MC1123830 - Microsoft Entra: Action Required – Update Conditional Access Policies for Azure DevOps Sign-ins

Service

Microsoft Entra

Published

Jul 28, 2025

Tag

Major change
Feature update
User impact
Admin impact

Act by

Sep 4, 2025

Summary

Microsoft Entra requires updating Conditional Access policies by September 4, 2025, to explicitly include Azure DevOps (App ID: 499b84ac-1321-427f-aa17-267ca6975798) for secure sign-ins. Policies targeting the Windows Azure Service Management API will no longer protect Azure DevOps access. A Microsoft Entra ID P1 or higher license is needed.

More information

Introduction

Microsoft Entra is updating how Conditional Access (CA) policies apply to Azure DevOps sign-ins. Azure DevOps will no longer rely on the Azure Resource Manager (ARM) resource during sign-in or token refresh flows. This change ensures that access controls are applied directly to Azure DevOps. Organizations must update their Conditional Access policies to explicitly include Azure DevOps to maintain secure access.

When this will happen

This change will take effect starting September 2, 2025, and will be fully enforced by September 4, 2025, across all environments.

How does this affect your organization?

If your organization has Conditional Access policies targeting the Windows Azure Service Management API (App ID: 797f4846-ba00-4fd7-ba43-dac1f8f63013), those policies will no longer apply to Azure DevOps sign-ins. This may result in unprotected access unless these policies are updated to include Azure DevOps (App ID: 499b84ac-1321-427f-aa17-267ca6975798).

  • Access controls such as MFA or compliant device requirements may not be enforced unless policies are updated.
  • If you already have a policy that targets all users and all cloud apps and does not explicitly exclude Azure DevOps, no action is required—Azure DevOps sign-ins will continue to be protected.
  • This change does not introduce any new user-facing experience or UI changes.
  • Sign-in activity can be monitored using Microsoft Entra ID sign-in logs.
  • Licensing requirement: Microsoft Entra ID P1 or P2 is required. There are no functional differences by license type. This is a feature change, not a new feature, so trial or preview options are not applicable.
  • Unlicensed users may also be impacted.
  • Existing Conditional Access policies will be affected, specifically those targeting the Windows Azure Service Management API.
  • A small subset of tenants may see the app name as "Microsoft Visual Studio Team Services" instead of "Azure DevOps"—the App ID remains the same.

What do you need to do to prepare?

To ensure continued protection of Azure DevOps sign-ins, administrators should:

  • Review existing Conditional Access policies - Identify any policies that target the Windows Azure Service Management API.
  • Update policies to include Azure DevOps:
    • Go to the Entra admin center.
    • Navigate to Entra ID > Conditional Access > Policies.
    • Select the relevant policy.
    • Under Target resources, choose Select resources and add Azure DevOps (App ID: 499b84ac-1321-427f-aa17-267ca6975798).
    • Save the policy.
  • Use Entra ID group membership to scope policies to specific users or groups.
  • Monitor sign-in activity using Entra ID sign-in logs.
  • Review licensing requirements - Conditional Access requires Microsoft Entra ID P1 or higher. Organizations without the required license may explore trial options.
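
The review step above can be run offline against a JSON export of the tenant's Conditional Access policies. The script below is an added example, not part of the Microsoft notice: it assumes the export has the shape of a Microsoft Graph conditionalAccessPolicy list (value, displayName, state, conditions.applications.includeApplications / excludeApplications), the sample policies are constructed, and user or group scoping is not evaluated.

```python
import json

ARM_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"     # Windows Azure Service Management API
DEVOPS_APP_ID = "499b84ac-1321-427f-aa17-267ca6975798"  # Azure DevOps

# Constructed sample, shaped like a Graph conditionalAccessPolicy list response.
SAMPLE_EXPORT = json.dumps({"value": [
    {"displayName": "MFA for Azure management", "state": "enabled",
     "conditions": {"applications": {"includeApplications": [ARM_APP_ID]}}},
    {"displayName": "MFA for all apps", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"]}}},
    {"displayName": "Compliant device, DevOps carved out", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"],
                                     "excludeApplications": [DEVOPS_APP_ID]}}},
    {"displayName": "MFA for Office 365", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["Office365"]}}},
    {"displayName": "MFA for ARM and DevOps", "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeApplications": [ARM_APP_ID, DEVOPS_APP_ID]}}},
]})

def classify(policy):
    """Return 'unrelated', 'excluded', 'covered' or 'needs-update' for one policy."""
    apps = (policy.get("conditions") or {}).get("applications") or {}
    include = {a.lower() for a in apps.get("includeApplications") or []}
    exclude = {a.lower() for a in apps.get("excludeApplications") or []}
    targets_all = "all" in include
    if not (targets_all or ARM_APP_ID in include or DEVOPS_APP_ID in include):
        return "unrelated"      # policy never applied to Azure DevOps sign-ins
    if DEVOPS_APP_ID in exclude:
        return "excluded"       # Azure DevOps is explicitly excluded
    if targets_all or DEVOPS_APP_ID in include:
        return "covered"        # all resources, or Azure DevOps listed by App ID
    return "needs-update"       # targets only the ARM App ID: add Azure DevOps

def audit(export_json):
    """Return (displayName, state, verdict) for every policy relevant to the change."""
    rows = []
    for policy in json.loads(export_json).get("value", []):
        verdict = classify(policy)
        if verdict != "unrelated":
            rows.append((policy.get("displayName"), policy.get("state"), verdict))
    return rows

if __name__ == "__main__":
    for name, state, verdict in audit(SAMPLE_EXPORT):
        print(f"{verdict:13} {state:35} {name}")
```

A policy reported as covered still enforces nothing while its state is disabled or report-only, so read the state column alongside the verdict.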

Compliance considerations

No compliance considerations identified; review as appropriate for your organization.