Supporting AzureAD Conditional Access Policy across VSTS
In February 2017, VSTS announced support for Azure Active Directory Conditional Access Policy (CAP). One caveat called out in that announcement was that alternate authentication mechanisms, such as personal access tokens (PATs), do not enforce CAP: CAP is evaluated at interactive AzureAD sign-in, so a request authenticated with a PAT is not subject to the policy's IP restrictions.
As I discussed previously, many VSTS administrators told us they need a way to ensure their users are not accessing development assets, such as source code, from outside corporate walls. We have been partnering with the AzureAD team on an update to the Active Directory Authentication Library (ADAL) that lets us include the client's IP address in our requests for a refresh token. AzureAD evaluates the location condition against the address the token request comes from, and for these flows that is the VSTS service rather than the user's machine; passing the client address along lets the CAP IP policy be applied to the real caller, so VSTS can proactively block calls that do not meet it. Our plan is to deliver these changes during 2018 Q2.
While we wait for this gap to be filled, we have provided APIs that administrators can use to audit activity within an account. The APIs return the IP address and authentication mechanism used for each activity, so custom business logic can be written to monitor the feed and flag abnormalities, for example a PAT used from an address outside the corporate ranges. Caleb Cartwright has been experimenting with these APIs and has been gracious enough to share his sample on GitHub.
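The kind of monitoring logic described above, as an added example that is not part of the original post or of Caleb's sample: it takes a batch of audit records, checks each caller IP against the corporate ranges that the CAP IP policy allows, and flags activity that CAP would never have seen. The JSON field names, the authentication mechanism labels, the corporate ranges and the sample records are all assumptions constructed for this example, not the documented VSTS audit schema; map them to the real response before using it.

```python
import ipaddress
import json

# Constructed sample in the shape this example ASSUMES for the audit API
# response: one record per activity, carrying the caller's IP address and the
# authentication mechanism used. Field names and mechanism labels are
# illustrative, not the documented VSTS schema.
SAMPLE_AUDIT_JSON = """
[
  {"user": "alice@contoso.example", "activity": "Git.FetchPack",
   "ipAddress": "203.0.113.17", "authenticationMechanism": "AAD"},
  {"user": "bob@contoso.example", "activity": "Git.FetchPack",
   "ipAddress": "198.51.100.9", "authenticationMechanism": "PAT"},
  {"user": "carol@contoso.example", "activity": "Build.Queue",
   "ipAddress": "2001:db8:1::42", "authenticationMechanism": "OAuth"},
  {"user": "dave@contoso.example", "activity": "Git.FetchPack",
   "ipAddress": "not-an-ip", "authenticationMechanism": "PAT"},
  {"user": "erin@contoso.example", "activity": "Release.Approve",
   "ipAddress": "192.0.2.200", "authenticationMechanism": "AAD"}
]
"""

# Corporate egress ranges (constructed; use the ranges from the CAP IP policy).
CORPORATE_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

# Mechanisms the post says do not enforce CAP, i.e. anything other than the
# interactive AzureAD sign-in. The labels are assumed.
ALTERNATE_AUTH = {"PAT", "AlternateCredentials", "OAuth", "Basic"}


def is_corporate(ip, ranges=CORPORATE_RANGES):
    """True when the address falls inside one of the allowed ranges.
    Mixed IPv4/IPv6 comparisons simply evaluate to False."""
    return any(ip in net for net in ranges)


def flag_activity(records, ranges=CORPORATE_RANGES, alternate_auth=ALTERNATE_AUTH):
    """Return one finding per record that needs a human look.

    severity values:
      "cap-bypass"   outside the corporate ranges AND alternate auth: CAP was
                     never evaluated for this call, which is exactly the gap
      "external-aad" outside the corporate ranges but interactive AAD auth:
                     CAP should have blocked it, so check the policy scope
      "unparseable"  IP missing or malformed: cannot be evaluated, so it is
                     flagged rather than silently passed
    """
    findings = []
    for rec in records:
        try:
            ip = ipaddress.ip_address(rec.get("ipAddress"))
        except (TypeError, ValueError):
            findings.append({**rec, "severity": "unparseable"})
            continue
        if is_corporate(ip, ranges):
            continue
        mech = rec.get("authenticationMechanism", "")
        severity = "cap-bypass" if mech in alternate_auth else "external-aad"
        findings.append({**rec, "severity": severity})
    return findings


def analyze(audit_json, ranges=CORPORATE_RANGES, alternate_auth=ALTERNATE_AUTH):
    """Parse an audit response body and return its findings."""
    return flag_activity(json.loads(audit_json), ranges, alternate_auth)


def summarize(findings):
    """Count findings per severity, e.g. for an alert threshold."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    findings = analyze(SAMPLE_AUDIT_JSON)
    for f in findings:
        print(f"{f['severity']:<13} {f['user']:<24} {f['activity']:<16} "
              f"{f['ipAddress']} via {f['authenticationMechanism']}")
    print(summarize(findings))
```

Run against the constructed sample, the script reports bob's PAT fetch from 198.51.100.9 as a CAP bypass, dave's record as unparseable, and erin's AAD-authenticated approval from 192.0.2.200 as an external AAD sign-in worth checking against the policy; alice and carol are inside the ranges and produce nothing. Treating an unparseable address as a finding rather than skipping it matters: a monitor that drops malformed records is one that an attacker-controlled field could quietly blind.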