Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Microsoft Dev Box gives you an alternative connectivity method on top of Dev tunnels. You can develop remotely while coding locally or keep development going during Azure Virtual Desktop (AVD) outages or poor network performance. Many large enterprises using Dev Box have strict security and compliance policies, and their code is valuable to their business. Restricting Dev tunnels with conditional access policies is crucial for these controls.
Conditional access policies for the Dev tunnels service:
- Let Dev tunnels connect from managed devices, but deny connections from unmanaged devices.
- Let Dev tunnels connect from specific IP ranges, but deny connections from other IP ranges.
- Support other regular conditional access configurations.
- Apply to both the Visual Studio Code application and VS Code web.
Configure conditional access
The conditional access policies work correctly for the Dev tunnels service. Because registering the Dev tunnels service app to a tenant and making it available to the conditional access picker is unique, this article documents the steps.
Register Dev tunnels service to a tenant
According to Application and service principal objects in Microsoft Entra ID, a service principal is created in each tenant where an application is used. However, this doesn't apply to the Dev tunnels service. The Dev tunnels service is a Microsoft service, and the service principal is created in the Microsoft Entra ID tenant where the Dev tunnels service is registered. The Dev tunnels service app isn't registered to your tenant by default, so you need to register it manually.
Therefore, we're using Microsoft.Graph PowerShell to register the app to a tenant.
Install PowerShell 7.x
Follow Install the Microsoft Graph PowerShell SDK | Microsoft Learn to install Microsoft.Graph PowerShell.
Run the following commands:
# Connect to Microsoft Graph Connect-MgGraph -TenatnId <TenantID> -Scopes "Application.ReadWrite.All" # Register the Dev tunnels service app to the tenant $TunnelServiceAppId = "46da2f7e-b5ef-422a-88d4-2a7f9de6a0b2" New-MgServicePrincipal -AppId $TunnelServiceAppIdGo to "Microsoft Entra ID" -> "Manage" -> "Enterprise applications" to verify if the Dev tunnels service is registered.
Enable the Dev tunnels service for the conditional access picker
The Microsoft Entra IDteam is working on removing the need to onboard apps for them to appear in the app picker, with delivery expected in May. Therefore, we aren't onboarding Dev tunnel service to the conditional access picker. Instead, target the Dev tunnels service in a conditional access policy using Custom Security Attributes.
Follow Add or deactivate custom security attribute definitions in Microsoft Entra ID to add the following Attribute set and New attributes.
Follow Create a conditional access policy to create a conditional access policy.
Follow Configure custom attributes to configure the custom attribute for the Dev tunnels service.
Testing
Turn off the BlockDevTunnelCA
Create a DevBox in the test tenant and run the following commands inside it. Dev tunnels can be created and connected externally.
code tunnel user login --provider microsoft
code tunnel
Enable the BlockDevTunnelCA.
New connections to the existing Dev tunnels can't be established. Test with an alternate browser if a connection has already been established.
Any new attempts to execute the commands in step #2 will fail. Both errors are:
The Microsoft Entra ID sign-in logs show these entries.
Limitations
With Dev Tunnels, the following limitations apply:
- You can't configure conditional access policies for Dev Box service to manage Dev tunnels for Dev Box users.
- You can't limit Dev tunnels that aren't managed by the Dev Box service. In the context of Dev Boxes, if the Dev tunnels GPO is configured to allow only selected Microsoft Entra tenant IDs, Conditional Access policies can also restrict self-created Dev tunnels.