Azure-devops-docs: Doc Needs to Explain that the setting in DevOps only applies to alt auth
This document should explicitly explain that the "Enable Azure Active Directory Conditional Access Policy Validation" setting only applies to alternate credentials, and that if CAPs are set on the AAD, they will be enforced for web login regardless of the setting in Azure DevOps.
Document Details
⚠Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
- ID: 24bd6400-4207-6f85-8a4e-5c9b0cc99cff
- Version Independent ID: 0b018039-29d1-431a-1be9-4b46af7f084f
- Content: Manage conditional access policies - Azure DevOps Services
- Content Source: docs/organizations/accounts/manage-conditional-access.md
- Product: devops
- Technology: devops-accounts
- GitHub Login: @chcomley
- Microsoft Alias: chcomley
anmason
All 9 comments
Perhaps we could add a table like this to the document:
 | CAP Enabled in AAD | CAP Disabled in AAD
-- | -- | --
"Enable Azure Active Directory Conditional Access Policy Validation" set to "On" | CAP is enforced for web login (including browser popups for GCM and VS IDE) as well as alternate authentication (PATs, OAuth, SSH keys, etc.) | No CAP enforced
"Enable Azure Active Directory Conditional Access Policy Validation" set to "Off" | CAP is enforced for web login (including browser popups for GCM and VS IDE) only | No CAP enforced
anmason
on 17 Jul 2019
@anmason, Thank you for the suggestion. I've created a user story on my backlog to capture this. You'll be notified via this GitHub Issue when updates have been published. Thanks again!
chcomley
on 17 Jul 2019
Actually, @anmason, adding your table isn't needed, as we have existing documentation on how and what we support in CAP. Please check it out here: https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/manage-conditional-access?view=azure-devops.
Thank you!
chcomley
on 17 Jul 2019
@chcomley The link you provided is the doc that I opened this bug for. While it does mention that DevOps enforces policy for alt auth, it is not clear that the setting _only_ applies to alt auth. With the way the document is worded, it makes it seem like when you set it to "on", it checks CAPs for both web login and alt auth, and when you set it to "off", it does not check CAPs anywhere. I've had several customers come to me with this understanding. I opened this bug because I think we need to make it clearer exactly what the setting controls.
anmason
on 17 Jul 2019
@anmason I hadn't realized it was the same doc, as it was sent to me as a reference point from the PM. My apologies! I've reopened the issue and will investigate further.
chcomley
on 17 Jul 2019
Hi @anmason, Our PM is confirming this with the engineering team, so I'll be in touch... Thanks very much
chcomley
on 18 Jul 2019
Hi @anmason, Just wanted to check in and let you know that I haven't heard back from the PM yet. Will keep you posted. Hope you have a great weekend!
chcomley
on 19 Jul 2019
Hi @anmason, I've updated the document, offering clarity around the setting, that it only applies to alt auth, which should go live sometime this afternoon. Thanks very much for your feedback! Please don't hesitate to provide any further feedback on our docs, as you come across anything. Thanks again!
chcomley
on 23 Jul 2019
The comment of @anmason it's more explicit about what really do the on and off option of "Enable Azure Active Directory Conditional Access Policy Validation"
diegri
on 28 Sep 2019
Related issues
mikedouglasdev
·
3Comments
dannyvv
·
3Comments
csutorasr
·
3Comments
kieronlanning
·
3Comments
sevaa
·
3Comments