Change application connection & security policies for your organization

Azure DevOps Services

Learn how to manage your security policies and the policies that determine which applications can integrate with services and resources in your organization. By default, your organization allows access for most authentication methods. You can limit access, but you must specifically restrict access for each method. When you deny access to an authentication method, no application can access your organization. Any application that previously had access gets an authentication error and has no access to your organization.

Application connection policies

To access your organization without asking for user credentials multiple times, applications use the following authentication methods.

• OAuth to generate tokens for accessing REST APIs for Azure DevOps. The Organizations and Profiles APIs support only OAuth.

• SSH authentication to generate encryption keys for using Linux, macOS, and Windows running Git for Windows, but you can't use Git credential managers or personal access tokens (PATs) for HTTPS authentication.

• PATs to generate tokens for:

  • Accessing specific resources or activities, like builds or work items
  • Clients like Xcode and NuGet that require usernames and passwords as basic credentials and don't support Microsoft account and Azure Active Directory features like multi-factor authentication
  • Accessing REST APIs for Azure DevOps

To remove access for PATs, you must revoke them.

Tenant level policies

You can use the tenant level policy to restrict creating new organizations to desired users only. Check restrict organization creation for more details.

Conditional access policies

Azure DevOps honors all conditional access policies 100% for our Web flows. For third-party client flow, like using a PAT with git.exe, we support IP fencing policies only - we don't support MFA policies. See the following examples:

• Policy 1 - Block all access from outside of IP range x, y, and z.
  • Accessing Azure DevOps via the web, the user's allowed from IP x, y, and z. If outside of that list, the user's blocked.
  • Accessing Azure DevOps via alt-auth, the user's allowed from IP x, y, and z. If outside of that list, the user's blocked.
• Policy 2 - Require MFA when outside of IP range x, y, and z.
  • Accessing Azure DevOps via the web, the user's allowed from IP x, y, and z. The user is prompted for MFA if outside of that list.
  • Accessing Azure DevOps via alt-auth, the user's allowed from IP x, y, and z. If outside of that list, the user's blocked.

By default, your organization allows access for all authentication methods. You can limit access, but you must specifically restrict access for each method. When you deny access to an authentication method, no application can access your organization. Any app that previously had access gets an authentication error and has no access to your organization.

Security policies

You can enable or disable the following security policy.

• Allow public projects - Allows non-members of a project and users who aren't signed in read-only, limited access to the project's artifacts and services. Anonymous access is used to access both private and public repositories. Learn more at Make your project public and Enable anonymous access to projects for your organization.

• Enable Azure Active Directory (Azure AD) Conditional Access Policy (CAP) validation - this policy is set to off by default and only applies to other authentication methods aside from the web flow. Azure AD Conditional Access is applied for the web flow regardless of this policy setting.

  You can require the following conditions, for example:

  • Security group membership
  • Location and network identity
  • Specific operating system
  • Enabled device in a management system

  Depending on which conditions the user satisfies, you can require multi-factor authentication, further checks, or block access.

  For more information, see the REST API reference article, section API version mapping.

Prerequisites

To change a policy, you need at least Basic access and organization Owner or Project Collection Administrator permissions. How do I find the organization Owner?

Manage a policy

Complete the following steps to change application connection, security, and user policies for your organization in Azure DevOps.

1. Sign in to your organization (https://dev.azure.com/{yourorganization}).

2. Select Organization settings.

   

3. Select Policies, and then next to your policy, move the toggle to on or off.

Related articles

• Disable Request Access Policy
• Restrict users from creating new organizations with Azure AD policy
• Restrict Team and Project Administrators from inviting new users
• What is Conditional Access in Azure Active Directory?
• Detailed instructions and requirements for Conditional Access