(Action Required) Conditional Access Update for Azure DevOps - Deadline: Sept 2, 2025
Until now, many orgs protected Azure DevOps sign-ins indirectly via Conditional Access policies targeting the "Windows Azure Service Management API" (aka App ID: 797f4846-ba00-4fd7-ba43-dac1f8f63013).
That's no longer enough. From Sept 2, 2025, you have to explicitly include Azure DevOps in your Conditional Access policies using its own App ID:
Azure DevOps App ID: 499b84ac-1321-427f-aa17-267ca6975798
In short, DevOps is separating from the pack and now needs to be called out explicitly in Conditional Access settings.
If Azure DevOps isn't explicitly included in your CA policies:
- MFA and device rules won't apply
- Sign-ins may go unprotected
- You'll lose critical visibility and control
Find CA policies targeting Windows Azure Service Management API, update them to include Azure DevOps, and check sign-in logs.
Reminder: You'll need Microsoft Entra ID P1 or P2 licenses to use Conditional Access.
If you already have CA policies applied to all users and all cloud apps without exclusions, then Azure DevOps is already covered. You’re good to go.
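One way to do the "find CA policies" step offline, as an added example (not from the original post or from Microsoft tooling): it classifies policies by their application conditions, covering both the management-API-only case and the all-cloud-apps case above. It assumes the policies were exported in the JSON shape of the Microsoft Graph conditionalAccessPolicy resource (`displayName`, `state`, `conditions.applications.includeApplications` / `excludeApplications`); the function names and sample policies are constructed for illustration.

```python
# Added example: audit exported Conditional Access policies for Azure DevOps coverage.
WASM_API = "797f4846-ba00-4fd7-ba43-dac1f8f63013"      # Windows Azure Service Management API
AZURE_DEVOPS = "499b84ac-1321-427f-aa17-267ca6975798"  # Azure DevOps

def devops_coverage(policy):
    """Classify one policy by its application conditions only.

    User scope and grant controls are not evaluated here.
    """
    apps = (policy.get("conditions") or {}).get("applications") or {}
    include = {a.lower() for a in apps.get("includeApplications") or []}
    exclude = {a.lower() for a in apps.get("excludeApplications") or []}
    if not include & {"all", WASM_API, AZURE_DEVOPS}:
        return "not-relevant"   # policy never touched Azure management or DevOps
    if AZURE_DEVOPS in exclude:
        return "excluded"       # DevOps is carved out of an otherwise matching policy
    if "all" in include or AZURE_DEVOPS in include:
        return "covered"
    return "needs-update"       # targets only the management API

def audit(policies):
    """Return (displayName, state, verdict) for policies that need attention."""
    return [(p.get("displayName"), p.get("state"), v)
            for p in policies
            for v in [devops_coverage(p)]
            if v in ("needs-update", "excluded")]

def _policy(name, state, include, exclude=()):
    # Builds a constructed policy in the assumed Graph JSON shape.
    return {"displayName": name, "state": state, "conditions": {"applications": {
        "includeApplications": list(include), "excludeApplications": list(exclude)}}}

# Constructed sample data, not real tenant policies.
SAMPLE = [
    _policy("MFA for Azure management", "enabled", [WASM_API]),
    _policy("MFA for Azure management and DevOps", "enabled", [WASM_API, AZURE_DEVOPS]),
    _policy("MFA for all apps", "enabled", ["All"]),
    _policy("Compliant device, all apps", "enabledForReportingButNotEnforced",
            ["All"], [AZURE_DEVOPS]),
    _policy("MFA for Office 365", "enabled", ["Office365"]),
]

if __name__ == "__main__":
    for name, state, verdict in audit(SAMPLE):
        print(f"{verdict:13} {state:34} {name}")
```

The `state` column is kept in the findings because a policy that is disabled or in report-only mode does not enforce anything even when its application scope is correct.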