Recently I came across a nice feature in Azure DevOps that can show you all Azure DevOps organizations connected to your Azure Active Directory. If you go to your Azure DevOps Organization and navigate to “Azure Active Directory” there is a button to find all organizations connected to your AAD.
This typically involves a couple of organizations you are a member of but I was shocked to find out that some companies actually have a lot more then they are aware of. This is in the hundreds! I am not completely sure what the path is for people to get to create one but my best guess is that they logon the first time without the proper Azure DevOps URL, which then sends them to their profile page. From there the most prominent way forward is to create a new organization.
If you continue down this path you will see that you can create a organization and Azure DevOps suggests a name, containing 4 digits. This completely matches most hits I see when we check the list of organizations created.
My guess is that most users completely ignore this newly created organization while because after login they also see the “correct” organization(s) in their menu.
I think most organizations and Azure DevOps administrators want to restrict their users in creating new organizations that are connected to the AAD. Or don’t want their users creating (even public) in “shadow-it” Azure DevOps organizations.
Luckily Microsoft has published new documentation that helps restricting organization creation by enforcing a policy!
Read all about this here: https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/azure-ad-tenant-policy-restrict-org-creation?view=azure-devops#prerequisites
One Reply to “Prevent “shadow-it” Azure DevOps organizations”