Supporting AzureAD Conditional Access Policy across VSTS

In February 2017, VSTS announced support for Azure Active Directory Conditional Access Policy (CAP).  One caveat that was called out in that announcement was that alternate authentication mechanisms, such as personal access tokens, would not enforce CAP.

As I discussed previously, many VSTS administrators gave us feedback that they need a way to ensure their users weren’t accessing development assets, such as source code, from outside corporate walls. We have been partnering with the AzureAD team to provide an update to Active Directory Authentication Library (ADAL) allowing us to pass the client’s IP address in our requests for a refresh token. This will allow us to proactively block calls to VSTS that don’t meet the CAP IP policy. Our plan is to deliver these changes during 2018 Q2.

While we wait for this gap to be filled, we provided APIs that administrators can use to audit activity within an account.  The APIs return the IP address and authentication mechanism used for each activity so that custom business logic can be written to monitor and flag abnormalities.  Caleb Cartwright has been experimenting with these APIs and has been gracious enough to share his sample on GitHub.
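One way to write that flagging logic, as an added example that is not part of the original post and not the VSTS API itself: it runs over constructed records shaped like audit output (the field names `user`, `ip`, `authMechanism` and `action` are assumptions) and flags activity from outside the corporate IP ranges, reporting alternate-auth activity separately because CAP is not enforced for those mechanisms.

```python
import ipaddress

# Constructed sample records; the field names are assumptions, not the real API schema.
SAMPLE_ACTIVITY = [
    {"user": "alice@contoso.com", "ip": "203.0.113.10", "authMechanism": "AAD", "action": "Git.Fetch"},
    {"user": "bob@contoso.com", "ip": "192.0.2.55", "authMechanism": "PAT", "action": "Git.Clone"},
    {"user": "carol@contoso.com", "ip": "192.0.2.77", "authMechanism": "AAD", "action": "Build.Queue"},
    {"user": "dave@contoso.com", "ip": "198.51.100.8", "authMechanism": "PAT", "action": "Git.Push"},
    {"user": "eve@contoso.com", "ip": "not-an-ip", "authMechanism": "PAT", "action": "Git.Fetch"},
]

# Constructed corporate egress ranges; replace with the ranges used in your CAP IP policy.
CORPORATE_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Mechanisms the announcement describes as not enforcing CAP (names are assumptions).
ALTERNATE_AUTH = {"PAT", "AlternateCredentials", "SSH"}


def is_corporate(addr, ranges=CORPORATE_RANGES):
    """True when the address falls inside any corporate range."""
    return any(addr in net for net in ranges)


def flag_abnormal(records, ranges=CORPORATE_RANGES):
    """Return (record, reason) pairs for activity that contradicts the CAP IP policy."""
    findings = []
    for rec in records:
        try:
            addr = ipaddress.ip_address(rec["ip"])
        except ValueError:
            # An unparseable address is itself worth a look rather than a silent skip.
            findings.append((rec, "unparseable-ip"))
            continue
        if is_corporate(addr, ranges):
            continue  # inside corporate walls: nothing to flag
        if rec["authMechanism"] in ALTERNATE_AUTH:
            # CAP does not apply to this mechanism, so the gap is real: flag for review.
            findings.append((rec, "alternate-auth-outside-corp"))
        else:
            # AAD auth from outside should have been blocked by CAP; the policy may be misconfigured.
            findings.append((rec, "outside-corp"))
    return findings


if __name__ == "__main__":
    for rec, reason in flag_abnormal(SAMPLE_ACTIVITY):
        print(f"{reason:28} {rec['user']:20} {rec['ip']:15} {rec['authMechanism']:5} {rec['action']}")
```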

Author: Justin Marks (MSFT)

Justin Marks is a principal program manager at Microsoft working on identity management for Azure DevOps. For the previous 7 years, Justin was part of the agile tooling space where he worked on all aspects of the work tracking system including process customization, the reporting stack, REST APIs, and collaboration experiences including team room, agile tooling and lightweight requirements management. Justin previously worked on the Visual Studio Debugger, the Windows Shell (as both a software design engineer in test and a program manager) and on (as a systems engineer).