Prevent “shadow-it” Azure DevOps organizations

Recently I came across a nice feature in Azure DevOps that can show you all Azure DevOps organizations connected to your Azure Active Directory. If you go to your Azure DevOps Organization and navigate to “Azure Active Directory” there is a button to find all organizations connected to your AAD.

Download a list of organizations from the Azure Active Directory page

This typically involves a couple of organizations you are a member of, but I was shocked to find out that some companies actually have a lot more than they are aware of. This is in the hundreds! I am not completely sure what path people take to end up creating one, but my best guess is that they log on the first time without the proper Azure DevOps URL, which then sends them to their profile page. From there the most prominent way forward is to create a new organization.

If you continue down this path you will see that you can create an organization and Azure DevOps suggests a name containing 4 digits. This completely matches most hits I see when we check the list of organizations created.

Creating a new Azure DevOps organization is really easy!

My guess is that most users completely ignore this newly created organization, because after login they also see the “correct” organization(s) in their menu.
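The 4-digit suggested name described above makes the downloaded list easy to triage. The following is an added example, not part of the original post or of any Microsoft tooling: it splits unapproved organizations into likely accidental ones (grouped by owner) and ones that need a manual look. The column names, the sample rows and the approved list are assumptions; adjust them to the header of your own export.

```python
import csv
import io
import re
from collections import defaultdict

# Heuristic taken from the post: auto-suggested names contain a run of
# exactly four digits. It is a triage signal, not proof of anything.
SUGGESTED_NAME = re.compile(r"(?<!\d)\d{4}(?!\d)")

# Constructed sample export. Column names are assumptions.
SAMPLE_EXPORT = """\
Organization Name,Url,Owner
contoso,https://dev.azure.com/contoso,admin@contoso.example
jdoe0412,https://dev.azure.com/jdoe0412,jdoe@contoso.example
jdoe0977,https://dev.azure.com/jdoe0977,JDoe@contoso.example
asmith1388,https://dev.azure.com/asmith1388,asmith@contoso.example
platform-team,https://dev.azure.com/platform-team,admin@contoso.example
skunkworks,https://dev.azure.com/skunkworks,bob@contoso.example
build12345,https://dev.azure.com/build12345,ci@contoso.example
"""


def triage(csv_text, approved, name_col="Organization Name", owner_col="Owner"):
    """Return (accidental_by_owner, needs_review) for unapproved organizations."""
    approved_lc = {name.lower() for name in approved}
    accidental = defaultdict(list)   # owner -> names that look auto-suggested
    needs_review = []                # unapproved, but deliberately named
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get(name_col) or "").strip()
        if not name or name.lower() in approved_lc:
            continue
        if SUGGESTED_NAME.search(name):
            # Normalize the owner so one person is not counted twice.
            owner = (row.get(owner_col) or "unknown").strip().lower()
            accidental[owner].append(name)
        else:
            needs_review.append(name)
    return dict(accidental), needs_review


if __name__ == "__main__":
    accidental, needs_review = triage(SAMPLE_EXPORT, {"contoso", "platform-team"})
    for owner, names in sorted(accidental.items()):
        print(f"{owner}: {', '.join(names)}")
    print("needs manual review:", ", ".join(needs_review))
```
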

I think most organizations and Azure DevOps administrators want to restrict their users from creating new organizations that are connected to the AAD, or don’t want their users creating (even public) projects in “shadow-it” Azure DevOps organizations.

Luckily Microsoft has published new documentation that helps restrict organization creation by enforcing a policy!

Read all about this here: https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/azure-ad-tenant-policy-restrict-org-creation?view=azure-devops#prerequisites
