Setting up AAD Policies in Azure DevOps

Deepak Kumar Mishra

Recently we deployed Azure DevOps end to end at a customer environment and while deploying, we applied all necessary policies as per best practices. These policies can be applied by all customers and this blog aims to make it easier for our customers. The details are shared in a Q&A format for better understanding.

1. Who can set up these policies?

Identify a custodian user who will manage Azure DevOps in your organization. This can be the same user as your Azure Active Directory administrator. Once the user is identified, go to Azure Active Directory in Azure -> Roles and administrators -> All roles.

Then filter for the role Azure DevOps Administrator as shown below and click on it to make an Active assignment or an Eligible assignment for the user.

Image AzureDevOpsAdministrator

Once the role assignment is complete, it appears as shown below:

Image RoleAssignment

Now the user can set up the ADO policies at Azure Active Directory level.
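The same role assignment can be scripted so it is repeatable and reviewable. The following is an added example, not code from the original post, using the Microsoft Graph PowerShell SDK (the Microsoft.Graph module); it assumes the caller can manage directory role assignments, and the custodian UPN is a constructed placeholder.

```powershell
# Added example: assign the "Azure DevOps Administrator" directory role to a custodian user
# with Microsoft Graph PowerShell. The UPN is a placeholder; replace it with the real custodian.
$custodianUpn = 'devops.custodian@contoso.example'   # constructed placeholder

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

# Resolve the role by display name instead of hard-coding its template id.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Azure DevOps Administrator'"
if (-not $roleDef) { throw "Role definition 'Azure DevOps Administrator' not found in this tenant." }

$user = Get-MgUser -UserId $custodianUpn

# Idempotent: skip if the user already holds the role.
$existing = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" |
    Where-Object { $_.RoleDefinitionId -eq $roleDef.Id }

if ($existing) {
    Write-Host "$custodianUpn already holds the Azure DevOps Administrator role."
} else {
    # DirectoryScopeId '/' means tenant-wide. This creates an Active assignment;
    # an Eligible assignment would instead be created through PIM.
    $params = @{
        PrincipalId      = $user.Id
        RoleDefinitionId = $roleDef.Id
        DirectoryScopeId = '/'
    }
    New-MgRoleManagementDirectoryRoleAssignment -BodyParameter $params | Out-Null
    Write-Host "Assigned Azure DevOps Administrator to $custodianUpn."
}

# Review step: list every principal holding the role so the assignment set can be audited.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($roleDef.Id)'" |
    ForEach-Object {
        $obj = Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId
        [pscustomobject]@{
            PrincipalId = $_.PrincipalId
            DisplayName = $obj.AdditionalProperties['displayName']
            Upn         = $obj.AdditionalProperties['userPrincipalName']
        }
    } | Format-Table -AutoSize
```

The final listing is the check worth keeping: the tenant-level policies below apply to every Azure DevOps user, so the set of accounts able to change them should stay small and known.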

2. Where can a user see these policies?

The policies are available at Organization Settings -> Azure Active Directory. A normal user sees the following screen on the Azure Active Directory page in Azure DevOps.

Image AADNormalUser

A user with the Azure DevOps Administrator role in the tenant sees the following additional policies on the Azure Active Directory page in Azure DevOps:

Restrict Org Creation

Restrict Global PAT Creation

Restrict Full-Scoped PAT Creation

Enforce Maximum PAT Lifespan

Image AADADOAdmin

The policies are self-explanatory. The Azure DevOps Administrator at tenant level can set them, and once set they apply to all users of Azure DevOps in the organization.
