{"id":71341,"date":"2025-06-25T10:24:26","date_gmt":"2025-06-25T18:24:26","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/devops\/?p=71341"},"modified":"2025-09-11T10:01:01","modified_gmt":"2025-09-11T18:01:01","slug":"removing-azure-resource-manager-reliance-on-azure-devops-sign-ins","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/removing-azure-resource-manager-reliance-on-azure-devops-sign-ins\/","title":{"rendered":"Removing Azure Resource Manager reliance on Azure DevOps sign-ins"},"content":{"rendered":"

Azure DevOps will no longer depend on the Azure Resource Manager (ARM) resource (https:\/\/management.azure.com) when you sign in or refresh Microsoft Entra access tokens. Previously, Azure DevOps required the ARM audience during sign-in and token refresh flows. This requirement meant administrators had to allow all Azure DevOps users to satisfy ARM-based Conditional Access policies<\/a> to maintain access to ADO.<\/p>\n

Tokens for Azure DevOps no longer require the ARM audience. As a result, you can manage Azure DevOps access more effectively by creating Azure DevOps-specific Conditional Access policy instead of relying on the ARM Conditional Access policy to enforce access controls on ADO usage. These changes will go into effect on July 28, 2025<\/del> September 2, 2025 and make it to all organizations by September 18, 2025.<\/strong><\/p>\n

Does this impact me?<\/h2>\n

If you have previously set up a Conditional Access policy for Windows Azure Service Management API application<\/a>, this Conditional Access policy no longer covers Azure DevOps signins. You will need to setup a new ADO-exclusive Conditional Access policy in order to get continued coverage of Azure DevOps. \u00a0<\/p>\n

How do I set up a Conditional Access policy for Azure DevOps?<\/h2>\n

As a tenant admin, you can use Conditional Access policies<\/a> to block or grant user access to Azure resources if they meet certain conditions (e.g. have an accepted IP address, belong to specific Entra groups, access from a given device, etc.) or complete actions like multifactor authentication.<\/p>\n

To create a conditional access policy that targets the Azure DevOps resource specifically:<\/p>\n

    \n
  1. Go to the Azure Portal<\/strong><\/a> and find the “Microsoft Entra Conditional Access”<\/strong> service. <\/li>\n
  2. Select “Policies”<\/strong> on the right sidebar. <\/li>\n
  3. Select the “+ New policy”<\/strong> button. <\/li>\n
  4. Provide the policy a name and configure other settings as desired. <\/li>\n
  5. For the “Target resources”<\/strong> assignments, toggle “Select resources”<\/strong> and add the “Microsoft Visual Studio Team Services”<\/strong> or “Azure DevOps”<\/strong> resource (resource id: 499b84ac-1321-427f-aa17-267ca6975798<\/code>) to the list of target resources. <\/li>\n
  6. Select Save<\/strong> to apply this new policy.<\/li>\n<\/ol>\n

    \"Setup<\/a><\/p>\n

    Learn more about the different flavors of Conditional Access policies you can set by reading the Microsoft Entra docs<\/a>.<\/p>\n

    Notable exceptions<\/h3>\n

    Continued access to ARM is still required for the following Azure DevOps users:<\/p>\n

      \n
    • Billing administrators<\/strong> need access to ARM to set up billing and access subscriptions.<\/li>\n
    • Service Connection creators<\/strong> require access to ARM for ARM role assignments and updates to managed service identities (MSIs).<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"

      Azure DevOps will no longer depend on the Azure Resource Manager (ARM) resource (https:\/\/management.azure.com) when you sign in or refresh Microsoft Entra access tokens. Previously, Azure DevOps required the ARM audience during sign-in and token refresh flows. This requirement meant administrators had to allow all Azure DevOps users to satisfy ARM-based Conditional Access policies to […]<\/p>\n","protected":false},"author":43580,"featured_media":71827,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[224,1,251],"tags":[],"class_list":["post-71341","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure","category-devops","category-security"],"acf":[],"blog_post_summary":"

      Azure DevOps will no longer depend on the Azure Resource Manager (ARM) resource (https:\/\/management.azure.com) when you sign in or refresh Microsoft Entra access tokens. Previously, Azure DevOps required the ARM audience during sign-in and token refresh flows. This requirement meant administrators had to allow all Azure DevOps users to satisfy ARM-based Conditional Access policies to […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/71341","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/users\/43580"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/comments?post=71341"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/71341\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media\/71827"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media?parent=71341"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/categories?post=71341"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/tags?post=71341"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}