Prevent users from accessing VSTS outside the workplace

Since VSTS (formerly VSO) began to be evaluated by companies as an alternative to TFS (you did know that VSTS is much cooler than TFS, right?), one question has come up with some regularity:

But if I put my company's source code in the cloud, my developers can access the code outside the workplace. I don't want my devs to have access to the code when they are outside my network!

And then, how do you do it (#comofaz)?

As usual in my posts, I'm not going to get into the merits of the question ("but why do you want to prohibit your devs' access?"). What matters is that this scenario is common and worth discussing.

What we want is to restrict developers' access so that they can connect to VSTS only when they are on the corporate network. Outside of it, access must be blocked.

Normally, the first solution that comes to mind for most infrastructure/network people, when faced with this problem, is "let's limit by IP: allow only the company's public IP to connect to VSTS and block the rest." Well, there's just one small problem: it doesn't work.

The problem is that VSTS does not offer any kind of IP-based filter, so you can't do what you do in SQL Azure, where you add and/or remove the IPs that may access the service on Azure.

IP configuration in SQL Azure: it does not work for VSTS.
Cool, huh? You just filter the IPs and you're done! Too bad it doesn't work in VSTS, simply because VSTS has nothing like it!

The "trick" is to take advantage of the integration between VSTS and Azure Active Directory (Azure AD), because that gives us the feature we need to limit access to our account: Azure AD Conditional Access.

Azure Active Directory Conditional Access

Azure AD Conditional Access is a feature of Azure AD Premium that allows you to limit the conditions under which users of an AAD domain can authenticate. Besides being usable to, for example, require MFA (multi-factor authentication) at login, Conditional Access can be used to block logins that come from outside the corporate network.

Azure AD Conditional Access

Configuring VSTS

To activate Conditional Access, we start from the following assumptions (which, therefore, will not be discussed in this post):

  1. The Visual Studio Team Services account is already linked to an AAD directory; and
  2. The VSTS users have Azure AD Premium licenses associated with their accounts.

To prevent your users from being able to access VSTS when they are out of the office, go to the classic Azure Portal, open the Active Directory section (1), select your directory (2) (Lambda3, in our example) and then go to the Applications tab (3). Finally, click Visual Studio Online (4):

Opening the VSTS settings in Azure AD

Now let's configure VSTS.

First, click the Configure tab (1) and enable access rules (2). At this point, you must decide whether to apply these rules to all users of your directory or only to some of them (3). Then comes the most important part: block access when users are outside the corporate network (4).

Configuring Azure AD to prevent login outside the corporate network

How does it know I'm out of the office?

On the configuration page of the Azure AD Multi-Factor Authentication service, there is an area where you can enter the IP address ranges that represent your corporate networks. These are the addresses that Conditional Access uses to determine whether your users are inside or outside the office. If a user tries to log in from an IP address outside of those ranges, access is blocked.

Setting of IP address ranges that the Azure AD considers corporate network

Conclusion

Although VSTS has no native support for IP-based access filtering, Azure AD Conditional Access can be used to achieve a similar result. One important thing to highlight is that access via PATs (Personal Access Tokens) and alternate credentials is not covered by Conditional Access, i.e. they can be used normally when outside the corporate network.
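To make the two points above concrete (the corporate IP-range check that Conditional Access performs, and the PAT / alternate credentials gap noted in the conclusion), here is an added Python model; it is not part of the original post nor of Azure AD itself. The ranges, users and addresses are constructed sample values, and the `credential` field is an assumed label, not a real sign-in log attribute.

```python
import ipaddress
from dataclasses import dataclass

# Corporate IP ranges, as they would be entered in the Azure AD MFA service's
# trusted IP setting. Constructed sample values, not a real network.
CORPORATE_RANGES = [ipaddress.ip_network(r) for r in ("203.0.113.0/24", "198.51.100.0/25")]

# Credential types that, per the post, Conditional Access does not evaluate.
NOT_COVERED = {"pat", "alt_creds"}

@dataclass
class SignIn:
    user: str
    source_ip: str
    credential: str  # assumed label: "interactive", "pat" or "alt_creds"

def is_corporate(ip: str) -> bool:
    """True when the source address falls inside a configured corporate range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)

def evaluate(signin: SignIn) -> str:
    """Model the Conditional Access decision for one sign-in:
    "allow" = interactive login from the corporate network,
    "block" = interactive login from outside it,
    "bypass" = PAT / alternate credentials, which the policy does not cover."""
    if signin.credential in NOT_COVERED:
        return "bypass"
    return "allow" if is_corporate(signin.source_ip) else "block"

def uncovered_external_access(signins):
    """Defender's review: users who reached VSTS from outside the corporate
    network despite the policy, i.e. the PAT / alt creds gap from the conclusion."""
    return [s.user for s in signins
            if evaluate(s) == "bypass" and not is_corporate(s.source_ip)]

# Constructed sample sign-ins (hypothetical users and addresses).
SAMPLE_SIGNINS = [
    SignIn("alice", "203.0.113.17", "interactive"),  # in office -> allow
    SignIn("bob", "198.51.100.200", "interactive"),  # outside the /25 -> block
    SignIn("carol", "192.0.2.44", "pat"),            # PAT from home -> bypass
    SignIn("dave", "203.0.113.250", "alt_creds"),    # alt creds in office -> bypass
]

if __name__ == "__main__":
    for s in SAMPLE_SIGNINS:
        print(f"{s.user:6} {s.source_ip:16} {s.credential:12} -> {evaluate(s)}")
    print("uncovered external access:", uncovered_external_access(SAMPLE_SIGNINS))
```

Running the review over an exported sign-in list is a quick way to see how much traffic the policy never sees until PATs can be restricted.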


A hug,
Igor

Author: Igor Abade

Igor Abade V. Leite ([email protected]) has been a Visual Studio ALM MVP (Microsoft Most Valuable Professional) since 2006. A speaker at various software development community events (TechEd Brasil, The Developers' Conference, DevOps Summit Brasil, Agile Brazil, Visual Studio Summit, QCON, among others), he has also written articles for magazines and websites such as MSDN Brazil. Since March 2011 he has been one of the owners of Lambda3, a Brazilian consulting company specialized in ALM, software development and training. Visit his blog about VS ALM at http://www.tshooter.com.br/ and follow him on Twitter @igorabade.

2 thoughts on “Prevent users from accessing the VSTS out of the workplace”

  1. So how can we protect against Personal Access Tokens? We can disable alternate credentials. But I don’t see an option to disable use of PATs. Without this block on PATs, all the data is potentially accessible by someone outside our organization’s network.

    1. David, you’re right. As of now, there’s no way to disable PATs. However that’s something the Product Team is actively working on. I assume we’ll have some good news in a not too distant future.

      Stay tuned! 🙂
