Limit access to just Visual Studio Team Services using Azure Active Directory Premium

By leveraging Conditional Access Policies of Azure Active Directory (AAD) Premium, it's possible to add external users to your AAD and limit them to just Visual Studio Team Services (VSTS).

You'll need:

  • An Azure subscription
  • AAD Premium (you can get a trial if you just want to try this out)
  • A VSTS account backed by the Premium AAD
  • An external user you can invite to your AAD \ VSTS (someone not native to the AAD)


Here's how I set up a demo (pictures below, too):

  1. In, enabled AAD Premium on
  2. Created a native AAD user - - who was a global admin
  3. Invited to the AAD and accepted that invite via mail at
  4. Back in, created an AAD group named "B2B Users" and added to it
  5. Logged into as and created a new VSTS account. Because I logged in there as a member, my new VSTS was backed by that AAD when it was created.
  6. Logged into my VSTS as (the owner) and added to it, on the Users Hub
  7. In a different browser (not another instance, but another software browser) I logged into VSTS as successfully. This was just to confirm all was working up to this point.
  8. Back in AAD on I set up a new Conditional Access Policy designed to permit to *only* access VSTS. Screenshots below.
  9. With the Conditional Access Policy enabled, back in my VSTS browser instance as I signed out and then tried to sign back in. Still worked.

At this point you might be wondering what the point is. To see what happens when VSTS and Microsoft Azure Management are *not* included in the exceptions list for that Conditional Access Policy, edit it and remove them. The next time any member of the "B2B Users" group tries to log into a VSTS account backed by that AAD, they'll see something like the message pictured below ("You don't have access to this").

You can use a variation on this process to let AAD groups into only VSTS, or let them into everything but VSTS.
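
The policy logic described above, as an added example that is not part of the original post: a simplified Python model of how a block policy with an exceptions list decides a sign-in, covering the step 8 policy, the same policy with its exceptions removed, and the "everything but VSTS" variation. Field names follow the Microsoft Graph `conditionalAccessPolicy` resource; every ID is a constructed placeholder, and only group and cloud-app conditions with a block control are modelled (an assumption of this sketch).

```python
# Simplified model (assumption): only group/app conditions and a "block"
# grant control are evaluated. Field names follow the Microsoft Graph
# conditionalAccessPolicy resource. All IDs are constructed placeholders.
B2B_GROUP = "group-b2b-users-placeholder"
VSTS_APP = "app-vsts-placeholder"
AZURE_MGMT_APP = "app-azure-management-placeholder"
OTHER_APP = "app-other-placeholder"

def make_policy(include_apps, exclude_apps):
    """Build a block policy scoped to the "B2B Users" group."""
    return {
        "state": "enabled",
        "conditions": {
            "users": {"includeGroups": [B2B_GROUP], "excludeGroups": []},
            "applications": {
                "includeApplications": list(include_apps),
                "excludeApplications": list(exclude_apps),
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def is_blocked(policy, user_groups, app_id):
    """Return True when the policy applies to this sign-in and blocks it."""
    if policy["state"] != "enabled":
        return False
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    groups = set(user_groups)
    in_scope_user = bool(groups & set(users["includeGroups"])) and not (
        groups & set(users["excludeGroups"]))
    included = ("All" in apps["includeApplications"]
                or app_id in apps["includeApplications"])
    in_scope_app = included and app_id not in apps["excludeApplications"]
    return (in_scope_user and in_scope_app
            and "block" in policy["grantControls"]["builtInControls"])

# Step 8: block every cloud app except VSTS and Microsoft Azure Management.
ONLY_VSTS = make_policy(["All"], [VSTS_APP, AZURE_MGMT_APP])
# Same policy with the exceptions removed: VSTS sign-in is now blocked too.
NO_EXCEPTIONS = make_policy(["All"], [])
# Variation: block only VSTS and leave every other app reachable.
ALL_BUT_VSTS = make_policy([VSTS_APP], [])

if __name__ == "__main__":
    for name, pol in (("only VSTS", ONLY_VSTS), ("no exceptions", NO_EXCEPTIONS)):
        print(name, "-> VSTS blocked:", is_blocked(pol, [B2B_GROUP], VSTS_APP))
```

Users outside the "B2B Users" group are never in scope, so the model leaves their sign-ins alone regardless of the application list.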

I hope you find this helpful.

Azure AD Conditional Access Policy to let members of AAD group "B2B Users" access *only* VSTS