I think Azure DevOps SSH has no PQC / hybrid KEX support today, and Microsoft has not published any timeline for adding it.
When will Azure DevOps SSH support post-quantum key exchange?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 95%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERC%3C/text%3E%3C/svg%3E)
Raphael Cadieux-Paquin
0
Reputation points
I am using Git over SSH with Azure DevOps via ssh.dev.azure.com.
With OpenSSH 10.2, Git operations show a warning that the connection is not using a post-quantum key exchange algorithm. When testing the SSH endpoint, Azure DevOps appears to offer only classical Diffie-Hellman key exchange algorithms, not post-quantum or hybrid algorithms such as mlkem768x25519-sha256.
My question is: does Azure DevOps SSH currently support post-quantum or hybrid key exchange? If not, is there a planned timeline or roadmap for adding support for ML-KEM/Kyber or another post-quantum SSH key exchange algorithm?
Given Azure DevOps' role as a major enterprise development platform, we would expect support for modern security features like post-quantum or hybrid SSH key exchange, or at least a clear roadmap for when such support will be available.
Azure DevOps
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 77%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
Rakesh Mishra 9,420 Reputation points Microsoft External Staff Moderator2026-05-27T23:00:21.8733333+00:00 Hello Raphael, I hope you checked my last response, and it was helpful. Please do let me know if you need any further assistance on this.
Please accept
as Yes if the answer is helpful so that it can help others in the community.
Sign in to comment
2 answers
Sort by: Most helpful
-
Rakesh Mishra 9,420 Reputation points Microsoft External Staff Moderator
2026-05-22T00:01:19.62+00:00 Hello Raphael,
Thank you for reaching out on the Microsoft Q&A portal.
You are correct in your observation. Currently, the Azure DevOps Microsoft-hosted Git SSH endpoint (
ssh.dev.azure.com) relies on classical key exchange algorithms (such as Diffie-Hellman and ECDH) and does not yet support post-quantum or hybrid key exchange algorithms (likemlkem768x25519-sha256orsntrup761x25519-sha512).When connecting with OpenSSH versions 10.1 or 10.2, the SSH client proactively warns users if a post-quantum Key Encapsulation Mechanism (KEM) is not negotiated. Although this warning is shown, your connection is still securely established using the standard, supported SSH encryption algorithms.
According to the official Azure Repos - Use SSH key authentication documentation:
We currently support the following public key types:
- RSA
- DSA
- ECDSA
- ED25519"
Presently, there is no publicly published timeline or roadmap for adding Post-Quantum Cryptography (PQC) algorithms to Azure DevOps SSH. As Microsoft continues to align with NIST post-quantum standards across its infrastructure, we expect future updates to eventually cover Azure Repos endpoints.
If this feature is a priority/blocker for your enterprise, we highly recommend submitting an active feature request directly on the Visual Studio Developer Community. The product engineering teams actively monitor these requests to prioritize roadmap additions based on community impact.
In the meantime, the connection remains highly safe under current cryptographic standards, and the OpenSSH warning can simply be ignored.
Hope this helps clarify the current state! Let us know in comments if you have any follow-up questions.
Note: This response is generated with the help of AI systems.