Security

Update: Support for TLS 1.0/1.1 in Azure DevOps Services Extended

Justin Chung March 6, 2020 Mar 6, 2020 03/6/20

Unlike previously announced, we will not temporarily or permanently disable TLS 1.0 and TLS 1.1 in Azure DevOps Services until further notice.

Azure DevOps Services to require TLS 1.2 (Updated)

Justin Chung February 27, 2020 Feb 27, 2020 02/27/20

UPDATE: Based on customers' feedback, we have decided to postpone this change. We will not disable TLS 1.0/1.1 support for Azure DevOps Services until further notice.

Secure software supply chain with Azure Pipelines artifact policies

Vishal Jain November 6, 2019 Nov 6, 2019 11/6/19

New preview capabilities for Azure Pipelines let you define artifact policies that are enforced before deploying to critical environments such as production. You will be able to define custom policies that are evaluated against all the deployable artifacts in a given pipeline run and block the deployment if the artifacts don't comply.

Auditing for Azure DevOps is now in Public Preview

Octavio Licea Leon June 26, 2019 Jun 26, 2019 06/26/19

Auditing for Azure DevOps is now available for all organizations as a Public Preview! A new way to monitor activities and changes throughout Azure DevOps organizations.

New IP firewall rules for Azure DevOps Services

Whitney Jenkins May 31, 2019 May 31, 2019 05/31/19

Azure DevOps is currently investing in enhancing its routing structure. As a result of this enhancement, our IP address space will be changing. If you're currently using firewall rules to allow traffic to Azure DevOps, please be sure to update these rules to account for our new IP ranges.

Using AzureAD identities in Azure DevOps organizations backed by Microsoft Accounts

Justin Marks September 27, 2018 Sep 27, 2018 09/27/18

Azure DevOps now supports AzureAD (AAD) users accessing organizations that are backed by Microsoft accounts (MSA). For administrators, this means that if your organization uses MSAs for corporate users, new employees can use their AAD credentials for access instead of creating a new MSA identity.

Introducing Search service authentication to make communications with TFS more secure

Subrahmanya Srinivas September 13, 2018 Sep 13, 2018 09/13/18

Basic authorization is now enabled on the communication between the TFS and Search services to make it more secure.

A Microsoft DevSecOps Static Application Security Testing (SAST) Exercise

Michael C. Fanning August 21, 2018 Aug 21, 2018 08/21/18

Static Application Security Testing (SAST) is a critical DevSecOps practice. As engineering organizations accelerate continuous delivery to impressive levels, it’s important to ensure that continuous security validation keeps up. To do so most effectively requires a multi-dimensional application of static analysis tools. The more customizable the tool, the better you can shape it to your actual security risk.

Revoking potentially impacted tokens from ESLint vulnerability

Justin Marks August 8, 2018 Aug 8, 2018 08/8/18

On the 24th of July 2018, we notified some customers via e-mail and on this blog about a planned action that we would start taking in relation to the malicious ESLint NPM package incident. This action is now underway.

Enabling administrators to revoke VSTS access tokens

Justin Marks July 24, 2018 Jul 24, 2018 07/24/18

As promised in the Protecting our users from the ESLint NPM package breach blog post last week, we have deployed new REST APIs to allow administrators of Visual Studio Team Services (VSTS) accounts to centrally revoke Personal Access Tokens (PAT) and JSON Web Tokens (JWT) created by users in their accounts. We've reviewed our system ...

Azure DevOps Blog

Security - Azure DevOps Blog