With Microsoft Entra ID, tenant admins control which users access Microsoft resources through Conditional Access policies. Admins set specific conditions users must meet to gain access, such as:
- Membership in a specific Microsoft Entra security group
- Location or network requirements
- Use of a particular operating system
- Use of a managed and enabled device
Based on these conditions, you can grant access, require more checks like multifactor authentication, or block access entirely. For more information, see Conditional Access policies in the Microsoft Entra documentation.
Tip
You can use AI to help with this task later in this article, or see Enable AI assistance with Azure DevOps MCP Server to get started.
Prerequisites
| Category | Requirements |
|---|---|
| Permissions | At least Conditional Access Administrator in your tenant. For more information, see Create a Conditional Access policy. |
Create a Conditional Access policy for Azure DevOps
Warning
External authentication methods aren't currently compatible with authentication strength. Use the Require multifactor authentication grant control. This example uses the built-in multifactor authentication strength, but some organizations might choose to use a stronger authentication strength like passwordless or phishing-resistant.
- Sign in to the Microsoft Entra admin center as at least a Conditional Access Administrator.
- Browse to Entra ID > Conditional Access > Policies.
- Select New policy.
- Enter a name for your policy. Create a meaningful standard for the names of your policies.
- Under Assignments, select Users or workload identities.
- Under Include, select All users.
- Under Exclude:
  - Select Users and groups.
  - Choose your organization's emergency access or break-glass accounts.
- Under Target resources > Resources (formerly cloud apps) > Include, choose Select resources, and add the "Azure DevOps" or "Microsoft Visual Studio Team Services" resource (resource ID: 499b84ac-1321-427f-aa17-267ca6975798) to the list of target resources.
- Under Access controls > Grant, select Grant access, Require authentication strength, select Multifactor authentication, and then select Select.
- Confirm your settings and set Enable policy to Report-only.
- Select Create to enable your policy.
After confirming your settings by using policy impact or report-only mode, move the Enable policy toggle from Report-only to On.
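The same policy as described in the steps above, created with the Microsoft Graph PowerShell SDK instead of the admin center. This is an added example, not code from the Microsoft Learn page; it assumes the Microsoft.Graph module is installed and that the break-glass object IDs are replaced with your own (the values below are placeholders). It uses the Require multifactor authentication grant control that the warning above recommends.

```powershell
# Added example (not from the page): create the Azure DevOps Conditional Access policy
# in report-only mode so its impact can be reviewed before enforcement.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Resource ID of Azure DevOps / Microsoft Visual Studio Team Services (from the page)
$azureDevOpsAppId = "499b84ac-1321-427f-aa17-267ca6975798"

# Placeholder object IDs of the tenant's emergency-access (break-glass) accounts
$breakGlassIds = @("<break-glass-account-object-id-1>", "<break-glass-account-object-id-2>")

$policy = @{
    displayName   = "CA - Azure DevOps - Require MFA"
    # Report-only first; change to "enabled" once the sign-in logs look right
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = $breakGlassIds
        }
        applications = @{
            includeApplications = @($azureDevOpsAppId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")   # "Require multifactor authentication" grant control
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Sanity check before flipping the policy to enabled: confirm the Azure DevOps
# resource is actually in the policy's include list and break-glass accounts are excluded.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.Conditions.Applications.IncludeApplications -notcontains $azureDevOpsAppId) {
    throw "Policy $($created.Id) does not target the Azure DevOps resource."
}
if (-not $check.Conditions.Users.ExcludeUsers) {
    throw "Policy $($created.Id) has no break-glass exclusions."
}
```

After the report-only review, set `state = "enabled"` on the same policy with `Update-MgIdentityConditionalAccessPolicy`.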
Conditional Access behavior on web
When you sign in to the web portal of a Microsoft Entra ID-backed organization, Microsoft Entra ID validates all Conditional Access policies set by tenant administrators. After modernizing the web authentication stack to use Microsoft Entra tokens, Azure DevOps enforces Conditional Access policy validation on all interactive (web) flows.
Tenant administrators can choose from the following options:
- Meet sign-in policies when you use personal access tokens (PATs) on REST API calls that rely on Microsoft Entra.
- Remove Azure DevOps as a resource from the Conditional Access policy to prevent Conditional Access policies from applying.
- Enforce MFA policies on web flows only. Block access for non-interactive flows if users don't meet a Conditional Access policy.
IP-based conditions
| Category | Requirements |
|---|---|
| Permissions | You must be a Project Collection Administrator to enable this policy. |
If you enable the "IP Conditional Access policy validation on non-interactive flows" organization policy on the Organization Settings page, Azure DevOps checks IP fencing policies on non-interactive flows, such as when you use a PAT to make a REST API call.
Azure DevOps supports IP-fencing Conditional Access policies for both IPv4 and IPv6 addresses. If Conditional Access policies block your IPv6 address, ask your tenant administrator to update the policy to allow your IPv6 address. Also, consider including the IPv4-mapped address for any default IPv6 address in all Conditional Access policy conditions.
If users access the Microsoft Entra sign-in page from a different IP address than the one used to access Azure DevOps resources (common with VPN tunneling), review your VPN configuration or networking setup. Confirm that your tenant administrator includes all relevant IP addresses in the Conditional Access policies.
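To avoid the IPv6 lockout described above, a named location can list both the IPv4 egress range and its IPv4-mapped IPv6 form. This is an added example, not code from the page; the address ranges are constructed placeholders and the IPv4-mapped prefix length follows from the IPv4 prefix (a /24 maps to a /120 in the ::ffff:0:0/96 block).

```powershell
# Added example (not from the page): define a trusted named location that covers the
# corporate egress range in both IPv4 and IPv4-mapped IPv6 notation, then show how a
# policy condition would reference it. Ranges below are constructed placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$ipv4Cidr = "203.0.113.0/24"
# IPv4-mapped IPv6 form of the same range: ::ffff:a.b.c.d, prefix = 96 + IPv4 prefix
$v4Prefix   = [int]($ipv4Cidr.Split('/')[1])
$mappedCidr = "::ffff:" + $ipv4Cidr.Split('/')[0] + "/" + (96 + $v4Prefix)

$location = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corp egress (IPv4 + IPv4-mapped IPv6)"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $ipv4Cidr }
        @{ "@odata.type" = "#microsoft.graph.iPv6CidrRange"; cidrAddress = $mappedCidr }
    )
}
$namedLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $location
$namedLocation | Select-Object Id, DisplayName

# Location condition fragment to merge into an Azure DevOps policy's "conditions" hashtable:
# only sign-ins from outside the named location are in scope for the policy's grant controls.
$locationCondition = @{
    locations = @{
        includeLocations = @("All")
        excludeLocations = @($namedLocation.Id)
    }
}
$locationCondition | ConvertTo-Json -Depth 5
```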
Azure Resource Manager audience
Note
These changes took effect in September 2025. For more information, see the Azure DevOps blog post.
Azure DevOps doesn't depend on the Azure Resource Manager (ARM) resource (https://management.azure.com) when you sign in or refresh Microsoft Entra access tokens. Previously, Azure DevOps required the Azure Resource Manager audience during sign-in and token refresh flows, which meant administrators had to allow all Azure DevOps users to bypass Azure Resource Manager Conditional Access policies.
If you previously set up a Conditional Access policy for Azure Resource Manager or the associated Microsoft Azure classic deployment model application, that policy no longer covers Azure DevOps sign-ins. Set up a new Azure DevOps Conditional Access policy for continued coverage.
The following groups still require access to Azure Resource Manager. Consider adding them as exclusions to any Azure Resource Manager or Microsoft Azure classic deployment model Conditional Access policies.
- Billing administrators need access to Azure Resource Manager to set up billing and access subscriptions.
- Service Connection creators require access to Azure Resource Manager for Azure Resource Manager role assignments and updates to managed service identities (MSIs).
Continuous Access Evaluation
Azure DevOps supports Continuous Access Evaluation (CAE) via Microsoft Entra ID, which enables near real-time enforcement of Conditional Access policies. With CAE, access tokens can be revoked immediately when critical events occur—such as when a user is disabled, a password changes, or a location/IP shift happens—without waiting for token expiration. This approach enhances security, reduces operational overhead, and improves resilience during identity service outages.
App developers who use the latest .NET client library version (20.259.0-preview and later) should support CAE-enabled tokens by gracefully handling claims challenges.
Use AI to manage Conditional Access policies
If you have the Azure DevOps MCP Server configured, you can use AI assistants to review and manage Conditional Access policy settings for your Azure DevOps organization using natural language prompts. The MCP Server provides your AI assistant with secure access to your Azure DevOps data, allowing you to check policy configurations and organization security settings without navigating through multiple portals.
Example prompts for Conditional Access policies
| Task | Example prompt |
|---|---|
| Troubleshoot blocked access | A user <user-email> can't access <organization-name> from their home network - what conditional access policies might be blocking them? |
| Audit policy coverage | What authentication and conditional access policies are currently enforced for <organization-name> and are there any gaps? |
| Check IP-based restrictions | Is IP conditional access validation enabled for <organization-name> and which client flows does it apply to - web, non-interactive, both? |
| Verify compliant device policy | Can users access <organization-name> from personal devices, or is there a compliant/hybrid-joined device requirement? |
| Test third-party tool access | If I have a conditional access policy requiring MFA on <organization-name>, will third-party CI/CD tools using PATs be affected? |
| Review policy for guest users | What conditional access policies apply to external guest users accessing <organization-name> and do they differ from member policies? |
Tip
If you're using Visual Studio Code, agent mode is especially helpful for reviewing Conditional Access policy configurations across your organizations.
- To avoid using stale or cached data from previous queries, add "Do not use previously fetched data." to your prompt.