Administrators in companies that use conditional access policies for Azure DevOps sign-ins in Microsoft Entra need to take action. Starting September 2, 2025, Microsoft Entra will discontinue the application of conditional access policies via Azure Resource Manager for Azure DevOps sign-ins. Full implementation will take place by September 18, 2025.
Microsoft announced this on July 28, 2025, and updated it on September 4, 2025, in the Microsoft 365 Message Center post MC1123830 – Microsoft Entra: Action Required – Update Conditional Access Policies for Azure DevOps Sign-ins.
Enterprise administrators must update their conditional access policies and explicitly include Azure DevOps (App ID: 499b84ac-1321-427f-aa17-267ca6975798) to ensure secure access.
Azure DevOps will no longer rely on the Azure Resource Manager (ARM) resource when signing in or refreshing tokens. This change ensures that access controls are applied directly to Azure DevOps. Organizations must update their conditional access policies to explicitly include Azure DevOps to ensure secure access.
This change will take effect on September 2, 2025, and will be fully implemented in all environments by September 18, 2025 (previously September 4). If you are using conditional access policies that target the Windows Azure Service Management API (app ID: 797f4846-ba00-4fd7-ba43-dac1f8f63013), these policies will no longer apply to Azure DevOps logins after the date mentioned above. This may result in unprotected access unless these policies are updated to include Azure DevOps (App ID: 499b84ac-1321-427f-aa17-267ca6975798).
Access controls such as MFA or compliant-device requirements may not be enforced unless the policies are updated. No action is needed only where a conditional access policy already applies to all users and all cloud apps and does not explicitly exclude Azure DevOps; in such an environment, Azure DevOps sign-ins will continue to be protected.
Sign-in activity can be monitored using the Microsoft Entra ID sign-in logs. Microsoft Entra ID P1 or P2 licenses are required to use conditional access policies, with no functional differences between the license types.
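The policy check described above can be run offline against policy objects exported from Microsoft Graph (`GET /identity/conditionalAccess/policies`). This is an added example, not Microsoft's code: the sample policies are constructed, the verdict labels and helper names are hypothetical, and only application targeting is evaluated (user scope is not checked, and report-only policies are treated like enabled ones).

```python
"""Flag conditional access policies that target ARM but not Azure DevOps."""
ARM_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"     # Windows Azure Service Management API
DEVOPS_APP_ID = "499b84ac-1321-427f-aa17-267ca6975798"  # Azure DevOps

def classify(policy):
    """Return a verdict (hypothetical labels) for one exported policy object."""
    if policy.get("state") == "disabled":
        return "ignored-disabled"
    apps = (policy.get("conditions") or {}).get("applications") or {}
    include = {a.lower() for a in apps.get("includeApplications") or []}
    exclude = {a.lower() for a in apps.get("excludeApplications") or []}
    if DEVOPS_APP_ID in exclude:
        return "devops-excluded"   # explicit exclusion: policy does not apply to Azure DevOps
    if "all" in include or DEVOPS_APP_ID in include:
        return "covers-devops"     # all cloud apps, or Azure DevOps named directly
    if ARM_APP_ID in include:
        return "needs-update"      # relied on ARM; stops applying to Azure DevOps sign-ins
    return "not-relevant"

def audit(policies):
    """Map each policy's displayName to its verdict."""
    return {p["displayName"]: classify(p) for p in policies}

def _policy(name, include, exclude=(), state="enabled"):
    """Build a constructed sample in the shape Graph returns (fields used here only)."""
    return {"displayName": name, "state": state,
            "conditions": {"applications": {"includeApplications": list(include),
                                            "excludeApplications": list(exclude)}}}

# Constructed sample policies, not taken from any real tenant.
SAMPLE_POLICIES = [
    _policy("MFA for Azure management", [ARM_APP_ID]),
    _policy("MFA for all apps", ["All"]),
    _policy("Compliant device, DevOps excluded", ["All"], exclude=[DEVOPS_APP_ID]),
    _policy("MFA for ARM and DevOps", [ARM_APP_ID, DEVOPS_APP_ID.upper()]),
    _policy("Retired ARM policy", [ARM_APP_ID], state="disabled"),
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_POLICIES).items():
        print(f"{verdict:18} {name}")
```

Policies reported as `needs-update` or `devops-excluded` are the ones to review before the enforcement dates given above.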