Merge pull request #8013 from MicrosoftDocs/users/glmorale/sprint247releasenotes

Azure DevOps Sprint 257 release notes

Author: gloridelmorales

release-notes/2025/general/sprint-257-update.md

@@ -0,0 +1,17 @@
+---
+title: Azure DevOps release notes - Azure DevOps Sprint 257 Update
+description: See the Sprint 257 feature updates for Azure DevOps, including next steps.
+author: gloridelmorales
+ms.author: glmorale
+ms.date: 6/16/2025
+---
+
+# Azure DevOps - Sprint 257 Update
+
+## Features
+
+[!INCLUDE [sprint-257-update-links](../includes/general/sprint-257-update-links.md)]
+
+[!INCLUDE [sprint-257-update](../includes/general/sprint-257-update.md)]
+
+[!INCLUDE [nextsteps](../includes/nextsteps.md)]

release-notes/2025/ghazdo/sprint-257-update.md

@@ -0,0 +1,17 @@
+---
+title: Azure DevOps release notes - GitHub Advanced Security for Azure DevOps 257 Update
+description: See the Sprint 257 feature updates for GitHub Advanced Security for Azure DevOps, including next steps.
+author: gloridelmorales
+ms.author: glmorale
+ms.date: 6/16/2025
+---
+
+# GitHub Advanced Security for Azure DevOps - Sprint 257 Update
+
+## Features
+
+[!INCLUDE [sprint-257-update-links](../includes/ghazdo/sprint-257-update-links.md)]
+
+[!INCLUDE [sprint-257-update](../includes/ghazdo/sprint-257-update.md)]
+
+[!INCLUDE [nextsteps](../includes/nextsteps.md)]

release-notes/2025/includes/general/sprint-255-update-links.md

@@ -6,4 +6,5 @@ ms.date: 4/23/2025
 ms.topic: include
 ---
 
-- [Manage high privilege scopes, pipeline decorators, and unpublished extensions](#manage-high-privilege-scopes-pipeline-decorators-and-unpublished-extensions)
+- [Manage high privilege scopes, pipeline decorators, and unpublished extensions](#manage-high-privilege-scopes-pipeline-decorators-and-unpublished-extensions)
+- [Overlapping Secrets for OAuth apps](#overlapping-secrets-for-oauth-apps)

release-notes/2025/includes/general/sprint-255-update.md

@@ -15,4 +15,13 @@ We've added a new feature that flags these scopes on each organization's admin p
 > [!div class="mx-imgBorder"]
 > [![Screenshot of feedback box.](../../media/255-general-01.png "Screenshot of feedback box")](../../media/255-general-01.png#lightbox)
 
-For more information, visit  [documentation](/azure/devops/marketplace/manage-high-privilege-extensions) page.
+For more information, visit  [documentation](/azure/devops/marketplace/manage-high-privilege-extensions) page.
+
+### Overlapping Secrets for OAuth apps
+
+Azure DevOps has introduced Overlapping Secrets for OAuth apps—a new feature available on both UI and API designed to streamline secret rotation and reduce downtime. 
+
+> [!div class="mx-imgBorder"]
+> [![Screenshot of applications settings.](../../media/255-general-02.png "Screenshot of of applications settings.")](../../media/255-general-02.png#lightbox)
+
+With overlapping secrets, developers can generate a new secret while the old one remains valid, ensuring uninterrupted access during secret rotations. With this update, we also reduce the default secret validity period to 60 days.  As Azure DevOps OAuth apps approach deprecation in 2026, this update provides a critical security improvement for teams still relying on them. Try it today to simplify your secret management and improve resilience. Learn more in our blog post.

release-notes/2025/includes/general/sprint-257-update-links.md

@@ -0,0 +1,13 @@
+---
+author: gloridelmorales
+ms.author: glmorale
+ms.service: azure-devops
+ms.date: 6/16/2025
+ms.topic: include
+---
+
+- [Restrict Personal Access Token (PAT) Creation Organization Policy now in Public Preview](#restrict-personal-access-token-pat-creation-organization-policy-now-in-public-preview)
+- [Removal of expired Azure DevOps OAuth Apps](#removal-of-expired-azure-devops-oauth-apps)
+- [Azure DevOps login flow no longer relies on Azure Resource Manager audience](#azure-devops-login-flow-no-longer-relies-on-azure-resource-manager-audience)
+- [New Microsoft Entra OAuth scopes](#new-microsoft-entra-oauth-scopes)
+- [Request Access URL availability](#request-access-url-availability)

