Azure DevOps will no longer depend on the Azure Resource Manager (ARM) resource (https://management.azure.com) when you sign in or refresh Microsoft Entra access tokens. Previously, Azure DevOps required the ARM audience during sign-in and token refresh flows. This requirement meant administrators had to allow all Azure DevOps users to bypass ARM-based Conditional Access policies (CAPs) to maintain access to ADO.

Tokens for Azure DevOps no longer require the ARM audience. As a result, you can manage Azure DevOps access more effectively by creating Azure DevOps-specific CAPs instead of relying on the ARM CAP to block ADO usage. These changes will go into effect on July 28, 2025.

Does this impact me?

If you have previously set up a Conditional Access Policy (CAP) for the Windows Azure Service Management API application, or any of its associated applications:

- Azure Resource Manager (ARM)
- Azure portal, which also covers the Microsoft Entra admin center
- Azure Data Lake
- Application Insights API
- Log Analytics API

This Conditional Access Policy no longer covers Azure DevOps sign-ins. You will need to set up a new ADO-exclusive CAP in order to get continued CAP coverage of Azure DevOps.

How do I set up a CAP for Azure DevOps?

As a tenant admin, you can use Conditional Access policies (CAPs) to block or grant user access to Azure resources if they meet certain conditions (e.g. have an accepted IP address, belong to specific Entra groups, access from a given device, etc.) or complete actions like multifactor authentication.

To create a conditional access policy that targets the Azure DevOps resource specifically:

1. Go to the Azure Portal and find the "Microsoft Entra Conditional Access" service.
2. Select "Policies" on the right sidebar.
3. Select the "+ New policy" button.
4. Provide the policy a name and configure other settings as desired.
5. For the "Target resources" assignments, toggle "Select resources" and add the "Microsoft Visual Studio Team Services" resource (resource id: 499b84ac-1321-427f-aa17-267ca6975798) to the list of target resources.
6. Select Save to apply this new CAP.

Learn more about the different flavors of conditional access policies you can set by reading the Microsoft Entra Conditional Access documentation.

Notable exceptions

Continued access to ARM is still required for the following Azure DevOps users:

- Billing administrators need access to ARM to set up billing and access subscriptions.
- Service Connection creators require access to ARM for ARM role assignments and updates to managed service identities (MSIs).

For users who regularly conduct these actions, it may be worth adding them as exclusions to any ARM / Windows Azure Service Management API CAPs.
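
To check whether a tenant is affected, the following added example (not part of the original post or any Microsoft tooling) audits an exported list of Conditional Access policies for ones that target ARM but leave Azure DevOps uncovered. It assumes the policies are in the JSON shape returned by the Microsoft Graph conditional access policy API; the function names and sample policies are constructed, and the ARM application ID is the well-known Windows Azure Service Management API ID, which does not appear in the post.

```python
# Application IDs used as CAP target resources.
ARM_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"  # Windows Azure Service Management API (assumption: not from the post)
ADO_APP_ID = "499b84ac-1321-427f-aa17-267ca6975798"  # Azure DevOps resource id given in the post


def covers(policy, app_id):
    """Return True if an enforced policy's target resources include app_id."""
    # Report-only and disabled policies do not enforce anything.
    if policy.get("state") != "enabled":
        return False
    apps = (policy.get("conditions") or {}).get("applications") or {}
    include = {a.lower() for a in apps.get("includeApplications") or []}
    exclude = {a.lower() for a in apps.get("excludeApplications") or []}
    if app_id in exclude:
        return False
    # "All" targets every cloud app, which includes Azure DevOps and ARM.
    return app_id in include or "all" in include


def audit(policies):
    """List policies that cover ARM but not Azure DevOps, and those that cover ADO."""
    arm_not_ado = [p["displayName"] for p in policies
                   if covers(p, ARM_APP_ID) and not covers(p, ADO_APP_ID)]
    ado = [p["displayName"] for p in policies if covers(p, ADO_APP_ID)]
    # Gap: the tenant relied on an ARM-scoped CAP and nothing enforced covers ADO.
    return {"covers_arm_not_ado": arm_not_ado,
            "covers_ado": ado,
            "gap": bool(arm_not_ado) and not ado}


# Constructed sample input: one enforced ARM policy, one report-only ADO policy.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for Azure management", "state": "enabled",
     "conditions": {"applications": {"includeApplications": [ARM_APP_ID],
                                     "excludeApplications": []}}},
    {"displayName": "ADO compliant device (pilot)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeApplications": [ADO_APP_ID],
                                     "excludeApplications": []}}},
]

if __name__ == "__main__":
    result = audit(SAMPLE_POLICIES)
    print("Cover ARM but not Azure DevOps:", result["covers_arm_not_ado"])
    print("Enforced policies covering Azure DevOps:", result["covers_ado"])
    print("Coverage gap:", result["gap"])
```

A policy listed under `covers_arm_not_ado` is a candidate for duplication into an Azure DevOps-specific CAP with the same conditions and grant controls.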