Improving the authentication experience for enterprises leveraging Conditional Access policies
As part of the Visual Studio 2019 16.6 update, we’ve introduced a set of new capabilities to improve your overall authentication experience. While these changes benefit all Visual Studio users, they are especially helpful if you need to work across Azure AD tenants that have enabled multi-factor authentication (MFA) policies. That’s because these improvements help preserve your authenticated state, which removes the need to re-enter your credentials outside your organization’s policy requirements.
With today’s demands for more secure environments, Conditional Access (CA) policies such as MFA have become more commonplace. Azure AD offers a wide range of CA policies to secure access to your resources. While Visual Studio 2017 supported these policies, if you work across multiple MFA-enabled tenants, you likely had to constantly re-enter your credentials inside Visual Studio. Today, I’ll show you how we’ve resolved the problem in the latest version of Visual Studio 2019.
System web browser authentication flow
Perhaps the most impactful change we made is to allow you to use your system’s default web browser to authenticate your accounts. If you access resources across multiple tenants that have enabled MFA policies, using this new flow should help minimize the need to re-enter credentials.
To enable this workflow, go to Visual Studio’s Options dialog (Tools > Options…), select the Accounts tab, and pick “System web browser” under the “Add and reauthenticate accounts using:” dropdown.
Once the option is enabled, you can sign in or add accounts to Visual Studio as you normally would, via the Account Settings dialog (File > Account Settings…).
This action will open your system’s default web browser, ask you to sign into your account, and validate any pending MFA request.
While this will help minimize the need to re-enter your credentials, please note that Visual Studio may still prompt for credentials based on your company’s CA session management policies.
Individual tenant filtering
Previous versions of Visual Studio offered the option of scoping down to a single Azure AD tenant by applying a filter. While helpful, the filter didn’t allow multi-select, so you had to constantly switch it to fit your needs. In addition, your selection had no impact on your authentication experience, as you still needed to authenticate against all your tenants.
You might be happy to know that we have redesigned the filtering experience. The new version allows you to multi-select tenants, and your selection now affects your authentication experience. For example, applying a filter removes the need to authenticate against tenants not selected by the filter and hides their respective resources from Visual Studio.
To filter out tenants, open the Account Settings dialog (File > Account Settings…) and click Apply filter.
The Filter account dialog will appear, allowing you to select which tenants you want to use with your account.
Authenticate across all tenants on signing-in
Based on your company’s CA policies, tenants on your account could be associated with a very strict set of policies such as a specific IP range or a domain join requirement. If you already know you won’t be able to meet those requirements, attempting to authenticate against these tenants will negatively impact your productivity.
To avoid dealing with those tenants, you can now disable the “Authenticate across all Azure Active Directories on signing-in” option. Disabling the option allows you to authenticate only with your account’s default tenant (if you are using a Work or School account, it will likely be the organization’s tenant), and ignore or filter out all other tenants. Consequently, sign-in operations, such as when launching Visual Studio, will be faster. However, it also means that you need to manually select any additional tenants you’d like to work with, allowing you to fully customize the tenants and resources that will show up in Visual Studio.
You can select this capability in the dialog that’s presented when you first launch Visual Studio.
You can also choose this option via the Options dialog (Tools > Options… > Accounts).
Try it out and let us know what you think!
We are eager to know how these features fit your workflow and account configurations. Send us feedback via the Developer Community portal, or via the Help > Send Feedback feature inside Visual Studio. We’d love to know how to further improve your experience!