Securing VSTS with Azure Conditional Access: A Step‑by‑Step Guide
This article explains how to protect Visual Studio Team Services (VSTS) by integrating Azure Conditional Access, covering account binding, rule creation, user and group selection, condition settings such as sign‑in risk and location, and testing the resulting access restrictions.
Visual Studio Team Services (VSTS), now part of Azure DevOps, offers powerful version‑control, CI/CD, and project‑management features, but its cloud‑based nature raises security concerns about unauthorized code access.
By leveraging Azure Conditional Access—a policy engine managed through Azure AD—organizations can enforce granular access controls for VSTS. First, bind the VSTS account to an Azure AD tenant via the Team Services accounts portal and ensure the same Subscription is used for both services.
Once the prerequisites are satisfied, navigate to the Azure AD → Conditional Access blade and create a new policy. The policy consists of two parts: Assignments (who and what) and Access controls (what actions are allowed).
In the Assignments section, select users or groups (typically all users, with optional exclusions), and specify cloud applications—choose VSTS and, if needed, other SaaS apps such as Office 365 or HockeyApp.
Next, define Conditions such as:
Sign‑in risk
Device platform (Windows, macOS, iOS, Android, etc.)
Location – configure trusted IP ranges using CIDR notation (e.g., 192.168.0.0/24) and add them via ipaddressguide.com/cidr
Client app (browser, mobile app, etc.)
After setting conditions, choose the Access control action, such as Block access for non‑compliant requests. Save the policy and test it by signing in to VSTS from a location or device that does not meet the criteria; you will see a warning page indicating the sign‑in is blocked.
If certain IP addresses should be allowed, add them to the Exclude list, or combine with device‑based grants via Microsoft Intune for a hybrid conditional‑access scenario.
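The following is an added example, not part of the original article: a local pre-check for the CIDR ranges you plan to enter as trusted locations, plus a simulation of the "block everywhere except excluded ranges" decision. It assumes Azure AD evaluates the public address a sign-in arrives from, so private ranges such as 192.168.0.0/24 can never match; the function names, the `MIN_PREFIX` threshold and the sample ranges are hypothetical.

```python
import ipaddress

# Ranges a cloud identity provider never sees as a sign-in source address.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]
MIN_PREFIX = 16  # assumed local review threshold, not an Azure AD limit


def review_range(entry):
    """Return (network_or_None, findings) for one candidate trusted range."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None, ["rejected: not valid CIDR"]
    findings = []
    if str(net) != entry:
        findings.append(f"note: normalised to {net}")
    if net.version == 4 and net.prefixlen < MIN_PREFIX:
        return None, findings + [f"rejected: broader than /{MIN_PREFIX}"]
    if any(net.overlaps(r) for r in NON_ROUTABLE):
        return None, findings + ["rejected: non-routable, never matches a sign-in"]
    return net, findings


def build_trusted(entries):
    """Review every entry; return (accepted networks, per-entry findings)."""
    trusted, report = [], {}
    for entry in entries:
        net, report[entry] = review_range(entry)
        if net is not None:
            trusted.append(net)
    return trusted, report


def decide(source_ip, trusted):
    """Mirror the policy: block all locations except the excluded trusted ranges."""
    addr = ipaddress.ip_address(source_ip)
    return "allow" if any(addr in net for net in trusted) else "block"


# Constructed sample input (documentation ranges stand in for office egress IPs).
CANDIDATES = ["192.168.0.0/24", "203.0.113.0/24", "198.51.100.17/24",
              "0.0.0.0/1", "office-lan"]

if __name__ == "__main__":
    trusted, report = build_trusted(CANDIDATES)
    for entry, findings in report.items():
        print(entry, "->", findings or ["ok"])
    for ip in ("203.0.113.40", "192.168.0.10", "192.0.2.5"):
        print(ip, decide(ip, trusted))
```

Running the check offline also avoids pasting internal address plans into a third-party calculator site.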
By combining these settings, organizations can significantly harden VSTS usage, aligning security policies with corporate requirements while still enabling seamless DevOps workflows.