release-notes/2025/includes/general/sprint-257-update.md

@@ -0,0 +1,35 @@
+---
+author: gloridelmorales
+ms.author: glmorale
+ms.service: azure-devops
+ms.date: 6/16/2025
+ms.topic: include
+---
+
+### Restrict personal access token (PAT) creation organization policy now in public preview
+
+We’ve introduced a new organization-level policy in Azure DevOps—Restrict personal access token (PAT) creation—now available in public preview. This long-requested feature allows Project Collection Administrators to control who can create or regenerate PATs, helping reduce token sprawl and improve security. When enabled, only users on an allowlist can generate PATs, with optional support for packaging scopes. The policy also blocks global PAT usage unless explicitly permitted. Learn more about this policy and best practices for implementing this change in [our blog post](https://devblogs.microsoft.com/devops/restricting-pat-creation-in-azure-devops-is-now-in-preview/)!
+
+> [!div class="mx-imgBorder"]
+> [![Screenshot of Restrict personal access token creation.](../../media/257-general-01.png "Screenshot of Restrict personal access token creation.")](../../media/257-general-01.png#lightbox)
+
+### Removal of expired Azure DevOps OAuth Apps
+
+As we prepare for the end-of-life for Azure DevOps OAuth apps in 2026, we'll begin regularly removing apps with secrets that have expired more than six months ago (180 days ago). App owners of these inactive apps will be informed and if there’s any further need for the app registration between now and Azure DevOps OAuth’s end-of-life in 2026, you are asked to rotate the app secret before June 9 when we begin app deletions. [Learn more in our blog post](https://devblogs.microsoft.com/devops/spring-cleaning-cta-for-azure-devops-oauth-apps-with-expired-or-long-living-secrets/).
+
+### Azure DevOps login flow no longer relies on Azure Resource Manager audience
+
+We've removed a dependency on the Azure Resource Manager (ARM) resource when logging in or refreshing Entra access tokens used to access Azure DevOps. The ARM resource is often associated with the [Azure portal](https://portal.azure.com), and admins may want to restrict which users in their tenant can access the portal through Conditional Access policy (CAP) enforcement.
+
+Due to ADO's previous reliance on ARM, admins had to permit all ADO users to bypass the ARM CAPs in order to use ADO. This is no longer necessary as we've removed the ARM resource audience requirement during signin and refresh token flows. 
+
+There remain a couple of notable exceptions. The following ​user groups may need continued access to ARM:
+1. Billing admins need access to ARM to setup billing and access subscriptions
+2. Service Connection creators require continued access to ARM for ARM role assignment and updates to MSIs.
+
+### New Microsoft Entra OAuth scopes
+Azure DevOps has introduced two new Microsoft Entra OAuth scopes, vso.pats and vso.pats_manage to enhance security and control over personal access token (PAT) lifecycle management APIs. These scopes are now required for delegated flows that involve PAT creation and management, replacing the previously broad user_impersonation scope. This change enables app owners to reduce the permissions needed by their app to access PAT APIs. Downscope your `user_impersonation` apps to the minimum scopes needed today!
+
+### Request Access URL availability
+
+Azure DevOps administrators can disable the [**Request Access**](/azure/devops/organizations/accounts/disable-request-access-policy?view=azure-devops) policy and provide a URL for users to request access to an organization or project. This URL, previously available only to new users, is now also shown to existing users on the 404 page. To maintain confidentiality, the request access URL is displayed regardless of the project's existence.

release-notes/2025/includes/ghazdo/sprint-257-update-links.md

@@ -0,0 +1,8 @@
+---
+author: gloridelmorales
+ms.author: glmorale
+ms.date: 6/16/2025
+ms.topic: include
+---
+
+- [GitHub Advanced Security is now available as GitHub Secret Protection and Code Security for Azure DevOps](#github-advanced-security-is-now-available-as-github-secret-protection-and-code-security-for-azure-devops)

