Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Features
- Only organizations with existing public projects can create new ones
- Azure DevOps login flow no longer relies on Azure Resource Manager audience
- Continuous Access Evaluation on Azure DevOps
Only organizations with existing public projects can create new ones
Starting this sprint, only organizations that already have the Allow public projects policy enabled can continue using it. The policy does not change for existing customers.
Microsoft recommends using GitHub for all your public project needs.
Azure DevOps login flow no longer relies on Azure Resource Manager audience
We've removed a dependency on the Azure Resource Manager (ARM) resource (https://management.azure.com) when logging in or refreshing Entra access tokens used to access Azure DevOps. The ARM resource is often associated with the Azure portal (https://portal.azure.com), and admins may want to restrict which users in their tenant can access the portal through Conditional Access policy (CAP) enforcement.
Due to Azure DevOps previous reliance on ARM, admins had to permit all Azure DevOps users to bypass the ARM CAPs in order to use Azure DevOps. This is no longer necessary as we've removed the ARM resource audience requirement during signin and refresh token flows.
There remain a couple of notable exceptions — the following user groups may need continued access to ARM:
- Billing admins need access to ARM to setup billing and access subscriptions
- Service Connection creators require continued access to ARM for ARM role assignment and updates to MSIs
Continuous Access Evaluation on Azure DevOps
Azure DevOps now supports Continuous Access Evaluation (CAE), enabling near real-time enforcement of Conditional Access policies through Microsoft Entra ID. This enhancement allows Azure DevOps to instantly revoke access when critical events occur—such as user disablement, password resets, or location/IP changes—without waiting for token expiration. Real-time enforcement means that compromised accounts or policy violations are addressed as soon as we learn of the event, reducing exposure windows and improving incident response. Developers using CAE-capable client libraries .NET now available, Python and Go to come) must handle claims challenges and update sign-in flows accordingly. General availability begins August 2025 following phased rollout for all customers.
Next steps
Note
These features will roll out over the next two to three weeks.
Head over to Azure DevOps and take a look.
How to provide feedback
We would love to hear what you think about these features. Use the help menu to report a problem or provide a suggestion.
You can also get advice and your questions answered by the community on Stack Overflow.