News

Microsoft Dropping Support for Alternate Credentials in Azure DevOps Services

Microsoft last week announced that it's going to drop Alternate Credentials support for authenticating users of its Azure DevOps Services.

That support change will start as early as this month for new users and for current users of Alternate Credentials by March. The change affects only Azure DevOps Services users because Alternate Credentials isn't currently supported on Azure DevOps Server.

Microsoft offers Alternate Credentials as part of the user authentication process to support organizations that connect with Azure DevOps Services using "legacy tools," but it's viewed as not the most secure approach. The main problem with it is that Alternate Credentials "never expire and can't be scoped to limit access to the Azure DevOps data," explained Corina Arama, a senior program manager for Azure DevOps, in the announcement.

Consequently, Alternate Credentials users will lose support in March, and prospective users won't have access to it starting on Dec. 9. Here's Microsoft's end-of-support timeline for Alternate Credentials:

  • Beginning December 9, 2019 we will disable and hide Alternate Credentials settings for organizations that don't have Alternate Credentials set. This change will be in effect for all these organizations by December 20, 2019.
  • In the coming months we will work with our customers that are still using the feature, to help them switch to another, more secure authentication method.
  • March 2, 2020 -- Start gradually disabling Alternate Credentials for all Azure DevOps organizations.

It might not be apparent that Alternate Credentials are being used. Consequently, Microsoft plans to send notices to both end users and administrators in mid-December if Alternate Credentials are being used.

The company recommends using Personal Access Tokens (PATs) instead of Alternate Credentials. It's possible to limit the user's scope with PATs, according to this document. PATs is a requirement when using some non-Microsoft tools to access Azure DevOps Services, the document explained:

For non-Microsoft tools that integrate into Azure DevOps but don't support Microsoft account or Azure AD authentication, you must use PATs. Examples include Git, NuGet, or Xcode. To set up PATs for non-Microsoft tools, use Git credential managers or create them manually.

IT pros can check the Azure DevOps Portal under "User Settings" to see if Alternate Credentials was configured. It's possible to turn off the Alternate Credentials policy to see its effects, but "turning the policy off is reversible until December 8, 2019," Microsoft warned.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

comments powered by Disqus

Featured

  • Compare New GitHub Copilot Free Plan for Visual Studio/VS Code to Paid Plans

    The free plan restricts the number of completions, chat requests and access to AI models, being suitable for occasional users and small projects.

  • Diving Deep into .NET MAUI

    Ever since someone figured out that fiddling bits results in source code, developers have sought one codebase for all types of apps on all platforms, with Microsoft's latest attempt to further that effort being .NET MAUI.

  • Copilot AI Boosts Abound in New VS Code v1.96

    Microsoft improved on its new "Copilot Edit" functionality in the latest release of Visual Studio Code, v1.96, its open-source based code editor that has become the most popular in the world according to many surveys.

  • AdaBoost Regression Using C#

    Dr. James McCaffrey from Microsoft Research presents a complete end-to-end demonstration of the AdaBoost.R2 algorithm for regression problems (where the goal is to predict a single numeric value). The implementation follows the original source research paper closely, so you can use it as a guide for customization for specific scenarios.

  • Versioning and Documenting ASP.NET Core Services

    Building an API with ASP.NET Core is only half the job. If your API is going to live more than one release cycle, you're going to need to version it. If you have other people building clients for it, you're going to need to document it.

Subscribe on YouTube