Microsoft Entra requires updating Conditional Access policies by September 4, 2025, to explicitly include Azure DevOps (App ID: 499b84ac-1321-427f-aa17-267ca6975798) for secure sign-ins. Policies targeting the Windows Azure Service Management API will no longer protect Azure DevOps access. Microsoft Entra ID P1 or higher license is needed.
Introduction
Microsoft Entra is updating how Conditional Access (CA) policies apply to Azure DevOps sign-ins. Azure DevOps will no longer rely on the Azure Resource Manager (ARM) resource during sign-in or token refresh flows. This change ensures that access controls are applied directly to Azure DevOps. Organizations must update their Conditional Access policies to explicitly include Azure DevOps to maintain secure access.
When this will happen
This change will take effect starting September 2, 2025, and will be fully enforced by September 4, 2025, across all environments.
How does this affect your organization?
If your organization has Conditional Access policies targeting the Windows Azure Service Management API (App ID: 797f4846-ba00-4fd7-ba43-dac1f8f63013), those policies will no longer apply to Azure DevOps sign-ins. This may result in unprotected access unless these policies are updated to include Azure DevOps (App ID: 499b84ac-1321-427f-aa17-267ca6975798).
What do you need to do to prepare?
To ensure continued protection of Azure DevOps sign-ins, administrators should:
Learn more:
Compliance considerations
No compliance considerations identified, review as appropriate for your organization.