June 25th, 2025

Removing Azure Resource Manager reliance on Azure DevOps sign-ins

Angel Wong
Product Manager

Azure DevOps will no longer depend on the Azure Resource Manager (ARM) resource (https://management.azure.com) when you sign in or refresh Microsoft Entra access tokens. Previously, Azure DevOps required the ARM audience during sign-in and token refresh flows. This requirement meant administrators had to allow all Azure DevOps users to satisfy ARM-based Conditional Access policies to maintain access to ADO.

Tokens for Azure DevOps no longer require the ARM audience. As a result, you can manage Azure DevOps access more effectively by creating an Azure DevOps-specific Conditional Access policy instead of relying on the ARM Conditional Access policy to enforce access controls on ADO usage. These changes will go into effect on July 28, 2025 September 2, 2025.

Does this impact me?

If you have previously set up a Conditional Access policy for the Windows Azure Service Management API application, this Conditional Access policy no longer covers Azure DevOps sign-ins. You will need to set up a new ADO-exclusive Conditional Access policy in order to get continued coverage of Azure DevOps.

How do I set up a Conditional Access policy for Azure DevOps?

As a tenant admin, you can use Conditional Access policies to block or grant user access to Azure resources if they meet certain conditions (e.g. have an accepted IP address, belong to specific Entra groups, access from a given device, etc.) or complete actions like multifactor authentication.

To create a Conditional Access policy that targets the Azure DevOps resource specifically:

  1. Go to the Azure Portal and find the “Microsoft Entra Conditional Access” service.
  2. Select “Policies” on the right sidebar.
  3. Select the “+ New policy” button.
  4. Give the policy a name and configure other settings as desired.
  5. For the “Target resources” assignments, toggle “Select resources” and add the “Microsoft Visual Studio Team Services” or “Azure DevOps” resource (resource id: 499b84ac-1321-427f-aa17-267ca6975798) to the list of target resources.
  6. Select Save to apply this new policy.

[Image: Set up a new Conditional Access policy for Azure DevOps]

Learn more about the different flavors of Conditional Access policies you can set by reading the Microsoft Entra docs.
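
To check for the coverage gap described under "Does this impact me?" before creating the new policy, the following added example (not code from the post or from Microsoft) scans exported policies and reports which grant controls exist only on ARM-scoped policies. It assumes policies in the JSON shape returned by Microsoft Graph's `/identity/conditionalAccess/policies`, and the ARM application id is the publicly documented one, not a value from the post; the sample policies are constructed.

```python
"""Added example: find ARM-scoped Conditional Access controls that Azure DevOps sign-ins lose."""

ADO_APP_ID = "499b84ac-1321-427f-aa17-267ca6975798"  # resource id given in the post
ARM_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"  # Windows Azure Service Management API (assumption, not in the post)

def covers(policy, app_id):
    """True if an enforced policy targets app_id (included and not excluded)."""
    if policy.get("state") != "enabled":
        return False  # disabled and report-only policies enforce nothing
    apps = policy.get("conditions", {}).get("applications", {})
    included = apps.get("includeApplications") or []
    excluded = apps.get("excludeApplications") or []
    return ("All" in included or app_id in included) and app_id not in excluded

def controls(policy):
    """Built-in grant controls (mfa, compliantDevice, block, ...) of a policy."""
    return set((policy.get("grantControls") or {}).get("builtInControls") or [])

def lost_controls(policies):
    """Map each ARM-only policy to the controls no Azure DevOps policy enforces."""
    # Simplification: user, location and device conditions are not compared.
    ado_controls = set()
    for p in policies:
        if covers(p, ADO_APP_ID):
            ado_controls |= controls(p)
    return {p["displayName"]: sorted(controls(p) - ado_controls)
            for p in policies
            if covers(p, ARM_APP_ID) and not covers(p, ADO_APP_ID)}

def policy(name, state, include, grant, exclude=()):
    """Build a constructed sample in the Graph conditionalAccessPolicy shape."""
    return {"displayName": name, "state": state,
            "conditions": {"applications": {"includeApplications": list(include),
                                            "excludeApplications": list(exclude)}},
            "grantControls": {"operator": "AND", "builtInControls": list(grant)}}

SAMPLE = [  # constructed policies, not taken from a real tenant
    policy("Azure management: MFA + compliant device", "enabled", [ARM_APP_ID], ["mfa", "compliantDevice"]),
    policy("Azure DevOps: MFA", "enabled", [ADO_APP_ID], ["mfa"]),
    policy("All apps: block (report-only)", "enabledForReportingButNotEnforced", ["All"], ["block"]),
]

if __name__ == "__main__":
    for name, missing in lost_controls(SAMPLE).items():
        print(f"{name}: not enforced for Azure DevOps -> {missing or 'nothing'}")
```

A non-empty list for a policy means those controls stop applying to Azure DevOps sign-ins unless a policy targeting the Azure DevOps resource also enforces them.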

Notable exceptions

Continued access to ARM is still required for the following Azure DevOps users:

  • Billing administrators need access to ARM to set up billing and access subscriptions.
  • Service Connection creators require access to ARM for ARM role assignments and updates to managed service identities (MSIs).

Author

Angel Wong
Senior Product Manager, Azure DevOps

3 comments

  • M D

    On the notable exceptions requiring access to ARM, is this evaluated during the initial sign-in or when access to the appropriate function is initiated? Currently users can just remove “&resource=https%3A%2F%2Fmanagement.core.windows.net” from the SSO URL and this dependency doesn’t trigger.

  • Frank

    Hello Angel,

    if this works the way I hope it does, then you’ve just made my day!

    Thanks
    Frank