release-notes/2025/includes/ghazdo/sprint-257-update.md

@@ -0,0 +1,16 @@
+---
+author: gloridelmorales
+ms.author: glmorale
+ms.date: 6/16/2025
+ms.topic: include
+---
+
+### GitHub Advanced Security is now available as GitHub Secret Protection and Code Security for Azure DevOps 
+
+GitHub Secret Protection and GitHub Code Security can now be purchased as standalone products on Azure DevOps for new customers.
+
+Secret Protection provides access to secret scanning, push protection, and security overview experiences. Code Security provides access to all dependency scanning, code scanning, and security overview experiences.
+
+All existing Advanced Security customers can continue using the bundled product experience without disruptions. If you're a current Advanced Security customer and interested in switching to the standalone products, contact Azure DevOps support via the Azure Portal. You can file a support ticket for the GitHub Advanced Security for Azure DevOps service and select `Billing migration from bundled to standalone products` as the problem type.
+
+For more information on these products, see the [Dev Blog](https://devblogs.microsoft.com/devops/github-secret-protection-and-github-code-security-for-azure-devops/).

release-notes/2025/includes/pipelines/sprint-257-update-links.md

@@ -0,0 +1,11 @@
+---
+author: gloridelmorales
+ms.author: glmorale
+ms.date: 6/16/2025
+ms.topic: include
+---
+
+- [Managed DevOps Pools - Image Deprecations](#managed-devops-pools---image-deprecations)
+- [New Triggers page](#new-triggers-page)
+- [StringList parameter type](#stringlist-parameter-type)
+- [See the full YAML code of a pipeline run](#see-the-full-yaml-code-of-a-pipeline-run)

