Azure DevOps Services Losing Support for Alternate Credentials

Microsoft gave notice last week that it's going to drop Alternate Credentials support for authenticating users of its Azure DevOps Services.

The change in support will start to get enacted as early as this month for new users, and Alternate Credentials won't work for current users by March. Only Azure DevOps Services users will be affected by this change since the use of Alternate Credentials already isn't supported on Azure DevOps Server.

Microsoft offers Alternate Credentials as part of the user authentication process to support organizations that connect with Azure DevOps Services using "legacy tools," but it's viewed as not the most secure approach. The main problem with it is that Alternate Credentials "never expire and can't be scoped to limit access to the Azure DevOps data," explained Corina Arama, a senior program manager for Azure DevOps, in the announcement.

Consequently, Alternate Credentials users will lose support in March, and prospective users won't have access to it starting on Dec. 9. Here's Microsoft's end-of-support timeline for Alternate Credentials:

  • Beginning December 9, 2019 we will disable and hide Alternate Credentials settings for organizations that don't have Alternate Credentials set. This change will be in effect for all these organizations by December 20, 2019.
  • In the coming months we will work with our customers that are still using the feature, to help them switch to another, more secure authentication method.
  • March 2, 2020 -- Start gradually disabling Alternate Credentials for all Azure DevOps organizations.

It might not be apparent that Alternate Credentials are being used. Consequently, Microsoft plans to send notices to both end users and administrators in mid-December if Alternate Credentials are being used.

Microsoft recommends using Personal Access Tokens (PATs) instead of Alternate Credentials. It's possible to limit the user's scope with PATs, according to this document. PATs is a requirement when using some non-Microsoft tools to access Azure DevOps Services, the document explained:

For non-Microsoft tools that integrate into Azure DevOps but don't support Microsoft account or Azure AD authentication, you must use PATs. Examples include Git, NuGet, or Xcode. To set up PATs for non-Microsoft tools, use Git credential managers or create them manually.

IT pros can check the Azure DevOps Portal under "User Settings" to see if Alternate Credentials was configured. It's possible to turn off the Alternate Credentials policy to see its effects, but "turning the policy off is reversible until December 8, 2019," Microsoft warned.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.


comments powered by Disqus

Subscribe on YouTube