1 | 1 | --- |
2 | 2 | title: Change application connection and security policies for organizations |
3 | 3 | titleSuffix: Azure DevOps Services |
4 | | -description: Manage security policies for accessing organization through conditional access, OAuth, SSH, and personal access tokens (PATs). |
| 4 | +description: Manage security policies for accessing organization through Conditional Access, OAuth, SSH, and personal access tokens (PATs). |
5 | 5 | ms.subservice: azure-devops-organizations |
6 | 6 | ms.assetid: 2fdfbfe2-b9b2-4d61-ad3e-45f11953ef3e |
7 | 7 | ms.topic: how-to |
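Review bot: the reworded `description` at line 4 still drops the article before "organization" ("for accessing organization through Conditional Access, ..."); since this line is already being touched for the capitalization change, fix the grammar in the same edit, e.g. "Manage security policies for accessing your organization through Conditional Access, OAuth, SSH, and personal access tokens (PATs)." The change from "conditional access" to "Conditional Access" itself is correct and consistent with the Microsoft Entra product name used in the rest of the hunk below.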
@@ -37,38 +37,39 @@ You can limit access to these authentication methods by disabling the following |
37 | 37 |
|
38 | 38 | When you deny access to an authentication method, no application can access your organization through that method. Any application that previously had access encounter authentication errors and lose access. |
39 | 39 |
|
40 | | -## Enforce conditional access policies |
| 40 | +## Enforce Conditional Access policies |
41 | 41 |
|
42 | | -Microsoft Entra ID lets tenant admins control which users can access Microsoft resources using [Conditional Access policies (CAPs)](/azure/active-directory/conditional-access/overview). Admins set specific conditions users must meet to gain access, such as: |
| 42 | +Microsoft Entra ID lets tenant admins control which users can access Microsoft resources using [Conditional Access policies](/azure/active-directory/conditional-access/overview). Admins set specific conditions users must meet to gain access, such as: |
43 | 43 |
|
44 | 44 | - Membership in a specific Microsoft Entra security group |
45 | 45 | - Location or network requirements |
46 | 46 | - Use of a particular operating system |
47 | 47 | - Use of a managed and enabled device |
48 | 48 |
|
49 | | -Based on these conditions, you can grant access, require more checks like multifactor authentication, or block access entirely. Learn more about [conditional access policies](/azure/active-directory/active-directory-conditional-access) and [how to set one up for Azure DevOps](/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps) in the Microsoft Entra documentation. |
| 49 | +Based on these conditions, you can grant access, require more checks like multifactor authentication, or block access entirely. Learn more about [Conditional Access policies](/azure/active-directory/active-directory-conditional-access) and [how to set one up for Azure DevOps](/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps) in the Microsoft Entra documentation. |
50 | 50 |
|
51 | | -### CAP support on Azure DevOps |
| 51 | +<a name='cap-support-on-azure-devops'></a> |
| 52 | +### Conditional Access policy support on Azure DevOps |
52 | 53 |
|
53 | 54 | When you sign in to the web portal of a Microsoft Entra ID-backed organization, Microsoft Entra ID validates all Conditional Access policies set by tenant administrators. After [modernizing our web authentication stack to use Microsoft Entra tokens](https://devblogs.microsoft.com/devops/full-web-support-for-conditional-access-policies-across-azure-devops-and-partner-web-properties/), Azure DevOps now enforces Conditional Access policy validation on all interactive (web) flows. |
54 | 55 |
|
55 | 56 | - Meet sign-in policies when using PATs on REST API calls that rely on Microsoft Entra. |
56 | | -- Remove Azure DevOps as a resource from the CAP, which prevents CAPs from applying. |
57 | | -- Enforce MFA policies on web flows only; block access for non-interactive flows if users don't meet a CAP. |
| 57 | +- Remove Azure DevOps as a resource from the Conditional Access policy, which prevents Conditional Access policies from applying. |
| 58 | +- Enforce MFA policies on web flows only; block access for non-interactive flows if users don't meet a Conditional Access policy. |
58 | 59 |
|
59 | 60 | ### IP-based conditions |
60 | 61 |
|
61 | 62 | If you enable the **IP Conditional Access policy validation on non-interactive flows** policy, Azure DevOps checks IP fencing policies on non-interactive flows, such as when you use a PAT to make a REST API call. |
62 | 63 |
|
63 | | -Azure DevOps supports IP-fencing conditional access policies (CAPs) for both IPv4 and IPv6 addresses. If CAPs block your IPv6 address, ask your tenant administrator to update the policy to allow your IPv6 address. Also, consider including the IPv4-mapped address for any default IPv6 address in all CAP conditions. |
| 64 | +Azure DevOps supports IP-fencing Conditional Access policies for both IPv4 and IPv6 addresses. If Conditional Access policies block your IPv6 address, ask your tenant administrator to update the policy to allow your IPv6 address. Also, consider including the IPv4-mapped address for any default IPv6 address in all Conditional Access policy conditions. |
64 | 65 |
|
65 | | -If users access the Microsoft Entra sign-in page from a different IP address than the one used to access Azure DevOps resources (which can happen with VPN tunneling), review your VPN configuration or networking setup. Make sure your tenant administrator includes all relevant IP addresses in the CAPs. |
| 66 | +If users access the Microsoft Entra sign-in page from a different IP address than the one used to access Azure DevOps resources (which can happen with VPN tunneling), review your VPN configuration or networking setup. Make sure your tenant administrator includes all relevant IP addresses in the Conditional Access policies. |
66 | 67 |
|
67 | | -### Azure Resource Manager audience and CAPs |
| 68 | +### Azure Resource Manager audience and Conditional Access policies |
68 | 69 |
|
69 | | -Azure DevOps doesn't depend on the Azure Resource Manager (ARM) resource (`https://management.azure.com`) when you sign in or refresh Microsoft Entra access tokens. Previously, Azure DevOps required the ARM audience during sign-in and token refresh flows. This requirement meant that administrators had to allow all Azure DevOps users to bypass ARM CAPs to ensure access. |
| 70 | +Azure DevOps doesn't depend on the Azure Resource Manager (ARM) resource (`https://management.azure.com`) when you sign in or refresh Microsoft Entra access tokens. Previously, Azure DevOps required the ARM audience during sign-in and token refresh flows. This requirement meant that administrators had to allow all Azure DevOps users to bypass ARM Conditional Access policies to ensure access. |
70 | 71 |
|
71 | | -Tokens for Azure DevOps no longer require the ARM audience. As a result, you can manage CAPs more effectively without configuring specific audience settings for ARM. This approach streamlines authentication, reduces token management complexity, and lets you apply security policies more consistently across your Azure environments. Organizations can focus on broader access controls, improving compliance and security posture without being limited by audience-specific configurations. |
| 72 | +Tokens for Azure DevOps no longer require the ARM audience. As a result, you can manage Conditional Access policies more effectively without configuring specific audience settings for ARM. This approach streamlines authentication, reduces token management complexity, and lets you apply security policies more consistently across your Azure environments. Organizations can focus on broader access controls, improving compliance and security posture without being limited by audience-specific configurations. |
72 | 73 |
|
73 | 74 | > [!NOTE] |
74 | 75 | > There are the following exceptions where continued access to ARM is still required: |
|
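Review bot: the bulleted list at lines 56-58 has no introductory sentence, so after the paragraph ending "enforces Conditional Access policy validation on all interactive (web) flows." the items read as dangling imperatives ("Meet sign-in policies when using PATs...", "Remove Azure DevOps as a resource...", "Enforce MFA policies on web flows only; block access for non-interactive flows...") and it is unclear whether they describe what Azure DevOps does or what a tenant administrator can configure; since lines 57-58 are being rewritten anyway, add a lead-in that names the subject (for example "Tenant administrators can:" if that is the intent). While expanding the acronym, line 57 became repetitive: "from the Conditional Access policy, which prevents Conditional Access policies from applying"; something like "from the policy's targeted resources, which stops that policy from applying to Azure DevOps" says the same thing once. Two smaller points in the same hunk: the unchanged context at line 38 has a number-agreement error ("Any application that previously had access encounter authentication errors and lose access" should be "encounters ... and loses"), worth fixing while the file is open; and the added `<a name='cap-support-on-azure-devops'></a>` anchor at line 51 correctly preserves the old heading fragment for existing links, so keep it.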