I'm looking for a way to grant users access to the Azure DevOps portal without giving them access to the Azure portal. Our IT security team is concerned because users who have access to DevOps can easily access Azure and read Active Directory attributes. They currently have a Conditional Access (CA) policy that blocks Azure portal access, but this also prevents DevOps access unless specific users are excluded from the policy. Is there a way to prevent Azure management app access while still allowing DevOps? Any suggestions?
4 Answers
It seems like anyone with the Active Directory MMC snap-in and a standard user account can read AD attributes, so what's the actual risk here?
This whole situation seems like a classic case of security teams confusing the Azure Portal with something like a vSphere Portal. Remember, any user can view their attributes through Get-AdUser without needing Azure portal access. Maybe consider giving developers secure workstations tailored to their tasks?
That's true, but allowing PowerShell access can complicate things. Not all users have that access, which helps... but it's still a tricky balance.
Can't you just exclude Azure DevOps from the CA policy? I thought I saw that option in our tenant before.
You can exclude it, but that gives those users access to the Azure portal as well, which is the problem we're trying to avoid by restricting access.
You could also scope user roles to ensure that non-admin users can only access their own objects. That might improve security while still allowing DevOps usage.

The concern is mainly about compromised accounts. If a threat actor gains access to a user account, they could easily view sensitive information via the Azure portal. That's why our team is blocking access to portal.azure.com, but this policy also restricts access to DevOps unless we make exceptions.
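The trade-off raised in the thread (a per-user exclusion from a broad policy re-opens the Azure portal for those users, whereas a policy scoped to the Azure Management app alone does not) can be made concrete by modelling how Conditional Access include/exclude scoping decides a sign-in. The following Python is an added example, not code from this thread: the policy objects mirror the Microsoft Graph conditionalAccessPolicy shape, the evaluator is a simplified model (users and cloud apps only, no device, location or session conditions), the user IDs are constructed, and the two application IDs are the well-known first-party IDs for Microsoft Azure Management and Azure DevOps, which you should confirm against the service principals in your own tenant.

```python
"""Simplified model of Entra ID Conditional Access (CA) scoping, comparing
(a) 'block all cloud apps' with a per-user exclusion against
(b) 'block only Microsoft Azure Management' for everyone.
Added example; the policy dicts follow the Microsoft Graph
conditionalAccessPolicy shape, the evaluator models users and apps only."""

# Well-known first-party application IDs (assumed; verify in your tenant).
AZURE_MANAGEMENT_APP = "797f4846-ba00-4fd7-ba43-dac1f8f63013"  # Microsoft Azure Management
AZURE_DEVOPS_APP = "499b84ac-1321-427f-aa17-267ca6975798"      # Azure DevOps

# Constructed user object IDs for the example.
DEVELOPER = "11111111-1111-1111-1111-111111111111"
ANALYST = "22222222-2222-2222-2222-222222222222"

# (a) Broad policy: block every cloud app, carve developers out by user.
BLOCK_ALL_EXCEPT_DEVS = {
    "displayName": "Block cloud apps (developer exclusion)",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [DEVELOPER]},
        "applications": {"includeApplications": ["All"], "excludeApplications": []},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

# (b) Narrow policy: block only the Azure Management app, for all users.
BLOCK_AZURE_MANAGEMENT = {
    "displayName": "Block Microsoft Azure Management",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": []},
        "applications": {
            "includeApplications": [AZURE_MANAGEMENT_APP],
            "excludeApplications": [],
        },
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def _in_scope(value, include, exclude):
    """CA scoping: matched by the include list ('All' or an explicit id) and not excluded."""
    included = "All" in include or value in include
    return included and value not in exclude


def policy_blocks(policy, user_id, app_id):
    """True if this enabled policy applies to (user, app) and its grant control is 'block'."""
    if policy.get("state") != "enabled":
        return False
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    applies = (_in_scope(user_id, users["includeUsers"], users["excludeUsers"])
               and _in_scope(app_id, apps["includeApplications"], apps["excludeApplications"]))
    return applies and "block" in policy["grantControls"]["builtInControls"]


def sign_in_blocked(policies, user_id, app_id):
    """Policies combine restrictively: a single blocking policy denies the sign-in."""
    return any(policy_blocks(p, user_id, app_id) for p in policies)


def access_matrix(policies, users, apps):
    """Return {(user, app): 'BLOCK' | 'ALLOW'} for every user/app pair under the policy set."""
    return {(u, a): "BLOCK" if sign_in_blocked(policies, u, a) else "ALLOW"
            for u in users for a in apps}


if __name__ == "__main__":
    names = {DEVELOPER: "developer", ANALYST: "analyst",
             AZURE_MANAGEMENT_APP: "Azure Management", AZURE_DEVOPS_APP: "Azure DevOps"}
    for label, policy in (("(a) broad + user exclusion", BLOCK_ALL_EXCEPT_DEVS),
                          ("(b) scoped to Azure Management", BLOCK_AZURE_MANAGEMENT)):
        print(label)
        matrix = access_matrix([policy], [DEVELOPER, ANALYST],
                               [AZURE_MANAGEMENT_APP, AZURE_DEVOPS_APP])
        for (u, a), verdict in matrix.items():
            print(f"  {names[u]:<10} -> {names[a]:<17} {verdict}")
```

Under policy (a) the excluded developer is allowed into both Azure DevOps and the Azure portal, which is exactly the gap the question describes; under policy (b) every user is blocked from the Azure Management app and allowed into Azure DevOps without any per-user exception. Before relying on (b), check the tenant's sign-in logs for which resource the Azure DevOps portal actually requests tokens for, since this model does not account for an app that itself calls Azure Management on the user's behalf.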