New Rules for Azure DevOps: How to Set Up Conditional Access

If you look after Azure DevOps in your organisation, there’s an important change you need to know about. From 28 July 2025, Azure DevOps will no longer rely on Azure Resource Manager (ARM) for sign-ins or token refresh. This means any Conditional Access policies you’ve set up that target ARM won’t protect Azure DevOps any more.

To keep your environment secure, you’ll need to create new Conditional Access policies that specifically target Azure DevOps.

Conditional Access is how most of us enforce things like multi-factor authentication, location restrictions, or device compliance for cloud services. If you don’t update your policies, users could end up bypassing your security controls when accessing Azure DevOps.

The good news is that updating your setup is straightforward, and Microsoft has provided clear instructions.

Here’s how to make sure your organisation stays protected:

1. Go to Conditional Access in Entra ID

Open the Azure portal and head to Microsoft Entra ID > Protection > Conditional Access > Policies.

2. Create a New Policy

Click on New policy and give it a clear name, for example, “ADO CAP Policy”.

3. Assign Users or Groups

Choose which users or groups this policy should apply to. For most, this will be everyone who needs access to Azure DevOps.

4. Target Azure DevOps as a Resource

Under Target resources, select Select resources, then add Microsoft Visual Studio Team Services. This is the service name for Azure DevOps.

Your policy set-up should look something like this:

Screenshot of Conditional Access policy targeting Azure DevOps

5. Configure Conditions and Access Controls

Set any conditions you need, such as device platform, location, or sign-in risk. Then choose your access controls, for example, requiring multi-factor authentication.

6. Enable the Policy

Start with Report-only mode to monitor the impact without blocking anyone. Once you’re happy, switch it to On.

• Test with a small group first to make sure everything works as expected.
• Communicate with your users so they know about any new sign-in requirements.
• Keep an eye on sign-in logs and policy impact reports in Entra ID.
• Review your old ARM-based policies and update or retire them as needed.

Cloud security is always changing, and this update is a good example of why it pays to stay on top of the details. A bit of work now will save you hassle later and keep your Azure DevOps environment secure.

If you want more detail, Microsoft’s official documentation has everything you need: Azure DevOps Conditional Access Policies