Enabling administrators to revoke VSTS access tokens

As promised in the Protecting our users from the ESLint NPM package breach blog post last week, we have deployed new REST APIs to allow administrators of Visual Studio Team Services (VSTS) organizations to centrally revoke Personal Access Tokens (PAT) and JSON Web Tokens (JWT) created by users in their organizations. We’ve reviewed our system telemetry and...


Protecting our users from the ESLint NPM package breach

On the 12th of July 2018, malicious code was detected in two popular open-source NPM packages, eslint-scope (version 3.7.2) and eslint-config-eslint (version 5.0.2). As a result, developers who downloaded and installed these packages may have had credentials stored in their .npmrc file compromised. This may include credentials required to access package feeds hosted in Visual Studio Team Services. ...


Supporting AzureAD Conditional Access Policy across VSTS

In February 2017, VSTS announced support for Azure Active Directory Conditional Access Policy (CAP). One caveat that was called out in that announcement was that alternate authentication mechanisms, such as personal access tokens, would not enforce CAP. As I discussed previously, many VSTS administrators gave us feedback that they need a way to ensure their users...


VSTS will no longer allow creation of new MSA users with custom domain names backed by AzureAD

3-28-2018 UPDATE: The deadline listed below has been extended to the end of September. Read my latest blog post for more information.

On September 15, 2016, the Azure Active Directory (Azure AD) team blocked the ability to create new Microsoft accounts using email addresses in domains that are configured in Azure AD. Many VSTS...
