|
| 1 | +--- |
| 2 | +title: Configure Conditional Access Policies for Dev Tunnels Service |
| 3 | +description: Learn how to configure conditional access policies for the Dev tunnels service in Microsoft Entra ID to secure remote development environments and restrict access based on device management and IP ranges. |
| 4 | +author: RoseHJM |
| 5 | +contributors: |
| 6 | +ms.topic: concept-article |
| 7 | +ms.date: 05/16/2025 |
| 8 | +ms.author: rosemalcolm |
| 9 | +ms.reviewer: rosemalcolm |
| 10 | +--- |
| 11 | + |
| 12 | +# Background |
| 13 | + |
| 14 | +The Dev Box service gives you an alternative connectivity method on top of Dev tunnels. You can develop remotely while coding locally or keep development going during AVD outages or poor network performance. Many large enterprises using Dev Box have strict security and compliance policies, and their code is valuable to their business. Restricting Dev tunnels with conditional access policies is crucial for these controls. |
| 15 | + |
| 16 | +## Goals |
| 17 | + |
| 18 | +- Let Dev tunnels connect from managed devices, but deny connections from unmanaged devices. |
| 19 | + |
| 20 | +- Let Dev tunnels connect from specific IP ranges, but deny connections from other IP ranges. |
| 21 | + |
| 22 | +- Support other regular CA configurations. |
| 23 | + |
| 24 | +- Conditional access policies apply to both the VSCode application and VSCode web. |
| 25 | + |
| 26 | + |
| 27 | + |
| 28 | +## CA Configurations |
| 29 | + |
| 30 | +The conditional access policies work correctly for the Dev tunnels service. Because registering the Dev tunnels service app to a tenant and making it available to the CA picker is unique, this article documents the steps for engineering, PM, and technical writers. |
| 31 | + |
| 32 | +### Register Dev tunnels service to a tenant |
| 33 | + |
| 34 | +According to [Apps & service principals in Microsoft Entra ID](/entra/identity-platform/app-objects-and-service-principals?tabs=browser), a service principal is created in each tenant where the application is used. However, this doesn't apply to the Dev tunnels service. This article doesn't explore the root cause. If you know about app definitions, review the [Dev tunnels service app registration specification](https://msazure.visualstudio.com/One/_git/AAD-FirstPartyApps?path=/Customers/Configs/AppReg/46da2f7e-b5ef-422a-88d4-2a7f9de6a0b2/AppReg.Parameters.Production.json&version=GBmaster&_a=contents). |
| 35 | + |
| 36 | +Therefore, we are using [Microsoft.Graph PowerShell](/powershell/module/microsoft.graph.authentication/connect-mggraph?view=graph-powershell-1.0) to register the app to a tenant. |
| 37 | + |
| 38 | +1. Install PowerShell 7.x |
| 39 | + |
| 40 | +1. Follow [Install the Microsoft Graph PowerShell SDK | Microsoft Learn](/powershell/microsoftgraph/installation?view=graph-powershell-1.0) to install Microsoft.Graph PowerShell |
| 41 | + |
| 42 | +1. Run the following commands |
| 43 | + |
| 44 | +1. Go to "Microsoft Entra ID" -> "Manage" -> "Enterprise applications" to verify if the Dev tunnels service is registered. |
| 45 | + |
| 46 | +:::image type="content" source="media/configure-conditional-access-policies-for-dev-tunnels-service/image1.png" alt-text="Screenshot of the Enterprise applications page in Microsoft Entra ID, showing the Dev tunnels service registration."::: |
| 47 | + |
| 48 | +### Enable the Dev tunnels service for the CA picker |
| 49 | + |
| 50 | +The Entra ID team is working on removing the need to onboard apps for them to appear in the app picker, with delivery expected in May. Therefore, we are not onboarding Dev tunnel service to the CA picker. Instead, target the Dev tunnels service in a CA policy using [Custom Security Attributes](/entra/identity/conditional-access/concept-filter-for-applications). |
| 51 | + |
| 52 | +1. Follow [Add or deactivate custom security attribute definitions in Microsoft Entra ID](/entra/fundamentals/custom-security-attributes-add?tabs=ms-powershell) to add the following Attribute set and New attributes. |
| 53 | + |
| 54 | +:::image type="content" source="media/configure-conditional-access-policies-for-dev-tunnels-service/image2.png" alt-text="Screenshot of the custom security attribute definition process in Microsoft Entra ID."::: |
| 55 | + |
| 56 | +:::image type="content" source="media/configure-conditional-access-policies-for-dev-tunnels-service/image3.png" alt-text="Screenshot of the new attribute creation in Microsoft Entra ID."::: |
| 57 | + |
| 58 | +1. Follow [Create a conditional access policy](/entra/identity/conditional-access/concept-filter-for-applications#create-a-conditional-access-policy) to create a conditional access policy. |
| 59 | + |
| 60 | +:::image type="content" source="media/configure-conditional-access-policies-for-dev-tunnels-service/image4.png" alt-text="Screenshot of the conditional access policy creation process for Dev tunnels service."::: |
| 61 | + |
| 62 | +1. Follow [Configure custom attributes](/entra/identity/conditional-access/concept-filter-for-applications#configure-custom-attributes) to configure the custom attribute for the Dev tunnels service. |
| 63 | + |
| 64 | +:::image type="content" source="media/configure-conditional-access-policies-for-dev-tunnels-service/image5.png" alt-text="Screenshot of configuring custom attributes for the Dev tunnels service in Microsoft Entra ID."::: |
| 65 | + |
| 66 | +### Testing |
| 67 | + |
| 68 | +1. Turn off the BlockDevTunnelCA |
| 69 | + |
| 70 | +1. Create a DevBox in the test tenant and run the following commands inside it. Dev tunnels can be created and connected externally. |
| 71 | + |
| 72 | +1. Enable the BlockDevTunnelCA. |
| 73 | + |
| 74 | + 1. New connections to the existing Dev tunnels can't be established. Please test with an alternate browser if a connection has already been established. |
| 75 | + |
| 76 | + 1. Any new attempts to execute the commands in step #2 will fail. Both errors are: |
| 77 | + |
| 78 | +:::image type="content" source="media/configure-conditional-access-policies-for-dev-tunnels-service/image6.png" alt-text="Screenshot of error message when Dev tunnels connection is blocked by conditional access policy."::: |
| 79 | + |
| 80 | +1. The Entra ID sign-in logs show these entries. |
| 81 | + |
| 82 | +:::image type="content" source="media/configure-conditional-access-policies-for-dev-tunnels-service/image7.png" alt-text="Screenshot of Entra ID sign-in logs showing entries related to Dev tunnels conditional access policy."::: |
| 83 | + |
| 84 | +## Limitations |
| 85 | + |
| 86 | +- Configure conditional access policies for Dev Box service to manage Dev tunnels for Dev Box users. |
| 87 | + |
| 88 | +- Limit Dev tunnels that are not managed by the Dev Box service. In the context of Dev Boxes, if the Dev tunnels GPO is configured **to allow only selected Microsoft Entra tenant IDs**, Conditional Access policies can also restrict self-created Dev tunnels. |
| 89 | + |
| 90 | +## Related content |
| 91 | +- [Conditional Access policies](https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policies) |