Supporting AzureAD Conditional Access Policy across VSTS

In February 2017, VSTS announced support for Azure Active Directory Conditional Access Policy (CAP).  One caveat that was called out in that announcement was that alternate authentication mechanisms, such as personal access tokens, would not enforce CAP.

As I discussed previously, many VSTS administrators gave us feedback that they need a way to ensure that their users aren't accessing development assets, such as source code, from outside corporate walls. We have been partnering with the AzureAD team on an update to the Active Directory Authentication Library (ADAL) that lets us pass the caller's client IP address in our requests to redeem a refresh token, so that Azure AD can evaluate the CAP IP policy against the address the call actually came from. This will allow us to proactively block calls to VSTS, including those made with alternate authentication mechanisms, that don't meet the CAP IP policy. Our plan is to deliver these changes during 2018 Q2.

While we wait for this gap to be filled, we have provided APIs that administrators can use to audit activity within an account. For each activity, the APIs return the source IP address and the authentication mechanism used (for example, an Azure AD sign-in versus a personal access token), so that custom business logic can be written to monitor the account and flag abnormalities, such as personal access token use from an address outside the corporate range. Caleb Cartwright has been experimenting with these APIs and has been gracious enough to share his sample on GitHub.
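As an added illustration of the kind of monitoring logic described above (this is not the VSTS sample code and not Caleb Cartwright's sample), the Python below runs over a constructed batch of audit records and flags two things: activities that used an alternate credential, which CAP does not evaluate today, and activities whose source address lies outside the corporate ranges. The audit API's real payload shape is not shown on this page, so the field names (`ip`, `authMechanism`, `user`, `activity`), the mechanism label `AAD`, and the sample records are assumptions made for the example; the corporate ranges use documentation addresses.

```python
import ipaddress
import json

# Corporate egress ranges that the Conditional Access IP policy allows.
# Constructed for this example (RFC 5737 documentation addresses).
CORPORATE_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Assumed label for an interactive Azure AD sign-in in the audit data. Every
# other mechanism (for example a personal access token) is treated as an
# alternate credential, which is exactly what CAP does not enforce today.
AAD_MECHANISM = "AAD"

# Constructed sample standing in for an activity-audit response. The field
# names are assumptions, not the documented VSTS schema.
SAMPLE_AUDIT_JSON = """
[
  {"timestamp": "2018-03-05T08:14:02Z", "user": "alice@contoso.example",
   "ip": "203.0.113.15", "authMechanism": "AAD", "activity": "Git.Fetch"},
  {"timestamp": "2018-03-05T08:20:41Z", "user": "alice@contoso.example",
   "ip": "203.0.113.15", "authMechanism": "PAT", "activity": "Git.Fetch"},
  {"timestamp": "2018-03-05T11:02:17Z", "user": "bob@contoso.example",
   "ip": "192.0.2.77", "authMechanism": "PAT", "activity": "Git.Clone"},
  {"timestamp": "2018-03-05T11:05:09Z", "user": "bob@contoso.example",
   "ip": "2001:db8::1", "authMechanism": "AAD", "activity": "Build.Queue"},
  {"timestamp": "2018-03-05T12:30:00Z", "user": "svc-build@contoso.example",
   "ip": "not-an-ip", "authMechanism": "PAT", "activity": "Git.Fetch"}
]
"""


def in_corporate_ranges(ip_text, ranges=CORPORATE_RANGES):
    """True if the address lies in an allowed range. An address that cannot be
    parsed is treated as untrusted rather than silently skipped, so a record
    with a blank or malformed IP still surfaces in the findings."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    # An IPv6 address is never "in" an IPv4 network, so v6 sources are flagged
    # unless a v6 corporate range is listed explicitly.
    return any(addr in net for net in ranges)


def classify(record):
    """Return the reasons an activity deserves a second look (empty if none)."""
    reasons = []
    if record.get("authMechanism") != AAD_MECHANISM:
        reasons.append("alternate_auth")          # CAP was not evaluated on this call
    if not in_corporate_ranges(record.get("ip", "")):
        reasons.append("outside_corporate_ip")    # source address not in the allowed ranges
    return reasons


def severity(reasons):
    """Rank findings: an alternate credential used from off-network is the CAP
    bypass the policy was meant to prevent. An AAD sign-in from outside the
    ranges should already have been blocked by CAP, so seeing one means either
    the policy or this script's range list needs checking."""
    if "alternate_auth" in reasons and "outside_corporate_ip" in reasons:
        return "high"
    if "outside_corporate_ip" in reasons:
        return "medium"
    return "low"


def find_anomalies(audit_json):
    """Parse an audit response and return the records worth flagging, each
    annotated with its reasons and a severity, in the original order."""
    findings = []
    for rec in json.loads(audit_json):
        reasons = classify(rec)
        if reasons:
            findings.append({**rec, "reasons": reasons, "severity": severity(reasons)})
    return findings


if __name__ == "__main__":
    for f in find_anomalies(SAMPLE_AUDIT_JSON):
        print(f"{f['severity']:6} {f['timestamp']} {f['user']:28} "
              f"{f['ip']:16} {f['authMechanism']:4} {f['activity']:12} {','.join(f['reasons'])}")
```

Swap `SAMPLE_AUDIT_JSON` for the body returned by the audit API and `CORPORATE_RANGES` for the ranges in your CAP named location, and the `high` findings are the personal-access-token calls from outside the corporate network that CAP could not stop.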

Author: Justin Marks (MSFT)

Justin Marks is a principal program manager at Microsoft working on identity management in Visual Studio Team Services. For the previous 7 years, Justin was part of the agile tooling space, where he worked on all aspects of the work tracking system, including process customization, the reporting stack, REST APIs, and collaboration experiences such as team room, agile tooling and lightweight requirements management. Before working on VSTS, Justin worked on the Visual Studio debugger, delivering the end-to-end IntelliTrace experience. During his 15 years at Microsoft, Justin has also worked as a Systems Engineer during the version 8 and 9 product cycles and on the Windows Shell as both a Software Design Engineer in Test and a Program Manager during Vista and Windows 7.