{"id":72539,"date":"2026-03-11T15:46:28","date_gmt":"2026-03-11T23:46:28","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/devops\/?p=72539"},"modified":"2026-04-15T09:50:19","modified_gmt":"2026-04-15T17:50:19","slug":"temporary-rollback-build-identities-can-access-advanced-security-read-alerts-again","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/temporary-rollback-build-identities-can-access-advanced-security-read-alerts-again\/","title":{"rendered":"Temporary rollback: build identities can access Advanced Security: read alerts again"},"content":{"rendered":"

If you use build service identities like Project Collection Build Service<\/code> to call Advanced Security APIs, the Advanced Security permission changes in Sprint 269<\/a> broke that. We restricted API access for build identities as a security improvement but failed to provide an early notice for customers that relied upon this for various automations.<\/p>\n

We’re rolling it back temporarily. The restriction will be re-enforced on May 15, 2026.<\/strong><\/p>\n

What you should do<\/h2>\n

Action is required. The recommended path is a service principal with Advanced Security: Read alerts<\/strong> permissions for your Advanced Security-enabled repositories. Scope it narrowly, and if the service principal isn’t committing code, it won’t consume an Advanced Security committer license.<\/p>\n

Status checks in Sprint 272<\/h3>\n

We’re also shipping status checks<\/strong> soon, which give teams a native way to gate on security posture without API-driven alert mutations from pipeline identities.<\/p>\n

April 15, 2026 update:<\/strong> the rollout of this feature has been delayed and will now be rolled out early to mid-May, ahead of the permission restriction date.<\/p>\n

\"ado<\/a><\/p>\n

This won’t replace every automation scenario, though it enables pull request-time blocking on the presence of high and critical alerts.<\/p>\n

Have feedback or hitting gaps moving to a service principal? Let us know<\/a>.<\/p>\n

\n

Action required by April 15<\/strong>: move API automation to a service principal with Advanced Security: Read alerts<\/strong> or watch for status checks in Sprint 272.<\/p>\n","protected":false},"excerpt":{"rendered":"

If you use build service identities like Project Collection Build Service to call Advanced Security APIs, the Advanced Security permission changes in Sprint 269 broke that. We restricted API access for build identities as a security improvement but failed to provide an early notice for customers that relied upon this for various automations. We’re rolling […]<\/p>\n","protected":false},"author":177424,"featured_media":45953,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[226,1,251],"tags":[],"class_list":["post-72539","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ci","category-devops","category-security"],"acf":[],"blog_post_summary":"

If you use build service identities like Project Collection Build Service to call Advanced Security APIs, the Advanced Security permission changes in Sprint 269 broke that. We restricted API access for build identities as a security improvement but failed to provide an early notice for customers that relied upon this for various automations. We’re rolling […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/72539","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/users\/177424"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/comments?post=72539"}],"version-history":[{"count":1,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/72539\/revisions"}],"predecessor-version":[{"id":72672,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/72539\/revisions\/72672"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media\/45953"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media?parent=72539"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/categories?post=72539"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/tags?post=72539"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}