Using AzureAD identities in Azure DevOps organizations backed by Microsoft Accounts

Azure DevOps now supports AzureAD (AAD) users accessing organizations that are backed by Microsoft accounts (MSA). For administrators, this means that if your organization uses MSAs for corporate users, new employees can use their AAD credentials for access instead of creating a new MSA identity. Using this feature doesn’t require any special configuration. Just like...


A Microsoft DevSecOps Static Application Security Testing (SAST) Exercise

Static Application Security Testing (SAST) is a critical DevSecOps practice. As engineering organizations accelerate continuous delivery to impressive levels, it’s important to ensure that continuous security validation keeps up. To do so most effectively requires a multi-dimensional application of static analysis tools. The more customizable the tool, the better you can shape it to your...


Enabling administrators to revoke VSTS access tokens

As promised in the Protecting our users from the ESLint NPM package breach blog post last week, we have deployed new REST APIs to allow administrators of Visual Studio Team Services (VSTS) organizations to centrally revoke Personal Access Tokens (PAT) and JSON Web Tokens (JWT) created by users in their organizations. We’ve reviewed our system telemetry and...


Protecting our users from the ESLint NPM package breach

On the 12th of July 2018, malicious code was detected in two popular open-source NPM packages, eslint-scope (version 3.7.2) and eslint-config-eslint (version 5.0.2). As a result, developers who downloaded and installed these packages may have had credentials stored in their .npmrc file compromised. This may include credentials required to access package feeds hosted in Visual Studio Team Services. ...
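The exposure described above, as an added example that is not part of the original post or of Microsoft's tooling: a Node script that checks a package-lock.json for the two compromised versions named in the excerpt and lists which credentials an .npmrc on the same machine would have handed to them. The lockfile, the .npmrc contents and the feed hostname are constructed sample data, and the two lockfile layouts handled (v1 nested `dependencies`, v2/v3 flat `packages`) go beyond what the excerpt mentions.

```javascript
// Added example (not from the original post): find the compromised
// eslint-scope / eslint-config-eslint versions in a lockfile and list the
// stored npm credentials that an install of them could have read.
const COMPROMISED = {
  'eslint-scope': new Set(['3.7.2']),
  'eslint-config-eslint': new Set(['5.0.2']),
};

// Return [{name, version, path}] for every compromised entry in a
// package-lock.json object, whichever lockfileVersion it uses.
function findCompromised(lock) {
  const hits = [];
  // lockfileVersion >= 2: flat map keyed like "node_modules/eslint-scope"
  for (const [p, info] of Object.entries(lock.packages || {})) {
    if (!p) continue; // "" is the root project itself
    const name = p.split('node_modules/').pop();
    if (COMPROMISED[name] && COMPROMISED[name].has(info.version)) {
      hits.push({ name, version: info.version, path: p });
    }
  }
  // lockfileVersion 1: nested "dependencies" objects
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const p = prefix + 'node_modules/' + name;
      if (COMPROMISED[name] && COMPROMISED[name].has(info.version)) {
        hits.push({ name, version: info.version, path: p });
      }
      walk(info.dependencies, p + '/');
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Parse .npmrc text and describe every credential entry. The secret value
// is never returned, only the registry it applies to and its kind.
function findStoredCredentials(npmrcText) {
  const creds = [];
  for (const raw of npmrcText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    // Scoped form "//host/path/:_authToken" or legacy top-level "_auth"
    const m = key.match(/^(\/\/.+\/)?:?(_authToken|_auth|_password)$/);
    if (!m) continue;
    creds.push({
      registry: m[1] || '(default registry)',
      kind: m[2],
      // "${VAR}" is resolved from the environment at run time; the file
      // itself holds no secret in that case
      stored: !/^\$\{[^}]+\}$/.test(value),
    });
  }
  return creds;
}

// A token needs rotating when the malicious version was installed AND a
// credential was sitting in the file for it to read.
function assess(lock, npmrcText) {
  const packages = findCompromised(lock);
  const credentials = findStoredCredentials(npmrcText).filter((c) => c.stored);
  return { packages, credentials, rotate: packages.length > 0 && credentials.length > 0 };
}

// Constructed sample inputs (not real project files or real tokens).
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    eslint: { version: '4.19.1', dependencies: { 'eslint-scope': { version: '3.7.2' } } },
    'eslint-config-eslint': { version: '5.0.1' },
  },
};
const SAMPLE_NPMRC = [
  'registry=https://registry.npmjs.org/',
  '//registry.npmjs.org/:_authToken=00000000-0000-0000-0000-000000000000',
  '//contoso.pkgs.visualstudio.com/_packaging/feed/npm/registry/:_authToken=${VSTS_TOKEN}',
  '; legacy base64 user:password entry',
  '_auth=dXNlcjpwYXNz',
].join('\n');

const REPORT = assess(SAMPLE_LOCK, SAMPLE_NPMRC);
console.log(JSON.stringify(REPORT, null, 2));
```

Run it against a real checkout by replacing the two constructed samples with `JSON.parse(fs.readFileSync('package-lock.json'))` and the contents of `~/.npmrc`; a `rotate: true` result means the feed token should be treated as exposed even if the lockfile has since been updated, because the install already happened.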


Supporting AzureAD Conditional Access Policy across VSTS

In February 2017, VSTS announced support for Azure Active Directory Conditional Access Policy (CAP). One caveat that was called out in that announcement was that alternate authentication mechanisms, such as personal access tokens, would not enforce CAP. As I discussed previously, many VSTS administrators gave us feedback that they need a way to ensure their users...
