{"id":2160,"date":"2025-06-25T18:24:26","date_gmt":"2025-06-25T18:24:26","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2025\/06\/25\/removing-azure-resource-manager-reliance-on-azure-devops-sign-ins\/"},"modified":"2025-06-25T18:24:26","modified_gmt":"2025-06-25T18:24:26","slug":"removing-azure-resource-manager-reliance-on-azure-devops-sign-ins","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2025\/06\/25\/removing-azure-resource-manager-reliance-on-azure-devops-sign-ins\/","title":{"rendered":"Removing Azure Resource Manager reliance on Azure DevOps sign-ins"},"content":{"rendered":"<p>Azure DevOps will no longer depend on the Azure Resource Manager (ARM) resource (https:\/\/management.azure.com) when you sign in or refresh Microsoft Entra access tokens. Previously, Azure DevOps required the ARM audience during sign-in and token refresh flows. This requirement meant administrators had to allow all Azure DevOps users to bypass ARM-based Conditional Access policies (CAPs) to maintain access to ADO.<\/p>\n<p>Tokens for Azure DevOps no longer require the ARM audience. As a result, you can manage Azure DevOps access more effectively by creating Azure DevOps-specific CAPs instead of relying on the ARM CAP to block ADO usage. 
<strong>These changes will go into effect on July 28, 2025.<\/strong><\/p>\n<h2>Does this impact me?<\/h2>\n<p>If you have previously set up a <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/conditional-access\/concept-conditional-access-cloud-apps#windows-azure-service-management-api\">Conditional Access Policy (CAP) for the Windows Azure Service Management API application<\/a>, or any of its associated applications:<\/p>\n<p>Azure Resource Manager (ARM)<br \/>\nAzure portal, which also covers the Microsoft Entra admin center<br \/>\nAzure Data Lake<br \/>\nApplication Insights API<br \/>\nLog Analytics API<\/p>\n<p>This Conditional Access Policy no longer covers Azure DevOps sign-ins. You will need to set up a new ADO-exclusive CAP in order to get continued CAP coverage of Azure DevOps.<\/p>\n<h2>How do I set up a CAP for Azure DevOps?<\/h2>\n<p>As a tenant admin, you can use <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/conditional-access\/overview\">Conditional Access policies (CAPs)<\/a> to block or grant user access to Azure resources if they meet certain conditions (e.g. have an accepted IP address, belong to specific Entra groups, access from a given device, etc.) 
or complete actions like multifactor authentication.<\/p>\n<p>To create a conditional access policy that targets the Azure DevOps resource specifically:<\/p>\n<p>Go to the <a href=\"https:\/\/portal.azure.com\/\"><strong>Azure Portal<\/strong><\/a> and find the <strong>\u201cMicrosoft Entra Conditional Access\u201d<\/strong> service.<br \/>\nSelect <strong>\u201cPolicies\u201d<\/strong> on the right sidebar.<br \/>\nSelect the <strong>\u201c+ New policy\u201d<\/strong> button.<br \/>\nProvide the policy a name and configure other settings as desired.<br \/>\nFor the <strong>\u201cTarget resources\u201d<\/strong> assignments, toggle <strong>\u201cSelect resources\u201d<\/strong> and add the <strong>\u201cMicrosoft Visual Studio Team Services\u201d<\/strong> resource (resource id: 499b84ac-1321-427f-aa17-267ca6975798) to the list of target resources.<br \/>\nSelect <strong>Save<\/strong> to apply this new CAP.<\/p>\n<p>Learn more about the different flavors of conditional access policies you can set by reading the <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/conditional-access\/\">Microsoft Entra Conditional Access documentation<\/a>.<\/p>\n<h3>Notable exceptions<\/h3>\n<p>Continued access to ARM is still required for the following Azure DevOps users:<\/p>\n<p><strong>Billing administrators<\/strong> need access to ARM to set up billing and access subscriptions.<br \/>\n<strong>Service Connection creators<\/strong> require access to ARM for ARM role assignments and updates to managed service identities (MSIs).<\/p>\n<p>For users who regularly conduct these actions, it may be worth adding them as exclusions to any ARM \/ Windows Azure Service Management API CAPs.<\/p>\n<p>The post <a href=\"https:\/\/devblogs.microsoft.com\/devops\/removing-azure-resource-manager-reliance-on-azure-devops-sign-ins\/\">Removing Azure Resource 
Manager reliance on Azure DevOps sign-ins<\/a> appeared first on <a href=\"https:\/\/devblogs.microsoft.com\/devops\">Azure DevOps Blog<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>Azure DevOps will no longer depend on the Azure Resource Manager (ARM) resource (https:\/\/management.azure.com) when you sign in or refresh [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2161,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2160","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/2160","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=2160"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/2160\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media\/2161"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=2160"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=2160"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=2160"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}