Change application connection & security policies for your organization

Azure DevOps Services

Important

Azure DevOps no longer supports Alternate Credentials authentication as of March 2, 2020. If you're still using Alternate Credentials, we strongly encourage you to switch to a more secure authentication method (for example, personal access tokens). Learn more.

Learn how to manage your security policies and the policies that determine which applications can integrate with services and resources in your organization. By default, your organization allows access for most authentication methods. You can limit access, but you must specifically restrict access for each method. When you deny access to an authentication method, no application can access your organization. Any application that previously had access gets an authentication error and has no access to your organization.

Application connection policies

Applications use the following authentication methods to access your organization without repeatedly asking for user credentials.

To remove access for PATs, you must revoke them.

Tenant-level policies

You can use the tenant-level policy to restrict the creation of new organizations to specific users. See Restrict organization creation for more details.

Conditional access policies

Azure DevOps fully honors conditional access policies for web flows. For third-party client flows, such as using a PAT with git.exe, only IP fencing policies are supported; MFA policies aren't enforced. See the following examples:

  • Policy 1 - Block all access from outside of IP range x, y, and z.
    • Accessing Azure DevOps via the web, the user is allowed from IP x, y, and z. If outside of that list, the user is blocked.
    • Accessing Azure DevOps via alt-auth, the user is allowed from IP x, y, and z. If outside of that list, the user is blocked.
  • Policy 2 - Require MFA when outside of IP range x, y, and z.
    • Accessing Azure DevOps via the web, the user is allowed from IP x, y, and z. The user is prompted for MFA if outside of that list.
    • Accessing Azure DevOps via alt-auth, the user is allowed from IP x, y, and z. If outside of that list, the user is blocked, because a non-interactive client flow can't complete an MFA prompt.

Note

IP fencing conditional access policies are supported for IPv4 only. Conditional access policies based on IPv6 ranges aren't supported today. Some third-party extensions may require additional configuration changes.
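The decision matrix above is easy to misread when planning a policy, so the following is an added model of it (not Microsoft's evaluation code) that you can run against your own ranges before enabling a policy. The names Flow, PolicyKind, Outcome and evaluate() are assumptions for this example; the IPv6 handling reflects only that such ranges aren't supported, not any documented server behavior.

```python
import ipaddress
from enum import Enum


class Flow(Enum):
    WEB = "web"            # Interactive browser sign-in: full CAP support
    ALT_AUTH = "alt-auth"  # Third-party client flow, e.g. a PAT used by git.exe


class PolicyKind(Enum):
    BLOCK_OUTSIDE = "block"  # Policy 1: block all access from outside the range
    MFA_OUTSIDE = "mfa"      # Policy 2: require MFA when outside the range


class Outcome(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    MFA = "mfa"
    UNSUPPORTED = "unsupported"  # IPv6 source: fencing isn't evaluated by this model


def evaluate(flow, policy, source_ip, allowed_ranges):
    """Return the Outcome for one request under an IP-fencing policy."""
    nets = [ipaddress.ip_network(r, strict=False) for r in allowed_ranges]
    if any(n.version != 4 for n in nets):
        # Policies based on IPv6 ranges aren't supported; refuse to model them.
        raise ValueError("IP fencing policies support IPv4 ranges only")
    ip = ipaddress.ip_address(source_ip)
    if ip.version != 4:
        return Outcome.UNSUPPORTED  # Assumption: flag for manual review
    if any(ip in n for n in nets):
        return Outcome.ALLOW       # Inside the fence: allowed for every flow
    if flow is Flow.ALT_AUTH:
        # A client flow can't satisfy an MFA prompt, so both policies block it.
        return Outcome.BLOCK
    return Outcome.BLOCK if policy is PolicyKind.BLOCK_OUTSIDE else Outcome.MFA


if __name__ == "__main__":
    # Constructed sample: corporate range from RFC 5737 documentation space.
    fence = ["203.0.113.0/24"]
    for flow in Flow:
        for policy in PolicyKind:
            for src in ("203.0.113.10", "198.51.100.7"):
                print(flow.value, policy.value, src, "->",
                      evaluate(flow, policy, src, fence).value)
```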

Security policies

You can enable or disable the following security policies.

  • Allow public projects - Allows non-members of a project and users who aren't signed in read-only, limited access to the project's artifacts and services. Anonymous access is used to access both private and public repositories. Learn more at Make your project public and Enable anonymous access to projects for your organization.

  • Enable Azure Active Directory (Azure AD) Conditional Access Policy (CAP) validation - This policy is off by default and applies only to alternative credentials. It has no effect on CAPs configured in Azure AD, which are enforced regardless of the settings in Azure DevOps.

    You can require the following conditions, for example:

    • Security group membership
    • Location and network identity
    • Specific operating system
    • Enabled device in a management system

    Depending on which conditions the user satisfies, you can require multi-factor authentication, further checks, or block access.

    For more information, see the REST API reference article, section API version mapping.

Prerequisites

To change a policy, you need at least Basic access and organization Owner or Project Collection Administrator permissions. How do I find the organization Owner?

Manage a policy

Complete the following steps to change application connection, security, and user policies for your organization in Azure DevOps.

  1. Sign in to your organization (https://dev.azure.com/{yourorganization}).

  2. Select the gear icon, Organization settings.

    Screenshot of Organization settings button, preview page.

  3. Select Policies, and then next to your policy, move the toggle to on or off.

Screenshot of select policy, and then turn On or Off.