Source: Microsoft Learn: Build skills that open doors in your career
Author: chcomley
URL: https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/conditional-access-policies?view=azure-devops
ONE SENTENCE SUMMARY:
Microsoft Entra ID enables tenant admins to control user access to resources through Conditional Access policies with specific conditions.
MAIN POINTS:
- Tenant admins use Conditional Access to control access to Microsoft resources.
- Access is based on conditions like group membership, location, and device.
- Policies can require multifactor authentication or block access.
- Policies are set in the Azure portal through “Microsoft Entra Conditional Access.”
- Azure DevOps requires specific Conditional Access settings.
- Entra ID checks all Conditional Access policies during web sign-ins.
- Personal access tokens (PATs) used for REST API calls must also satisfy the sign-in policies.
- Azure DevOps supports IP fencing policies for IPv4 and IPv6.
- Azure Resource Manager (ARM) Conditional Access policies no longer cover Azure DevOps sign-ins.
- ARM access is still required for billing and service connection roles.
TAKEAWAYS:
- Admins have granular control over resource access using Conditional Access.
- Azure DevOps now requires its own dedicated Conditional Access policy.
- Multifactor authentication is enforceable for web flows.
- IP fencing policies enhance security for non-interactive flows.
- ARM policies must be adjusted for roles needing continued access.