Lock It Down: Protect Azure DevOps with CA

Let’s be honest—when something just works, it’s easy to forget what’s happening behind the scenes. That’s often the case with Conditional Access in Microsoft Entra. But sometimes, the rules change—and it’s up to us to act before it impacts our users.

Here’s one of those moments.

🚨 What’s going on?

Microsoft is changing how Conditional Access (CA) applies to Azure DevOps sign-ins. Starting September 4, 2025, the protections we’ve long relied on—those tied to the Windows Azure Service Management API—will no longer cover Azure DevOps access.

To stay secure, you now need to explicitly include Azure DevOps (App ID: 499b84ac-1321-427f-aa17-267ca6975798) in your Conditional Access policies.

This is a quiet but important shift. If your organization uses Azure DevOps (and who doesn’t these days?), ignoring this could leave a critical service open to sign-ins without MFA, without device compliance checks, or worse—without any policy applied at all.

💡 Why this matters

I like to think of Conditional Access as the digital equivalent of a security checkpoint. But what if the entrance changed and the checkpoint didn’t move with it? That’s what’s happening here.

Until now, Azure DevOps was “covered” because it used the Azure Resource Manager path for authentication. But Microsoft is decoupling that. From September 4 onwards, you must target Azure DevOps directly—or you’ll miss it entirely.

🧭 What you need to do

Don’t worry—this won’t take long. Here’s how to make sure your security policies keep working as expected:

1. Review your current Conditional Access policies

  • Specifically check if any of them target the Windows Azure Service Management API (App ID: 797f4846-ba00-4fd7-ba43-dac1f8f63013).
  • These policies will no longer apply to Azure DevOps.

2. Update those policies to include Azure DevOps

  • Go to the Microsoft Entra admin center.
  • Navigate to Entra ID > Conditional Access > Policies.
  • Select the relevant policy.
  • Under Target resources, click Select apps and add Azure DevOps (App ID: 499b84ac-1321-427f-aa17-267ca6975798).
  • Save your changes.

3. Use sign-in logs to verify

  • Go to Entra ID > Monitoring > Sign-in logs to track whether Azure DevOps sign-ins are being evaluated correctly by the updated policies.

4. Check your licensing

  • You’ll need Microsoft Entra ID P1 or P2 to use Conditional Access. If you’re unsure, this is a great time to review your current setup.

👀 A few things to keep in mind

  • If your policies already target all users and all cloud apps, and you haven’t excluded Azure DevOps, you’re probably good. Still worth double-checking.
  • In some tenants, the app might show up as Microsoft Visual Studio Team Services—but the App ID is the same.
  • This change doesn’t affect user experience or the UI—it’s purely a policy targeting update.
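If you have many policies, the review in steps 1 and 2 can also be done offline against an export. The following is an added example, not part of the original post: it assumes the policies were exported as JSON in the shape of the Microsoft Graph conditionalAccessPolicy resource (for instance from `GET /identity/conditionalAccess/policies`), and the sample policies and status labels are constructed for illustration.

```python
# Added example (not from the original post): offline audit of exported CA policies.
ARM_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"     # Windows Azure Service Management API
DEVOPS_APP_ID = "499b84ac-1321-427f-aa17-267ca6975798"  # Azure DevOps


def classify(policy):
    """Classify one policy by how its target resources relate to Azure DevOps."""
    apps = (policy.get("conditions") or {}).get("applications") or {}
    included = {a.lower() for a in apps.get("includeApplications") or []}
    excluded = {a.lower() for a in apps.get("excludeApplications") or []}
    if DEVOPS_APP_ID in excluded:
        return "devops-excluded"      # explicit exclusion: confirm it is intentional
    if "all" in included or DEVOPS_APP_ID in included:
        return "covers-devops"        # "All" is the all-cloud-apps target
    if ARM_APP_ID in included:
        return "add-devops"           # relied on the Service Management API target
    return "unrelated"


def audit(policies):
    """Return (displayName, state, status) for every policy that needs a look."""
    return [
        (p.get("displayName"), p.get("state"), status)
        for p in policies
        if (status := classify(p)) in ("add-devops", "devops-excluded")
    ]


# Constructed sample data; policy names are hypothetical.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for Azure management", "state": "enabled",
     "conditions": {"applications": {"includeApplications": [ARM_APP_ID]}}},
    {"displayName": "Require MFA for all apps", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"]}}},
    {"displayName": "Compliant device for all apps", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"],
                                     "excludeApplications": [DEVOPS_APP_ID]}}},
    {"displayName": "MFA for management and DevOps",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeApplications": [ARM_APP_ID, DEVOPS_APP_ID]}}},
]

if __name__ == "__main__":
    for name, state, status in audit(SAMPLE_POLICIES):
        print(f"{status:16} {state:10} {name}")
```

Policies reported as `add-devops` are the ones to update in step 2; `devops-excluded` ones deserve a check that the exclusion is deliberate. A policy in report-only or disabled state does not enforce anything even when its targeting is correct, which is why the state is printed alongside.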

🗣️ My advice: Don’t delay

I always say: A secure environment is built on proactive action, not hopeful assumptions. 

This update is a small change with big implications. You don’t want to be the admin who finds out too late that MFA wasn’t enforced for DevOps.

So grab a coffee, open your Entra admin center, and check those CA policies. It’ll take you 10 minutes—but it could save your team hours of troubleshooting and risk management down the line.

And if you’re working in a team: share this post with your fellow admins or your security lead. Let’s keep each other sharp.

We’ve got this—let’s stay secure together. 💪

About the Author

Rene Vlieger


MVP | MCT | MS365NEWS.COM | Consultancy | Pre-Sales | Compliance | Governance | Security | Copilot | Microsoft 365

Reference:

Vlieger, R (2025). Lock It Down: Protect Azure DevOps with CA. Available at: Lock It Down: Protect Azure DevOps with CA [Accessed: 7th August 2025].
