Merge pull request #8065 from MicrosoftDocs/users/glmorale/updatesprint257

gloridelmorales · web-flow · commit a18158e0d402 · 2025-06-30T11:12:32.000-07:00
Update sprint 257 release notes
diff --git a/release-notes/2025/includes/general/sprint-257-update-links.md b/release-notes/2025/includes/general/sprint-257-update-links.md
@@ -8,6 +8,5 @@ ms.topic: include
 
 - [Restrict Personal Access Token (PAT) Creation Organization Policy now in Public Preview](#restrict-personal-access-token-pat-creation-organization-policy-now-in-public-preview)
 - [Removal of expired Azure DevOps OAuth Apps](#removal-of-expired-azure-devops-oauth-apps)
-- [Azure DevOps login flow no longer relies on Azure Resource Manager audience](#azure-devops-login-flow-no-longer-relies-on-azure-resource-manager-audience)
 - [New Microsoft Entra OAuth scopes](#new-microsoft-entra-oauth-scopes)
 - [Request Access URL availability](#request-access-url-availability)
diff --git a/release-notes/2025/includes/general/sprint-257-update.md b/release-notes/2025/includes/general/sprint-257-update.md
@@ -17,16 +17,6 @@ We’ve introduced a new organization-level policy in Azure DevOps—Restrict pe
 
 As we prepare for the end-of-life for Azure DevOps OAuth apps in 2026, we'll begin regularly removing apps with secrets that have expired more than six months ago (180 days ago). App owners of these inactive apps will be informed and if there’s any further need for the app registration between now and Azure DevOps OAuth’s end-of-life in 2026, you are asked to rotate the app secret before June 9 when we begin app deletions. [Learn more in our blog post](https://devblogs.microsoft.com/devops/spring-cleaning-cta-for-azure-devops-oauth-apps-with-expired-or-long-living-secrets/).
 
-### Azure DevOps login flow no longer relies on Azure Resource Manager audience
-
-We've removed a dependency on the Azure Resource Manager (ARM) resource when logging in or refreshing Entra access tokens used to access Azure DevOps. The ARM resource is often associated with the [Azure portal](https://portal.azure.com), and admins may want to restrict which users in their tenant can access the portal through Conditional Access policy (CAP) enforcement.
-
-Due to ADO's previous reliance on ARM, admins had to permit all ADO users to bypass the ARM CAPs in order to use ADO. This is no longer necessary as we've removed the ARM resource audience requirement during signin and refresh token flows. 
-
-There remain a couple of notable exceptions. The following ​user groups may need continued access to ARM:
-1. Billing admins need access to ARM to setup billing and access subscriptions
-2. Service Connection creators require continued access to ARM for ARM role assignment and updates to MSIs.
-
 ### New Microsoft Entra OAuth scopes
 Azure DevOps has introduced two new Microsoft Entra OAuth scopes, vso.pats and vso.pats_manage to enhance security and control over personal access token (PAT) lifecycle management APIs. These scopes are now required for delegated flows that involve PAT creation and management, replacing the previously broad user_impersonation scope. This change enables app owners to reduce the permissions needed by their app to access PAT APIs. Downscope your `user_impersonation` apps to the minimum scopes needed today!
 
diff --git a/release-notes/features-timeline-released.md b/release-notes/features-timeline-released.md
@@ -47,11 +47,10 @@ You can also [view the build numbers for each version](#azure-devops-server-buil
     <td>Ability to associate Java, JavaScript and Python tests to manual test cases</td><td>Test Plans</td><td>Future</td></tr>
 <tr>
 <tr>
-    <td rowspan="14"><a href="2025/sprint-257-update.md" data-raw-source="[16 June 2025](2025/sprint-257-update.md)"> June 16 2025</a></td>
+    <td rowspan="13"><a href="2025/sprint-257-update.md" data-raw-source="[16 June 2025](2025/sprint-257-update.md)"> June 16 2025</a></td>
     <td>GitHub Advanced Security is now available as GitHub Secret Protection and Code Security for Azure DevOps</td><td>GitHub Advanced Security for Azure DevOps</td><td>N/A</td></tr>
     <td>Restrict personal access token (PAT) creation organization policy now in public preview</td><td>General</td><td>Future</td></tr>
     <td>Removal of expired Azure DevOps OAuth Apps</td><td>General</td><td>N/A</td></tr>
-    <td>Azure DevOps login flow no longer relies on Azure Resource Manager audience</td><td>General</td><td>Future</td></tr>
     <td>New Microsoft Entra OAuth scopes</td><td>General</td><td>Future</td></tr>
     <td>Request Access URL availability</td><td>General</td><td>Future</td></tr>
     <td>Managed DevOps Pools - Image Deprecations</td><td>Pipelines</td><td>N/A</td></tr>
