check before: 2025-09-04
Product:
Entra, Microsoft 365 admin center, Microsoft 365 Apps, Windows
Platform:
Online, World tenant
Status:
Change type:
Admin impact, Feature update, Updated message, User impact
Links:
Details:
Summary:
Microsoft Entra will stop applying Conditional Access policies via Azure Resource Manager for Azure DevOps sign-ins starting September 2, 2025, fully enforced by September 18. Organizations must update policies to explicitly include Azure DevOps (App ID: 499b84ac-1321-427f-aa17-267ca6975798) to maintain secure access.
Details:
Updated September 4, 2025: We have updated the timeline. Thank you for your patience.
Introduction
Microsoft Entra is updating how Conditional Access (CA) policies apply to Azure DevOps sign-ins. Azure DevOps will no longer rely on the Azure Resource Manager (ARM) resource during sign-in or token refresh flows. This change ensures that access controls are applied directly to Azure DevOps. Organizations must update their Conditional Access policies to explicitly include Azure DevOps to maintain secure access.
When this will happen
This change will take effect starting September 2, 2025, and will be fully enforced by September 18, 2025 (previously September 4), across all environments.
How does this affect your organization?
If your organization has Conditional Access policies targeting the Windows Azure Service Management API (App ID: 797f4846-ba00-4fd7-ba43-dac1f8f63013), those policies will no longer apply to Azure DevOps sign-ins. This may result in unprotected access unless these policies are updated to include Azure DevOps (App ID: 499b84ac-1321-427f-aa17-267ca6975798).
Access controls such as MFA or compliant device requirements may not be enforced unless policies are updated.
If you already have a policy that targets all users and all cloud apps and does not explicitly exclude Azure DevOps, no action is required; Azure DevOps sign-ins will continue to be protected.
This change does not introduce any new user-facing experience or UI changes.
Sign-in activity can be monitored using Microsoft Entra ID sign-in logs.
Licensing requirement: Microsoft Entra ID P1 or P2 is required. There are no functional differences by license type. This is a feature change, not a new feature, so trial or preview options are not applicable.
Unlicensed users may also be impacted.
Existing Conditional Access policies will be affected, specifically those targeting the Windows Azure Service Management API.
A small subset of tenants may see the app name as "Microsoft Visual Studio Team Services" instead of "Azure DevOps"; the App ID remains the same.
What do you need to do to prepare?
To ensure continued protection of Azure DevOps sign-ins, administrators should:
- Review existing Conditional Access policies: identify any policies that target the Windows Azure Service Management API.
- Update policies to include Azure DevOps:
  - Go to the Entra admin center.
  - Navigate to Entra ID > Conditional Access > Policies.
  - Select the relevant policy.
  - Under Target resources, choose Select resources and add Azure DevOps (App ID: 499b84ac-1321-427f-aa17-267ca6975798).
  - Save the policy.
- Use Entra ID group membership to scope policies to specific users or groups.
- Monitor sign-in activity using Entra ID sign-in logs.
- Review licensing requirements: Conditional Access requires Microsoft Entra ID P1 or higher. Organizations without the required license may explore trial options.
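The policy review in the first step can be scripted against an export of the tenant's Conditional Access policies. The following is an added example, not part of the Microsoft message or this site's own content; it assumes policies in the Microsoft Graph conditionalAccessPolicy JSON shape, and the function names and sample policies are constructed for illustration.

```python
# Added example: find Conditional Access policies affected by the Azure DevOps change.
# Assumes policy dicts shaped like the Microsoft Graph conditionalAccessPolicy resource
# (for instance a JSON export of the tenant's policies). Sample data is constructed.
ARM_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"     # Windows Azure Service Management API
DEVOPS_APP_ID = "499b84ac-1321-427f-aa17-267ca6975798"  # Azure DevOps

def classify(policy):
    """Return 'covers', 'gap', 'excluded' or 'unrelated' for one policy."""
    apps = policy.get("conditions", {}).get("applications", {})
    include = {a.lower() for a in apps.get("includeApplications") or []}
    exclude = {a.lower() for a in apps.get("excludeApplications") or []}
    targets_arm = "all" in include or ARM_APP_ID in include
    if DEVOPS_APP_ID in exclude:
        # An explicit exclusion wins over "All" or an explicit include.
        return "excluded" if targets_arm else "unrelated"
    if "all" in include or DEVOPS_APP_ID in include:
        return "covers"
    return "gap" if ARM_APP_ID in include else "unrelated"

def audit(policies):
    """Return (findings, protected): policies needing review, and whether any
    enabled policy already covers Azure DevOps. User/group scoping is not evaluated."""
    findings = [(p["displayName"], p.get("state"), classify(p))
                for p in policies if classify(p) in ("gap", "excluded")]
    protected = any(p.get("state") == "enabled" and classify(p) == "covers"
                    for p in policies)
    return findings, protected

SAMPLE_POLICIES = [  # constructed for illustration, not real tenant data
    {"displayName": "MFA for Azure management", "state": "enabled",
     "conditions": {"applications": {"includeApplications": [ARM_APP_ID]}}},
    {"displayName": "Compliant device - all apps",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeApplications": ["All"],
                                     "excludeApplications": [DEVOPS_APP_ID]}}},
    {"displayName": "MFA for Azure + DevOps", "state": "disabled",
     "conditions": {"applications": {"includeApplications": [ARM_APP_ID, DEVOPS_APP_ID]}}},
    {"displayName": "Block legacy auth - Office", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["Office365"]}}},
]

if __name__ == "__main__":
    findings, protected = audit(SAMPLE_POLICIES)
    for name, state, verdict in findings:
        print(f"{verdict}: {name} (state={state})")
    print("Azure DevOps covered by an enabled policy:", protected)
```

A "gap" policy needs Azure DevOps added as a target resource; an "excluded" policy is the all-cloud-apps case that the message says is not automatically protected. The sample tenant reports no enabled coverage because its only covering policy is disabled.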
Learn more:
Removing Azure Resource Manager reliance on Azure DevOps sign-ins | Azure DevOps Blog
What is Conditional Access? | Conditional Access | Microsoft Entra ID | Microsoft Learn
Compliance considerations
No compliance considerations identified, review as appropriate for your organization.
Release Phase:
Created:
2025-07-29
updated:
2025-09-05
Direct effects for Operations**
Loss of Access Control
If Conditional Access policies are not updated, Azure DevOps sign-ins may not enforce MFA or compliant device requirements, leading to potential unauthorized access.
- roles: IT Administrators, Security Officers
- references: https://devblogs.microsoft.com/devops/removing-azure-resource-manager-reliance-on-azure-devops-sign-ins/
Increased Security Risks
Unprotected access to Azure DevOps could expose sensitive data and increase the risk of security breaches if policies are not updated.
- roles: IT Administrators, Compliance Officers
- references: https://learn.microsoft.com/entra/identity/conditional-access/overview
User Experience Disruption
Users may experience sign-in failures or access issues if their accounts are not covered by updated Conditional Access policies, impacting productivity.
- roles: End Users, IT Support Staff
- references: https://devblogs.microsoft.com/devops/removing-azure-resource-manager-reliance-on-azure-devops-sign-ins/
Licensing Issues
Organizations without the required Microsoft Entra ID P1 or higher may face access issues, affecting users' ability to sign in to Azure DevOps.
- roles: IT Administrators, Finance Officers
- references: https://learn.microsoft.com/entra/identity/conditional-access/overview
Monitoring Challenges
Without updated policies, monitoring sign-in activity may become ineffective, making it difficult to track unauthorized access attempts.
- roles: Security Officers, IT Administrators
- references: https://devblogs.microsoft.com/devops/removing-azure-resource-manager-reliance-on-azure-devops-sign-ins/
Opportunities**
Enhanced Security Monitoring
With the update to Conditional Access policies, organizations can implement more granular security controls by explicitly including Azure DevOps in their policies. This allows for improved monitoring of sign-in activities and potential security threats related to Azure DevOps access.
- next-steps: Administrators should review current Conditional Access policies and integrate Azure DevOps explicitly. Utilize the Entra ID sign-in logs for monitoring and reporting purposes.
- roles: IT Security Manager, Compliance Officer, System Administrator
- references: https://devblogs.microsoft.com/devops/removing-azure-resource-manager-reliance-on-azure-devops-sign-ins/, https://learn.microsoft.com/entra/identity/conditional-access/overview
User Access Management Optimization
By scoping Conditional Access policies to specific user groups, organizations can optimize user access management, ensuring that only the necessary personnel have access to Azure DevOps, thereby reducing the risk of unauthorized access.
- next-steps: Utilize Entra ID group memberships to define and scope Conditional Access policies to relevant user groups, and regularly review group memberships for accuracy.
- roles: IT Administrator, HR Manager, Project Manager
- references: https://devblogs.microsoft.com/devops/removing-azure-resource-manager-reliance-on-azure-devops-sign-ins/, https://learn.microsoft.com/entra/identity/conditional-access/overview
Cost Management through Licensing Review
As organizations prepare for the changes in Conditional Access, they have an opportunity to review their licensing requirements and ensure they are not overspending on unnecessary licenses. Organizations can explore trial options for Microsoft Entra ID P1 or P2 if they are currently unlicensed.
- next-steps: Conduct an audit of current licenses to assess compliance with the new requirements and identify any potential cost-saving opportunities by adjusting license levels or consolidating licenses where possible.
- roles: Finance Manager, IT Manager, Compliance Officer
- references: https://devblogs.microsoft.com/devops/removing-azure-resource-manager-reliance-on-azure-devops-sign-ins/, https://learn.microsoft.com/entra/identity/conditional-access/overview
** AI generated content. This information must be reviewed before use.
change history
| Date | Property | old | new |
| 2025-09-05 | MC MessageTagNames | Feature update, User impact, Admin impact | Updated message, Feature update, User impact, Admin impact |
| 2025-09-05 | MC Summary | Microsoft Entra requires updating Conditional Access policies by September 4, 2025, to explicitly include Azure DevOps (App ID: 499b84ac-1321-427f-aa17-267ca6975798) for secure sign-ins. Policies targeting the Windows Azure Service Management API will no longer protect Azure DevOps access. Microsoft Entra ID P1 or higher license is needed. | Microsoft Entra will stop applying Conditional Access policies via Azure Resource Manager for Azure DevOps sign-ins starting September 2, 2025, fully enforced by September 18. Organizations must update policies to explicitly include Azure DevOps (App ID: 499b84ac-1321-427f-aa17-267ca6975798) to maintain secure access. |
| 2025-09-05 | MC Last Updated | 07/29/2025 01:50:06 | 2025-09-04T21:48:11Z |
| 2025-09-05 | MC Title | Microsoft Entra: Action Required – Update Conditional Access Policies for Azure DevOps Sign-ins | (Updated) Microsoft Entra: Action Required – Update Conditional Access Policies for Azure DevOps Sign-ins |
| 2025-09-05 | MC End Time | 10/04/2025 09:00:00 | 2025-10-27T08:00:00Z |