LW.

Glorified Notepad

New Rules for Azure DevOps Access: How to Set Up Conditional Access Properly

2025-07-02 Azure Security DevOps Tutorials

If you manage Azure DevOps in your organisation, there’s an important change coming. From 28 July 2025, Azure DevOps will stop relying on Azure Resource Manager (ARM) for sign-ins and token refresh. Any Conditional Access policies targeting ARM will no longer protect Azure DevOps.

To maintain security, you must create new Conditional Access policies that specifically target Azure DevOps.

Why Does This Matter?

Conditional Access enforces multi-factor authentication, location restrictions, and device compliance for cloud services. Without updated policies, users may bypass security controls when accessing Azure DevOps.

Microsoft has provided clear instructions for updating your setup.

Step-by-Step: Setting Up a Conditional Access Policy for Azure DevOps

Follow these steps to keep your organisation protected:

  1. Go to Conditional Access in Azure AD
    Open the Azure portal and navigate to Azure Active Directory > Security > Conditional Access > Policies.

  2. Create a New Policy
    Click New policy and give it a clear name, such as “ADO CAP Policy”.

  3. Assign Users or Groups
    Select which users or groups the policy should apply to—typically, everyone who needs Azure DevOps access.

  4. Target Azure DevOps as a Resource
    Under Target resources, select Select resources, then add Microsoft Visual Studio Team Services (the service name for Azure DevOps).

    Your policy setup should look similar to the screenshot below:

    Screenshot of Conditional Access policy targeting Azure DevOps

  5. Configure Conditions and Access Controls
    Set conditions such as device platform, location, or sign-in risk. Choose access controls, like requiring multi-factor authentication.

  6. Enable the Policy
    Start with Report-only mode to monitor impact. Once satisfied, switch to On.

Tips for a Smooth Transition

  • Test with a small group first.
  • Communicate new sign-in requirements to users.
  • Monitor sign-in logs and policy impact reports in Azure AD.
  • Review and update or retire old ARM-based policies.

Final Thoughts

Cloud security is always evolving. Updating your Conditional Access policies now will help keep your Azure DevOps environment secure.

For more details, see Microsoft’s official documentation: Azure DevOps Conditional Access Policies

Have you updated your policies yet? Any lessons learned or tips to share? Drop a comment below—keen to hear how others are handling these changes.

Azure DevOps Conditional Access Azure AD Cloud Security Access Policies
© 2025 LW - Powered by Azure CDN 🌌