IPv6 fencing Conditional Access Policies now supported

Angel Wong

Companies are placing increasing importance on ensuring that only authorized team members are allowed to access valuable company resources on Azure DevOps. One such way they have been able to do so is through conditional access policies (CAPs) they have set in Azure Active Directory (Azure AD). Such CAPs allow organizations to set rules that restrict who can actually use Azure DevOps based on how the inbound user is accessing the resource (e.g. which location, what device type, etc.). Previously, Azure DevOps has only supported IP fencing policies based on IPv4 addresses for web and alternate authentication flows, i.e. PATs and SSH keys.

We are now extending our CAP support to also include IPv6 fencing policies. As we see people increasingly access Azure DevOps resources on devices from IPv6 addresses, we want to ensure that your teams are equipped to grant and remove access from any IP address.

As a reminder, to ensure that IP fencing policies are enforced for PATs and SSH keys, CAP support must be enabled in both Azure AD and Azure DevOps.

  • To learn more about the type of conditional access policies available in Azure AD and how to manage them, read up on conditional access policies in the Azure AD documentation.
  • To enable IP fencing support within Azure DevOps, set “Enable Azure Active Directory Conditional Access Policy Validation” on within the Policies page of your Organization Settings. (Note: If CAP is enabled within Azure AD only, Azure DevOps will only enforce CAPs for the web flow.)

For users who already have CAPs enabled in both Azure AD and Azure DevOps, you will now see IPv6 addresses abiding by any conditional access policies as defined by your tenant within Azure AD.

Previously, any inbound IPv6 traffic was allowed into Azure DevOps. This no longer holds with this update. Let’s say you have a conditional access policy defined that restricts access to a limited range of IPv4 addresses, IPv6 devices that were previously able to access your organization’s resources will now find their access restricted. To enable access for these devices moving forward, you must edit your CAP configuration to include the newly allowed IPv6 ranges.

You should see this change rolled out to all organizations within the coming month. We hope this update will help your teams remain secure against unauthorized access. Let us know what you think about this update and other CAP-related updates you’d like to see in Azure DevOps in the comments section below.


Discussion is closed.

Feedback usabilla icon