Premise
Keeping the source code safe is as imperative as keeping the applications safe. If your source repository is in the cloud and you cannot control who can download the code, or from where, that is a serious concern for any enterprise.
Visual Studio Team Services (VSTS hereafter) is Microsoft's cloud-based project management tool, covering requirements management, the development lifecycle, build and deployment, and a code repository as well. Because it is cloud based, it can be accessed from anywhere by any developer who has permission to check out code. That is a real security issue for companies that would prefer to limit access to the source code to the corporate network only.
Solution
VSTS as a product does not have a feature to limit access to whitelisted IPs. However, this can be achieved by combining it with Azure Active Directory (Azure AD hereafter).
VSTS supports two forms of authentication: either you manage the users in VSTS directly, or you connect VSTS to an Azure AD tenant and perform the user management tasks there. The latter is what we are going to use to achieve our goal.
Pre-requisites
- VSTS subscription with owner or service administrator permissions
- Azure subscription with owner or service administrator permissions
- Azure AD Premium with admin permission
(Note: for the first two items, the same Microsoft account should hold both sets of permissions, because the Azure subscription automatically picks up the VSTS subscription connected to that account.)
Configuration
In order to limit VSTS access to whitelisted IPs, we are going to use the "Conditional Access" feature of Azure AD. The reason we require an Azure AD Premium subscription is that Conditional Access is only available in Premium.
Step 1: Configure VSTS to use Azure AD for authentication.
I do not wish to repeat these steps here, as there is a very good official Microsoft article, with pictures, that walks through them. Please follow the steps in the article below.
Step 2: Enable Conditional Access in Azure AD for VSTS.
- Sign in to the Azure CLASSIC portal using an account that is a global administrator for Azure AD.
- On the left pane, select Active Directory.
- On the Directory tab, select your directory.
- Select the Applications tab.
- Select the application (VSTS) that the rule will be set for.
- Select the Configure tab. You should see a screen like the one below:
First, turn "Enable Access Rule" ON. Click "All users" or "Groups" depending on your requirement. I did it for all users. Under Rules, select the last radio button, "Block access when not at work".
Then click the link below it, "Click here to define/edit your work network location", and you should see the screen shown below. Here you can add the IP ranges to which you wish to restrict access.
Enter your IP address ranges in CIDR format. I was sitting on home Wi-Fi, so I just added my single IP there. Scroll down and click Save, then go back to the previous screen and save the settings. Before you save, confirm that the address you are currently signing in from is in the list: the rule applies to your own account too, so otherwise your own next VSTS sign-in is blocked. A single home address is fine for a test, but consumer connections are usually assigned a new address over time, so a production list should contain the fixed egress ranges of the corporate network or VPN rather than individual client IPs.
(There are more settings on this screen for Conditional Access, such as requiring MFA when not on the corporate network, or device registration and recognition. You can select whatever you need, but in my case I only configured the IP range to which I wish to restrict access to VSTS.)
You have now successfully enabled "Conditional Access" for VSTS. Go back and try to sign in to VSTS from an IP not listed above, and you should see the message below after you sign in.
Neat, right?
Although it is obvious after this configuration, it bears repeating: Conditional Access is a feature of Azure AD, not of VSTS, and so it can be applied to any application that uses Azure AD (Premium) for authentication, such as Office 365 or any other app.
Two caveats follow from that. The rule is evaluated when Azure AD processes a sign-in, so a session established before the rule was saved keeps working until its token expires. And the test above only exercised the interactive web sign-in; credentials that VSTS issues itself, such as alternate authentication credentials and personal access tokens, are not Azure AD sign-ins, so check separately how VSTS treats them before relying on the IP restriction for Git and API access.
I hope this helped; let me know if you face any issues while configuring this.