Change application connection & security policies for your organization

This article shows how to manage your organization's security policies that determine how users and applications can access services and resources in your organization. You can access most of these policies in Organization settings.

Prerequisites

Manage a policy

To update application connection, security, or user policies for your organization, follow these steps:

1. Sign in to your organization at https://dev.azure.com/{Your_Organization}.

2. Select Organization settings.

   

3. Select Policies, then toggle the desired policy on or off.

   

Restrict authentication methods

To allow seamless access to your organization without repeatedly prompting for user credentials, applications can use authentication methods, like OAuth, SSH, and personal access token (PATs). By default, all existing organizations allow access for all authentication methods.

You can limit access to these authentication methods by disabling the following application connection policies:

• Third-party application access via OAuth: Enable Azure DevOps OAuth apps to access resources in your organization through OAuth. This policy is defaulted to off for all new organizations. If you want access to Azure DevOps OAuth apps, enable this policy to ensure these apps can access resources in your organization. This policy doesn't affect Microsoft Entra ID OAuth app access.
• SSH authentication: Enable applications to connect to your organization's Git repos through SSH.
• Tenant admins can restrict global personal access token creation, restrict full-scoped personal access token creation, and enforce maximum personal access token lifespan through tenant-level policies on the Microsoft Entra settings page. Add Microsoft Entra users or groups to exempt them from these policies.
• Organization admins can restrict personal access token creation in their respective organizations. Subpolicies allow admins to permit the creation of packaging-only PATs or the creation of any-scope PATs to allowlisted Microsoft Entra users or groups.

When you deny access to an authentication method, no application can access your organization through that method. Any application that previously had access encounter authentication errors and lose access.

Enforce Conditional Access policies

Microsoft Entra ID lets tenant admins control which users can access Microsoft resources using Conditional Access policies. Admins set specific conditions users must meet to gain access, such as:

• Membership in a specific Microsoft Entra security group
• Location or network requirements
• Use of a particular operating system
• Use of a managed and enabled device

Based on these conditions, you can grant access, require more checks like multifactor authentication, or block access entirely. Learn more about Conditional Access policies and how to set one up for Azure DevOps in the Microsoft Entra documentation.

Conditional Access policy support on Azure DevOps

When you sign in to the web portal of a Microsoft Entra ID-backed organization, Microsoft Entra ID validates all Conditional Access policies set by tenant administrators. After modernizing our web authentication stack to use Microsoft Entra tokens, Azure DevOps now enforces Conditional Access policy validation on all interactive (web) flows.

• Meet sign-in policies when using PATs on REST API calls that rely on Microsoft Entra.
• Remove Azure DevOps as a resource from the Conditional Access policy, which prevents Conditional Access policies from applying.
• Enforce MFA policies on web flows only; block access for non-interactive flows if users don't meet a Conditional Access policy.

IP-based conditions

If you enable the IP Conditional Access policy validation on non-interactive flows policy, Azure DevOps checks IP fencing policies on non-interactive flows, such as when you use a PAT to make a REST API call.

Azure DevOps supports IP-fencing Conditional Access policies for both IPv4 and IPv6 addresses. If Conditional Access policies block your IPv6 address, ask your tenant administrator to update the policy to allow your IPv6 address. Also, consider including the IPv4-mapped address for any default IPv6 address in all Conditional Access policy conditions.

If users access the Microsoft Entra sign-in page from a different IP address than the one used to access Azure DevOps resources (which can happen with VPN tunneling), review your VPN configuration or networking setup. Make sure your tenant administrator includes all relevant IP addresses in the Conditional Access policies.

Azure Resource Manager audience and Conditional Access policies

Azure DevOps doesn't depend on the Azure Resource Manager (ARM) resource (https://management.azure.com) when you sign in or refresh Microsoft Entra access tokens. Previously, Azure DevOps required the ARM audience during sign-in and token refresh flows. This requirement meant that administrators had to allow all Azure DevOps users to bypass ARM Conditional Access policies to ensure access.

Tokens for Azure DevOps no longer require the ARM audience. As a result, you can manage Conditional Access policies more effectively without configuring specific audience settings for ARM. This approach streamlines authentication, reduces token management complexity, and lets you apply security policies more consistently across your Azure environments. Organizations can focus on broader access controls, improving compliance and security posture without being limited by audience-specific configurations.

Policies by Level