Enable Conditional Access for Azure DevOps

In this blog, let me show you how to restrict access to Azure DevOps to the Azure cloud environment or the organization's network. Enabling conditional access helps organizations restrict access to their project environment, so developers cannot reach it from outside that environment.

Pre-requisite:

  • Azure AD P1 license (Minimum) is required for enabling the Azure AD conditional access. We can enable Azure AD P2 trial license for 30 days, if required.
  • Azure DevOps should be connected to the Azure AD tenant. After it is registered, you will see Azure DevOps under Enterprise apps in Azure AD. If it is not connected, log in to Azure DevOps with an administrator account, click Organization, select Azure AD, and click Connect directory. Please refer to the image below.
  • Enable Azure AD conditional access policy validation in Azure DevOps. To enable it, log in to Azure DevOps with an administrator account, click Organization, select Policies, and turn on “Enable Azure Active Directory Conditional Access Policy Validation.”
  • Outbound access for users/servers in the organization or the cloud environment should be routed via a firewall or network appliance with a public IP address.
  • If this is the first conditional access policy for Azure AD, we need to disable the manage security defaults. Log in to the Azure portal, select Azure AD, click properties, select Manage security defaults, and click NO. Choose the checkbox to accept that “My organization is using Conditional Access” and then click the “Save” button.

Implementation

  1. From the Azure Active Directory console, select the Security tab and select the Conditional Access tab. Now select the Named Location blade and then click the “+ New Location” button on this tab. Give a meaningful name and provide the public IP address of the network appliance of the organization or the cloud environment.
  2. Let’s create a conditional access policy. Select Azure Active Directory -> Security -> Conditional Access. Click the “+New Policy” button to create a new conditional access policy. Give a meaningful name to the policy.
  3. On the “Users and Groups” tab, select “All Users.” If you need to exempt any users, add them on the Exclude tab.
  4. On the cloud apps or actions, select Azure DevOps from the list of applications.
  5. On the Conditions blade, select Location blade. Set the “Configure” options to “Yes.” Under the Include tab, set the choice of “Any Location.” Under the Exclude tab, select the option of Selected Location to select the named location created earlier in step one.
  6. Under “Access Control”, select “Block Access.” Combined with the location condition, this blocks access to Azure DevOps from everywhere except the named location, i.e. the organization or cloud environment.
  7. Under “Enable policy”, select “On” and click Save to create the policy. If the console throws an error, please verify the last step of the pre-requisites.
  8. Now we are ready to test: accessing Azure DevOps from the organization or the cloud environment will work, while trying from outside the organization or the cloud environment will be blocked.
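As an added example (not part of the original post), the same named location and block policy created with the Microsoft.Graph PowerShell module instead of the portal; the egress IP, the display names and the permission scopes requested at sign-in are assumptions.

```powershell
# Added example: automates steps 1-7 above via Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module is installed and the signed-in account
# can consent to the requested scopes (assumed to be sufficient).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Application.Read.All"

$egressIp = "203.0.113.10/32"   # assumed: public IP of the firewall/appliance (step 1)

# Step 1: named location covering the organization's egress IP
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Org egress IP"   # assumed name
    isTrusted     = $true
    ipRanges      = @(@{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $egressIp })
}

# Step 4: resolve the Azure DevOps enterprise app, which exists only once the
# tenant is connected (pre-requisite 2); fail clearly instead of creating a policy with no app.
$devops = Get-MgServicePrincipal -Filter "displayName eq 'Azure DevOps'"
if (-not $devops) { throw "Azure DevOps is not connected to this tenant; see the pre-requisites." }

# Steps 2-7: all users, Azure DevOps only, any location except the named one, block.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Block Azure DevOps outside org network"   # assumed name
    # "enabled" matches step 7 (On); use "enabledForReportingButNotEnforced"
    # first to review the sign-in log impact before enforcing.
    state       = "enabled"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @() }  # step 3: add exempt users here
        applications = @{ includeApplications = @($devops.AppId) }      # step 4
        locations    = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }  # step 5
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }   # step 6
}
"Created policy '$($policy.DisplayName)' ($($policy.Id)) in state $($policy.State)"
```

Step 8 still applies: sign in to Azure DevOps from inside and from outside the named location and confirm in the Azure AD sign-in logs which conditional access policy was applied.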

I hope this post helps restrict the access of Azure DevOps within your organization or the cloud environment.