{"id":40355,"date":"2018-01-30T19:41:05","date_gmt":"2018-01-30T19:41:05","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/devops\/?p=40355"},"modified":"2019-02-14T15:50:18","modified_gmt":"2019-02-14T23:50:18","slug":"supporting-azuread-conditional-access-policy-across-vsts","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/supporting-azuread-conditional-access-policy-across-vsts\/","title":{"rendered":"Supporting AzureAD Conditional Access Policy across VSTS"},"content":{"rendered":"<p>In February 2017, <a href=\"https:\/\/docs.microsoft.com\/en-us\/vsts\/release-notes\/2017\/feb-15-team-services#support-for-aad-conditional-access\">VSTS announced support for Azure Active Directory Conditional Access Policy<\/a>\u00a0(CAP).\u00a0 One caveat called out in that announcement was that alternate authentication mechanisms, such as personal access tokens, would not enforce CAP.<\/p>\n<p>As I discussed previously, many VSTS administrators gave us feedback that they need a way to ensure their users weren&#8217;t accessing development assets, such as source code, from outside corporate walls.\u00a0 We have been partnering with the AzureAD team to provide an update to the Active Directory Authentication Library (ADAL) that allows us to pass the client&#8217;s IP address in our requests for a refresh token.\u00a0 This will allow us to proactively block calls to VSTS that don&#8217;t meet the CAP IP policy.\u00a0 Our plan is to deliver these changes during 2018 Q2.<\/p>\n<p>While we wait for this gap to be filled, we provide APIs that administrators can use to audit activity within an account.\u00a0 The APIs return the IP address and authentication mechanism used for each activity, so custom business logic can be written to monitor and flag abnormalities.\u00a0 Caleb Cartwright has been experimenting with these APIs and has been gracious enough to share his <a href=\"https:\/\/github.com\/swellaby\/vsts-traffic-monitor\">sample on GitHub<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In February 2017, VSTS announced support for Azure Active Directory Conditional Access Policy\u00a0(CAP).\u00a0 One caveat called out in that announcement was that alternate authentication mechanisms, such as personal access tokens, would not enforce CAP. As I discussed previously, many VSTS administrators gave us feedback that they need a way to ensure their users [&hellip;]<\/p>\n","protected":false},"author":174,"featured_media":45953,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[228,1,251],"tags":[],"class_list":["post-40355","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-admin-licensing","category-devops","category-security"],"acf":[],"blog_post_summary":"<p>In February 2017, VSTS announced support for Azure Active Directory Conditional Access Policy\u00a0(CAP).\u00a0 One caveat called out in that announcement was that alternate authentication mechanisms, such as personal access tokens, would not enforce CAP. As I discussed previously, many VSTS administrators gave us feedback that they need a way to ensure their users [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/40355","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/users\/174"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/comments?post=40355"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/40355\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media\/45953"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media?parent=40355"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/categories?post=40355"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/tags?post=40355"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}