2
votes

Has anyone successfully restricted Visual Studio Team Services access by IP address? The following blog post says it is possible by connecting the VS Team Services with Azure AD.

https://blogs.technet.microsoft.com/ad/2015/06/25/azure-ad-conditional-access-preview-update-more-apps-and-blocking-access-for-users-not-at-work/

After signing up you will see the Visual Studio Team Services application on the application tab of the Azure AD portal. You can then go to the application's configure tab and set access rules, just like you would for other applications. (Like the Twitter example above.)

I have connected Team Services with Azure AD, but when I go into the Azure AD portal, click on applications under my domain and then click on "Visual Studio Online", all I get is a "Dashboard" with usage graphs. There is no "Configure" tab as the blog post says there should be. I have backed my Team Services account with TFS. Any ideas?

Thanks.


2 Answers

3
votes

Think I found the issue. In the below link it says:

These capabilities will be available to customers that have purchased an Azure Active Directory Premium license.

https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-azuread-connected-apps/

Since I'm not subscribed to Azure AD Premium, that is most likely why I don't get the configuration tab and the option to restrict access by IP address. Somewhat annoying that you would have to pay for Azure AD Premium access to get such a standard feature when already paying for VS Team Services.

0
votes

You can do this in the AD: azure-ad-conditional-access-preview-update-more-apps-and-blocking-access-for-users-not-at-work:

Blocking external access

In other cases only users on the corporate network may be allowed to access a SaaS application. This rule can help prevent data leakage and in some cases can help you meet regulatory requirements.

When an app is on-premises you would have easily been able to enforce this policy at your network boundary. With the app in the cloud this becomes more challenging.

We've helped address this by adding the block access when not at work rule. This rule can be applied to any of your Azure AD applications that support conditional access.

The page below shows the option on the same Twitter configure tab as above.

When you choose this option only users coming from an IP address that falls within an IP range you have identified will be allowed access to the application.