Thursday, April 13, 2017

VSTS - Restrict access by IP

Premise
Keeping the source code safe is as imperative as keeping the applications safe. If your source repository is in the cloud and you can’t control who can download the code, or from where, that is a big concern for any enterprise.

Visual Studio Team Services (hereafter VSTS) is Microsoft’s cloud-based project management tool, covering requirements management, the development lifecycle, build and deployment, and a code repository. Since it is cloud-based, it can be accessed from anywhere by developers who have permission to check out code, which is a big security issue for any company that would prefer to limit source code access to the corporate network only.

Solution
VSTS as a product doesn’t itself have a feature to limit access to white-listed IPs. However, this can be achieved by combining it with Azure Active Directory (hereafter Azure AD).

VSTS supports two forms of authentication: either you manage the users in VSTS directly, or you connect VSTS to an Azure AD and perform the user management tasks there. The latter is what we are going to use to achieve our goal.

Pre-requisites
  1. VSTS subscription with owner or service administrator permissions
  2. Azure subscription with owner or service administrator permissions
  3. Azure AD Premium with admin permission

(Note: in 1 & 2, the same Microsoft account should hold these permissions, as the Azure subscription automatically picks up the VSTS subscription connected to the account.)

Configuration
In order to limit VSTS access to white-listed IPs, we are going to use the “Conditional Access” feature of Azure AD. We require the Azure AD Premium subscription because the conditional access feature is only available in Premium.

Step 1: Configure VSTS to use Azure AD for authentication.

I do not wish to repeat these steps as there is a very nice official MS article available with pretty pictures to achieve this. Please follow the steps mentioned in the article below.


Step 2: Enable Conditional Access in Azure AD for VSTS.
  1. Sign in to the Azure CLASSIC portal using an account that is a global administrator for Azure AD.
  2. On the left pane, select Active Directory.
  3. On the Directory tab, select your directory.
  4. Select the Applications tab.
  5. Select the application (VSTS) that the rule will be set for.
  6. Select the Configure tab. You should see a screen like the one below:

    First turn “Enable Access Rule” ON. Click “All users” or “Groups” depending upon your requirement. I did it for all users. Under Rules, select the last radio button, “Block access when not at work”.

    Then click the link below it, “Click here to define/edit your work network location”, and you should see the screen shown below. Here you can add the IPs to which you wish to restrict access.

    Enter your IP address range in CIDR format. I was sitting on home Wi-Fi so I just added my single IP there. Scroll down and click Save. Go back to the previous screen and save the settings.

    (There are more settings available on this screen for conditional access, like MFA when not on the corporate network, device registration or recognition. You can select whatever you want, but in my case I only configured the IP range to which I wish to restrict access to VSTS.)

    You have now successfully enabled “Conditional Access” on VSTS. Go back and try to log in to your VSTS from an IP not listed above and you should see the message below after login.

Neat, right?

Although this is obvious after this configuration, it bears repeating: conditional access is a feature of Azure AD and not VSTS, and hence it can be applied to any application that uses Azure AD (Premium) for authentication, like Office 365 or any other app.

Hope this helped, and let me know if you face any issues while configuring this.
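A way to sanity-check the work network list from Step 2 and confirm the rule is doing its job, as an added example that is not part of the original post. It assumes Azure AD matches on the public address a sign-in arrives from; the record fields (`user`, `ip`, `result`) and all sample values are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges: assumed never to match, since the policy sees the public egress IP.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample input (documentation address ranges, not real networks).
SAMPLE_RANGES = ["203.0.113.0/24", "198.51.100.25", "192.168.1.0/24", "203.0.113.7/24"]
SAMPLE_SIGNINS = [
    {"user": "alice", "ip": "203.0.113.40", "result": "success"},
    {"user": "bob", "ip": "198.51.100.25", "result": "success"},
    {"user": "carol", "ip": "192.0.2.77", "result": "blocked"},
    {"user": "dave", "ip": "192.0.2.90", "result": "success"},
]

def check_ranges(entries):
    """Parse CIDR entries; return (usable networks, rejected entries with reasons)."""
    networks, problems = [], []
    for entry in entries:
        try:
            # strict=True rejects entries such as 203.0.113.7/24 (host bits set);
            # a bare address is accepted as a single-host range.
            net = ipaddress.ip_network(entry.strip(), strict=True)
        except ValueError as exc:
            problems.append(f"{entry}: {exc}")
            continue
        if any(net.overlaps(private) for private in RFC1918):
            problems.append(f"{entry}: private range, cannot match a public egress IP")
            continue
        networks.append(net)
    return networks, problems

def unexpected_signins(records, networks):
    """Return successful sign-ins whose source IP is outside every allowed range."""
    findings = []
    for rec in records:
        ip = ipaddress.ip_address(rec["ip"])
        if rec["result"] == "success" and not any(ip in net for net in networks):
            findings.append(rec)
    return findings

if __name__ == "__main__":
    nets, issues = check_ranges(SAMPLE_RANGES)
    for issue in issues:
        print("range problem:", issue)
    for rec in unexpected_signins(SAMPLE_SIGNINS, nets):
        print("allowed from outside work network:", rec["user"], rec["ip"])
```

A successful sign-in from outside the list usually means the user falls outside the “Groups” scope chosen for the rule, or the rule was not saved on both screens.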
