Change application connection & security policies for your organization
Azure DevOps Services
Important
Azure DevOps no longer supports Alternate Credentials authentication as of March 2, 2020. If you're still using Alternate Credentials, we strongly encourage you to switch to a more secure authentication method (for example, personal access tokens). Learn more.
Learn how to manage your security policies and the policies that determine which applications can integrate with services and resources in your organization. By default, your organization allows access for most authentication methods. You can limit access, but you must specifically restrict access for each method. When you deny access to an authentication method, no application can access your organization. Any application that previously had access gets an authentication error and has no access to your organization.
Application connection policies
To access your organization without asking for user credentials multiple times, applications use the following authentication methods.
OAuth to generate tokens for accessing REST APIs for Azure DevOps. The Organizations and Profiles APIs support only OAuth.
SSH authentication to generate encryption keys when you use Linux, macOS, or Windows running Git for Windows and can't use Git credential managers or personal access tokens (PATs) for HTTPS authentication.
PATs to generate tokens for:
- Accessing specific resources or activities, like builds or work items
- Clients like Xcode and NuGet that require usernames and passwords as basic credentials and don't support Microsoft account and Azure Active Directory features like multi-factor authentication
- Accessing REST APIs for Azure DevOps
To remove access for PATs, you must revoke them.
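How a PAT is presented as a basic credential, and how a client can recognize the authentication error this page describes once access is denied or the token is revoked. This is an added example, not code from the page or from Azure DevOps; the `_apis/projects` call and `api-version` value are assumptions, and the 203-with-HTML response is a commonly observed behaviour that this page does not itself state.

```python
import base64
from urllib.request import Request, urlopen
from urllib.error import HTTPError

# Placeholder from the page; replace with your organization URL.
ORG_URL = "https://dev.azure.com/{yourorganization}"


def pat_auth_header(pat: str) -> str:
    """A PAT is sent as HTTP Basic credentials with an empty user name:
    the token occupies the password slot, so the header encodes ":" + pat."""
    token = base64.b64encode(f":{pat}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def classify_response(status: int, content_type: str) -> str:
    """Tell a real API answer apart from an authentication error.

    401 is the plain rejection. Azure DevOps has also been observed to
    answer a rejected token on REST endpoints with 203 plus an HTML sign-in
    page instead of JSON (assumption: not stated on this page), which a
    naive client that only checks for a 2xx status would treat as success.
    """
    if status == 401:
        return "denied"
    if status == 203 and "text/html" in content_type:
        return "denied"
    if status // 100 == 2 and "application/json" in content_type:
        return "ok"
    return "unexpected"


def check_pat_access(org_url: str, pat: str, api_version: str = "7.0") -> str:
    """Probe the Projects REST API with a PAT and classify the outcome.
    Endpoint and api-version are assumptions for illustration."""
    req = Request(
        f"{org_url}/_apis/projects?api-version={api_version}",
        headers={"Authorization": pat_auth_header(pat),
                 "Accept": "application/json"},
    )
    try:
        with urlopen(req, timeout=30) as resp:
            return classify_response(resp.status, resp.headers.get("Content-Type", ""))
    except HTTPError as err:
        # urllib raises on 4xx/5xx; the headers are still available for classification.
        return classify_response(err.code, err.headers.get("Content-Type", ""))
```

The constant header value in the test below was computed by hand for the constructed token `abc`.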
Tenant level policies
You can use the tenant level policy to restrict creating new organizations to the users you choose. See Restrict organization creation for more details.
Conditional access policies
Azure DevOps fully honors all conditional access policies for its web flows. For third-party client flows, like using a PAT with git.exe, we support IP fencing policies only; we don't support MFA policies. See the following examples:
- Policy 1 - Block all access from outside of IP range x, y, and z.
  - Accessing Azure DevOps via the web, the user's allowed from IP x, y, and z. If outside of that list, the user's blocked.
  - Accessing Azure DevOps via alt-auth, the user's allowed from IP x, y, and z. If outside of that list, the user's blocked.
- Policy 2 - Require MFA when outside of IP range x, y, and z.
  - Accessing Azure DevOps via the web, the user's allowed from IP x, y, and z. The user is prompted for MFA if outside of that list.
  - Accessing Azure DevOps via alt-auth, the user's allowed from IP x, y, and z. If outside of that list, the user's blocked.
By default, your organization allows access for all authentication methods. You can limit access, but you must specifically restrict access for each method. When you deny access to an authentication method, no application can access your organization. Any app that previously had access gets an authentication error and has no access to your organization.
Note
We support IP fencing conditional access policies for IPv4 only. Conditional access policies based on IPv6 aren't supported today. Some third-party extensions may require additional configuration changes.
Security policies
You can enable or disable the following security policies.
Allow public projects - Allows non-members of a project and users who aren't signed in read-only, limited access to the project's artifacts and services. Anonymous access is used to access both private and public repositories. Learn more at Make your project public and Enable anonymous access to projects for your organization.
Enable Azure Active Directory (Azure AD) Conditional Access Policy (CAP) validation - this policy is set to off by default and only applies to alternative credentials. This policy doesn't apply for CAPs set in Azure AD, no matter the settings in Azure DevOps.
You can require the following conditions, for example:
- Security group membership
- Location and network identity
- Specific operating system
- Enabled device in a management system
Depending on which conditions the user satisfies, you can require multi-factor authentication, further checks, or block access.
For more information, see the REST API reference article, section API version mapping.
Prerequisites
To change a policy, you need at least Basic access and organization Owner or Project Collection Administrator permissions. How do I find the organization Owner?
Manage a policy
Complete the following steps to change application connection, security, and user policies for your organization in Azure DevOps.
1. Sign in to your organization (https://dev.azure.com/{yourorganization}).
2. Select Organization settings.
3. Select Policies, and then next to your policy, move the toggle to on or off.