Recently we deployed Azure DevOps end to end in a customer environment and, while deploying, applied all necessary policies as per best practices. These policies can be applied by all customers, and this blog aims to make that easier. The details are shared in a Q&A format for better understanding.
1. Who can set up these policies?
Identify a custodian user who will manage Azure DevOps in your organization. This user can also be your Azure Active Directory Administrator. Once the user is identified, go to Azure Active Directory in Azure -> Roles and administrators -> All roles.
Then filter for the role Azure DevOps Administrator and click on it to make an Active assignment or an Eligible assignment for the user.
Once the role assignment is complete, the user can set up the ADO policies at the Azure Active Directory level.
2. Where can a user see these policies?
The policies are available at Organization Settings -> Azure Active Directory. A normal user sees the following screen on the Azure Active Directory page in Azure DevOps.
A user with the Azure DevOps Administrator role in the tenant sees the following additional policies on the Azure Active Directory page in Azure DevOps.
Restrict Org Creation
Restrict Global PAT Creation
Restrict Full-Scoped PAT Creation
Enforce Maximum PAT Lifespan
The policies are self-explanatory. The Azure DevOps Administrator at tenant level can set them, and they apply to all users using Azure DevOps in the organization.
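Before switching on the three PAT policies listed above, an administrator may want to know which existing tokens fall outside them. The following is an added example, not part of the original post: the record fields, the `app_token` full-scope marker and the 30-day limit are assumptions for illustration, and the sample tokens are constructed.

```python
from datetime import datetime, timedelta

# Assumed policy value: the post does not state a maximum lifespan.
MAX_LIFESPAN_DAYS = 30
# Assumed marker for a full-scoped token in the exported scope string.
FULL_SCOPE = "app_token"

# Constructed sample inventory; field names are assumptions for this example.
SAMPLE_PATS = [
    {"displayName": "build-agent", "scope": "vso.build_execute",
     "validFrom": "2024-01-01T00:00:00Z", "validTo": "2024-01-21T00:00:00Z",
     "targetAccounts": ["org-id-placeholder"]},
    {"displayName": "legacy-script", "scope": "app_token",
     "validFrom": "2024-01-01T00:00:00Z", "validTo": "2025-01-01T00:00:00Z",
     "targetAccounts": ["org-id-placeholder"]},
    {"displayName": "multi-org-tool", "scope": "vso.code",
     "validFrom": "2024-02-01T00:00:00Z", "validTo": "2024-02-15T00:00:00Z",
     "targetAccounts": []},  # no single organization: treated as a global PAT
]

def _parse(ts):
    """Parse the UTC timestamp format used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def violations(pat, max_days=MAX_LIFESPAN_DAYS):
    """Return the names of the PAT policies this token would not satisfy."""
    found = []
    if not pat.get("targetAccounts"):
        found.append("Restrict Global PAT Creation")
    if FULL_SCOPE in pat.get("scope", "").split():
        found.append("Restrict Full-Scoped PAT Creation")
    lifespan = _parse(pat["validTo"]) - _parse(pat["validFrom"])
    if lifespan > timedelta(days=max_days):
        found.append("Enforce Maximum PAT Lifespan")
    return found

def audit(pats, max_days=MAX_LIFESPAN_DAYS):
    """Map each non-compliant token name to the policies it falls outside."""
    report = {}
    for pat in pats:
        broken = violations(pat, max_days)
        if broken:
            report[pat["displayName"]] = broken
    return report

if __name__ == "__main__":
    for name, broken in audit(SAMPLE_PATS).items():
        print(f"{name}: {', '.join(broken)}")
```

The token owners in the resulting report can be asked to reissue narrower, shorter-lived tokens before the policies are enforced.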