Microsoft 365 Message Center Archive

MC1123830 - Microsoft Entra: Action Required – Update Conditional Access Policies for Azure DevOps Sign-ins

Message ID

MC1123830

View in Message Center

Service

Microsoft Entra

Last Updated

Sep 4, 2025

Published Jul 28, 2025

Tag

Major change
Updated message
Feature update
User impact
Admin impact

Act by

Sep 4, 2025

Summary

Microsoft Entra will stop applying Conditional Access policies via Azure Resource Manager for Azure DevOps sign-ins starting September 2, 2025, fully enforced by September 18. Organizations must update policies to explicitly include Azure DevOps (App ID: 499b84ac-1321-427f-aa17-267ca6975798) to maintain secure access.

More information

Updated September 4, 2025: We have updated the timeline. Thank you for your patience.

Introduction

Microsoft Entra is updating how Conditional Access (CA) policies apply to Azure DevOps sign-ins. Azure DevOps will no longer rely on the Azure Resource Manager (ARM) resource during sign-in or token refresh flows. This change ensures that access controls are applied directly to Azure DevOps. Organizations must update their Conditional Access policies to explicitly include Azure DevOps to maintain secure access.

When this will happen

This change will take effect starting September 2, 2025, and will be fully enforced by September 18, 2025 (previously September 4), across all environments.

How does this affect your organization?

If your organization has Conditional Access policies targeting the Windows Azure Service Management API (App ID: 797f4846-ba00-4fd7-ba43-dac1f8f63013), those policies will no longer apply to Azure DevOps sign-ins. This may result in unprotected access unless these policies are updated to include Azure DevOps (App ID: 499b84ac-1321-427f-aa17-267ca6975798).

  • Access controls such as MFA or compliant device requirements may not be enforced unless policies are updated.
  • If you already have a policy that targets all users and all cloud apps and does not explicitly exclude Azure DevOps, no action is required—Azure DevOps sign-ins will continue to be protected.
  • This change does not introduce any new user-facing experience or UI changes.
  • Sign-in activity can be monitored using Microsoft Entra ID sign-in logs.
  • Licensing requirement: Microsoft Entra ID P1 or P2 is required. There are no functional differences by license type. This is a feature change, not a new feature, so trial or preview options are not applicable.
  • Unlicensed users may also be impacted.
  • Existing Conditional Access policies will be affected, specifically those targeting the Windows Azure Service Management API.
  • A small subset of tenants may see the app name as "Microsoft Visual Studio Team Services" instead of "Azure DevOps"—the App ID remains the same.

 What do you need to do to prepare?

To ensure continued protection of Azure DevOps sign-ins, administrators should:

  • Review existing Conditional Access policies - Identify any policies that target the Windows Azure Service Management API.
  • Update policies to include Azure DevOps:
    • Go to the Entra admin center.
    • Navigate to Entra ID > Conditional Access > Policies.
    • Select the relevant policy.
    • Under Target resources, choose Select resources and add Azure DevOps (App ID: 499b84ac-1321-427f-aa17-267ca6975798).
    • Save the policy.
  • Use Entra ID group membership to scope policies to specific users or groups.
  • Monitor sign-in activity using Entra ID sign-in logs.
  • Review licensing requirements - Conditional Access requires Microsoft Entra ID P1 or higher. Organizations without the required license may explore trial options.

Learn more:

Compliance considerations

No compliance considerations identified, review as appropriate for your organization.