Ever since companies started evaluating VSO/VSTS as an alternative to TFS (you did know that VSTS is much cooler than TFS, right?), one question has come up with some regularity:
But if I put my company's source code in the cloud, my developers can access the code outside the workplace. I don't want my devs to have access to the code when they are outside my network!
So, how do you do it?
As is customary in my posts, I won't get into the merits of the question ("but why do you want to block your devs' access?"). What matters is that this scenario is common and worth discussing.
What we want is to restrict developers' access so that they can connect to VSTS only when they are on the corporate network. Outside it, access must be blocked.
Normally, the first solution that comes to mind for most infrastructure/network people faced with this problem is "let's restrict by IP: allow only the company's public IP to connect to VSTS and block everything else." There is just one small problem: it doesn't work.
The problem is that VSTS does not offer any kind of IP-based filter, so you can't do what you do in SQL Azure, where you add and remove the IP addresses that are allowed to reach the service.
The "trick" is to take advantage of the integration between VSTS and Azure Active Directory, because that is what gives us the feature we need to limit access to our account: Azure AD Conditional Access.
Azure Active Directory Conditional Access
Azure AD Conditional Access is an Azure AD Premium feature that lets you limit the conditions under which users of an AAD directory can authenticate. Besides being used, for example, to require MFA (multi-factor authentication) at login, Conditional Access can be used to block logins that come from outside the corporate network.
To enable Conditional Access, we start from the following assumptions (which therefore will not be covered in this post):
- The Visual Studio Team Services account is already linked to an AAD directory; and
- The VSTS users have Azure AD Premium licenses associated with their accounts.
To prevent your users from accessing VSTS when they are out of the office, go to the classic Azure Portal, open the Active Directory section (1), select your directory (2) (Lambda3, in our example) and then go to the Applications tab (3). Finally, click Visual Studio Online (4):
Now let's configure the VSTS application.
First, click the Configure tab (1) and enable access rules (2). At this point you must decide whether to apply these rules to all users in the directory or only to selected groups (3). Then comes the most important part: block access when users are outside the corporate network (4).
How does it know I'm out of the office?
On the settings page of the Azure AD Multi-Factor Authentication service there is an area where you can enter the IP address ranges that represent your corporate networks (the service's "trusted IPs"). These are the addresses Conditional Access uses to decide whether a user is inside or outside the office. If someone tries to log in from an IP address that is not in one of these ranges, access is blocked. In practice this means the rule is only as good as the list: the ranges must be the public egress addresses (NAT pool, proxy, VPN gateway) your users actually leave the network through, and they must be kept up to date when those change.
Although VSTS has no native support for filtering access by IP, Azure AD Conditional Access can be used to achieve a similar result. One important caveat: access with PATs (personal access tokens) and alternate credentials is not covered by Conditional Access, i.e. they can still be used normally from outside the corporate network. The rule therefore restricts only interactive AAD sign-ins; a PAT created from inside the office keeps working from anywhere until it expires or is revoked, so this is not a complete substitute for an IP allow-list.
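To make the rule and its blind spot concrete, here is an added example (it is not code from the original post, nor Microsoft's actual policy engine) that models the decision in Python: the trusted ranges as CIDR blocks, the "all users or selected groups" scope, the "block when not at work" check, and the PAT/alternate-credentials path that Conditional Access never evaluates. The IP ranges, user names and group names are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: the egress ranges an admin would enter as MFA "trusted IPs".
TRUSTED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),    # head office NAT pool (sample)
    ipaddress.ip_network("198.51.100.16/28"),  # branch office (sample)
]


@dataclass
class Policy:
    """Hypothetical model of the per-application access rule."""
    trusted_ranges: list = field(default_factory=lambda: list(TRUSTED_RANGES))
    scope: Optional[set] = None   # None = all users; otherwise a set of group names


@dataclass
class LoginAttempt:
    user: str
    groups: set
    source_ip: str
    auth: str   # "interactive" = browser/AAD sign-in; "pat" or "altcreds" = token/basic auth


def inside_corporate_network(ip: str, ranges) -> bool:
    """True if ip falls inside any trusted range (a v4/v6 mismatch never matches)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def evaluate(attempt: LoginAttempt, policy: Policy) -> str:
    # 1. PATs and alternate credentials authenticate directly against VSTS and
    #    never pass through the AAD sign-in, so the rule is not consulted at all.
    if attempt.auth in ("pat", "altcreds"):
        return "allow (not evaluated by Conditional Access)"
    # 2. The rule applies to all users, or only to the selected groups.
    if policy.scope is not None and not (attempt.groups & policy.scope):
        return "allow (user out of policy scope)"
    # 3. "Block access when not at work": compare the source IP with the trusted ranges.
    if inside_corporate_network(attempt.source_ip, policy.trusted_ranges):
        return "allow"
    return "block"


def bypassing_attempts(attempts, policy: Policy):
    """Audit helper: attempts from outside the trusted ranges that were still allowed."""
    return [
        a for a in attempts
        if not inside_corporate_network(a.source_ip, policy.trusted_ranges)
        and evaluate(a, policy).startswith("allow")
    ]


if __name__ == "__main__":
    policy = Policy(scope={"developers"})
    attempts = [  # constructed sample sign-ins
        LoginAttempt("ana", {"developers"}, "203.0.113.77", "interactive"),
        LoginAttempt("ana", {"developers"}, "192.0.2.10", "interactive"),
        LoginAttempt("ana", {"developers"}, "192.0.2.10", "pat"),
        LoginAttempt("bruno", {"finance"}, "192.0.2.10", "interactive"),
    ]
    for a in attempts:
        print(f"{a.user:6} {a.auth:12} {a.source_ip:14} -> {evaluate(a, policy)}")
    print("bypasses:", [(a.user, a.auth) for a in bypassing_attempts(attempts, policy)])
```

Running it shows the two ways a login from outside the trusted ranges still gets through: a user who is not in the policy's scope, and a PAT that the rule never sees. Both are worth checking in your own directory before relying on the rule as a network boundary.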