release-notes/2025/includes/pipelines/sprint-257-update.md

@@ -0,0 +1,150 @@
+---
+author: gloridelmorales
+ms.author: glmorale
+ms.date: 6/16/2025
+ms.topic: include
+---
+
+### Managed DevOps Pools - Image Deprecations
+
+Due to [Windows Server 2019 hosted image deprecation](/azure/devops/release-notes/2025/pipelines/sprint-256-update#windows-server-2019-hosted-image-deprecation-schedule) and [Ubuntu 20.04 deprecation](/azure/devops/release-notes/2025/pipelines/sprint-253-update#the-ubuntu-2004-pipeline-image-is-deprecated-and-will-be-retired-april-1), Managed DevOps Pools is deprecating the “Azure Pipelines – Windows Server 2019” image and Ubuntu 20.04 images. More details about the deprecations can be found [here](/azure/devops/managed-devops-pools/configure-images?view=azure-devops&branch=main&tabs=azure-portal#image-deprecation-schedule). You can read about life cycle of images offered by Managed DevOps Pools [here](/azure/devops/managed-devops-pools/configure-images?view=azure-devops&branch=main&tabs=azure-portal#image-lifecycle).
+
+### New Triggers page
+
+YAML pipelines provide you multiple powerful options to define when your pipeline should run. It's not always easy to reason if your pipeline is configured to run in response to an event, for example, a feeder pipeline completed. 
+
+This sprint, were introducing a **Triggers** page that gives you an overview of what triggers you have defined in your pipeline.
+
+> [!div class="mx-imgBorder"]
+> [![Screenshot of Pipelines Triggers.](../../media/257-pipelines-01.png "Screenshot of Pipelines Triggers page.")](../../media/257-pipelines-01.png#lightbox)
+
+Imagine you have the following YAML pipeline defined in the `main` branch of a repo. Consider there's also a `feature` branch that has the same YAML pipeline code.
+
+```yaml
+trigger:
+- main
+
+schedules:
+  - cron: 0 0 * * *
+    always: true
+    displayName: Nightly build
+    branches:
+      include:
+        - main
+
+resources:
+  pipelines:
+    - pipeline: FabrikamFiber
+      source: FabrikamFiber
+      trigger: true
+```
+
+When you navigate to the **Triggers** page, you see the following
+
+> [!div class="mx-imgBorder"]
+> [![Screenshot of Continuous integration triggers.](../../media/257-pipelines-02.png "Screenshot of triggers page select branch with default branch main.")](../../media/257-pipelines-02.png#lightbox)
+
+Notice the default branch of the pipeline, `main`, is preselected. 
+
+You see there is a _Continuous integration trigger_ for this branch, and it's defined in the YAML file.
+
+When you navigate to the _Schedule triggers_, you see there are triggers defined, and you can see their details.
+
+> [!div class="mx-imgBorder"]
+> [![Screenshot of Pipelines schedule triggers.](../../media/257-pipelines-03.png "Screenshot of Pipelines schedule triggers details.")](../../media/257-pipelines-03.png#lightbox)
+
+When you navigate to the _Resource triggers_ section, you see the defined resource triggers and their details.
+
+> [!div class="mx-imgBorder"]
+> [![Screenshot of Pipelines resource triggers section.](../../media/257-pipelines-04.png "Screenshot of Pipelines resource triggers section.")](../../media/257-pipelines-04.png#lightbox)
+
+You can switch branches, from `main` to `feature`, to see what triggers you defined for the `feature` branch.
+
+> [!div class="mx-imgBorder"]
+> [![Screenshot of Pipelines continuous integration triggers.](../../media/257-pipelines-05.png "Screenshot of Pipelines continuous integration triggers.")](../../media/257-pipelines-05.png#lightbox)
+
+> [!div class="mx-imgBorder"]
+> [![Screenshot of Pipelines scheduled triggers.](../../media/257-pipelines-06.png "Screenshot of Pipelines scheduled triggers.")](../../media/257-pipelines-06.png#lightbox)
+
+> [!div class="mx-imgBorder"]
+> [![Screenshot of Pipelines continuous resource triggers.](../../media/257-pipelines-07.png "Screenshot of Pipelines continuous resource triggers.")](../../media/257-pipelines-07.png#lightbox)
+
+In the _Resource triggers_ tab, when not on the default branch, you get a warning telling you the triggers defined for this branch are ignored.
+
+When trigger definitions were not correctly processed by the system, you get a warning and indications on how to solve the problem.
+
+> [!div class="mx-imgBorder"]
+> [![Screenshot of Pipelines schedule triggers with warning and indications on how to solve triggers are not processed.](../../media/257-pipelines-09.png "Screenshot of Pipelines schedule triggers with warning and indications on how to solve triggers are not processed.")](../../media/257-pipelines-07.png#lightbox)
+
+### StringList parameter type
+
+One of the top requested YAML pipelines features in the Developer Community is to [define parameters that contain a list of items](https://developercommunity.visualstudio.com/t/parameters-that-support-multiselect/1224839).
+
+Starting with this sprint, we've added a new parameter type, named `StringList`, that provides this capability.
+
+Say you want to allow those who queue pipeline runs to choose which regions they want to deploy a payload to. Now you can do this as shown in the example below.
+
+```yaml
+parameters:
+- name: regions
+  type: stringList
+  displayName: Regions
+  values:
+    - WUS
+    - CUS
+    - EUS
+  default: 
+    - WUS
+    - CUS
+    - EUS 
+
+stages:
+- ${{ each stage in parameters.regions}}:
+  - stage: ${{stage}}
+    displayName: Deploy to ${{stage}}
+    jobs:
+    - job:
+      steps:
+      - script: ./deploy ${{stage}}
+```
+
+When queuing this pipeline, you have the option of choosing multiple regions to deploy to, as shown in the following screenshot.
+
+> [!div class="mx-imgBorder"]
+> [![Screenshot of Run pipeline region multi selection.](../../media/257-pipelines-08.png "Screenshot of Run pipeline region multi selection.")](../../media/257-pipelines-08.png#lightbox)
+
+### See the full YAML code of a pipeline run
+
+YAML pipelines are composable. You may extend a template, to ensure your pipelines runs the necessary static analysis tools, and include templates to run common stages or jobs or tasks.
+
+Debugging such pipelines was not easy, because you couldn't see the full YAML code it was running.
+
+Say you have the following pipeline:
+```yaml
+parameters:
+- name: PoolName
+  type: string
+  default: Azure Pipelines
+- name: VmImage
+  type: string
+  default: ubuntu latest
+
+extends:
+  template: security-enforcing-template.yml
+  parameters:
+    jobs:
+    - template: job.monitoring.yml
+    - template: job.build.yml
+      parameters:
+        PoolName: ${{parameters.PoolName}}
+        VmImage: ${{parameters.VmImage}}
+```
+
+There are three templates used here. Each template may use conditional expressions based on parameter and variable values to determine the actual jobs or steps to run.
+
+Furthermore, when looking at old pipeline runs, you don't know if the pipeline's code is the same now as when the run ran. 
+
+In this sprint, we're adding a new functionality that allows you to easily see the full YAML code of a pipeline run.
+
+> [!div class="mx-imgBorder"]
+> [![Screenshot of pipeline summary with see full YAML option.](../../media/257-pipelines-10.png "Screenshot of pipeline summary with see full YAML option.")](../../media/257-pipelines-10.png#lightbox)