| title | Change application connection and security policies for organizations |
|---|---|
| titleSuffix | Azure DevOps Services |
| description | Manage security policies for accessing organization through Conditional Access, OAuth, SSH, and personal access tokens (PATs). |
| ms.subservice | azure-devops-organizations |
| ms.assetid | 2fdfbfe2-b9b2-4d61-ad3e-45f11953ef3e |
| ms.topic | how-to |
| ms.author | chcomley |
| author | chcomley |
| ms.date | 10/10/2025 |
| monikerRange | azure-devops |
[!INCLUDE alt-creds-deprecation-notice]
This article shows how to manage your organization's security policies that determine how users and applications can access services and resources in your organization. You can access most of these policies in Organization settings.
| Category | Requirements |
|---|---|
| Permissions |
|
[!INCLUDE manage-policies]
To allow seamless access to your organization without repeatedly prompting for user credentials, applications can use authentication methods such as OAuth, SSH, and personal access tokens (PATs). By default, all existing organizations allow access for all authentication methods.
You can limit access to these authentication methods by disabling the following application connection policies:
- Third-party application access via OAuth: Enable Azure DevOps OAuth apps to access resources in your organization through OAuth. This policy is off by default for all new organizations. If you want access to Azure DevOps OAuth apps, enable this policy to ensure these apps can access resources in your organization. This policy doesn't affect Microsoft Entra ID OAuth app access.
- SSH authentication: Enable applications to connect to your organization's Git repos through SSH.
- Tenant admins can restrict global personal access token creation, restrict full-scoped personal access token creation, and enforce maximum personal access token lifespan through tenant-level policies on the Microsoft Entra settings page. Add Microsoft Entra users or groups to exempt them from these policies.
- Organization admins can restrict personal access token creation in their respective organizations. Subpolicies allow admins to permit the creation of packaging-only PATs or the creation of any-scope PATs to allowlisted Microsoft Entra users or groups.
When you deny access to an authentication method, no application can access your organization through that method. Any application that previously had access encounters authentication errors and loses access.
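The following added example (not part of the original article or any Microsoft tooling) checks an inventory of PATs against the limits the tenant-level policies above describe: full scope, maximum lifespan, and exempted users. The record field names, the `app_token` full-scope string, and the sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FULL_SCOPE = "app_token"  # assumption: scope value that marks a full-scoped PAT

# Constructed inventory (no real tokens). Field names are assumed; "owner" is a
# hypothetical column added by whoever assembled the inventory.
SAMPLE_PATS = [
    {"owner": "ci-bot@contoso.example", "displayName": "pipeline-feed",
     "scope": "vso.packaging", "validFrom": "2025-10-01T00:00:00Z", "validTo": "2025-10-31T00:00:00Z"},
    {"owner": "dev1@contoso.example", "displayName": "local-git",
     "scope": "app_token", "validFrom": "2025-10-01T00:00:00Z", "validTo": "2025-10-15T00:00:00Z"},
    {"owner": "dev2@contoso.example", "displayName": "long-lived",
     "scope": "vso.code vso.build", "validFrom": "2025-01-01T00:00:00Z", "validTo": "2026-01-01T00:00:00Z"},
    {"owner": "release-admin@contoso.example", "displayName": "break-glass",
     "scope": "app_token", "validFrom": "2025-01-01T00:00:00Z", "validTo": "2026-01-01T00:00:00Z"},
    {"owner": "dev3@contoso.example", "displayName": "old-token",
     "scope": "app_token", "validFrom": "2025-01-01T00:00:00Z", "validTo": "2025-02-01T00:00:00Z"},
]

def _ts(value):
    """Parse an ISO 8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_pats(pats, max_lifespan_days, exempt_owners=(), now=None):
    """Return (owner, displayName, reasons) for active PATs outside the limits."""
    now = now or datetime.now(timezone.utc)
    exempt = {o.lower() for o in exempt_owners}
    findings = []
    for pat in pats:
        valid_from, valid_to = _ts(pat["validFrom"]), _ts(pat["validTo"])
        if valid_to <= now:
            continue  # expired tokens no longer grant access
        if pat["owner"].lower() in exempt:
            continue  # owner is on the policy's exemption list
        reasons = []
        if FULL_SCOPE in pat["scope"].split():
            reasons.append("full-scoped")
        lifespan = valid_to - valid_from
        if lifespan > timedelta(days=max_lifespan_days):
            reasons.append(f"lifespan {lifespan.days}d exceeds {max_lifespan_days}d")
        if reasons:
            findings.append((pat["owner"], pat["displayName"], reasons))
    return findings

if __name__ == "__main__":
    for finding in audit_pats(SAMPLE_PATS, 30, ["release-admin@contoso.example"]):
        print(finding)
```
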
Conditional Access (CA) in Azure DevOps is enforced through Microsoft Entra ID and supports both interactive (web) and non-interactive (client credential) flows, validating policies like MFA, IP restrictions, and device compliance during sign-in and periodically via token checks.
The SSH authentication policy controls whether or not an organization allows the use of SSH keys.
To avoid losing access due to an expired SSH key, create and upload a new key before the current one expires. The system sends automated notifications 7 days before expiration and again after expiration to help you stay ahead. For more information, see Step 1: Create your SSH keys.
The Validate SSH key expiration policy is enabled by default. When active, it enforces the expiration date—expired keys immediately become invalid.
If you disable the policy, the system no longer checks expiration dates, and expired keys remain usable.
| Policy | Org-level | Tenant-level |
|---|---|---|
| Third-party application access via OAuth | ✅ | |
| SSH authentication | ✅ | |
| Validate SSH key expiration | ✅ | |
| Log audit events | ✅ | |
| Restrict personal access token creation | ✅ | |
| Allow public projects | ✅ | |
| Additional protections when using public package registries | ✅ | |
| Enable IP Conditional Access policy validation on non-interactive flows | ✅ | |
| External guest access | ✅ | |
| Allow team and project administrators to invite new users | ✅ | |
| Request access allows users to request access to the organization with a provided internal URL | ✅ | |
| Allow Microsoft to collect feedback from users | ✅ | |
| Restrict organization creation | | ✅ |
| Restrict global personal access token creation | | ✅ |
| Restrict full-scoped personal access token creation | | ✅ |
| Enforce maximum personal access token lifespan | | ✅ |