Azure DevOps - Organization Policy - Enable IP Conditional Access Policy Validation
Azure Dev Ops Enable IP Conditional Access Policy Validation
Query
AzureDevOpsAuditing
| where OperationName == "OrganizationPolicy.PolicyValueUpdated"
| extend PolicyName = tostring(Data.PolicyName)
| extend PolicyValue = tostring(Data.PolicyValue)
| where PolicyValue == "OFF"
| where PolicyName == "Policy.EnforceAADConditionalAccess"
| project TimeGenerated, ActorUPN, IpAddress, PolicyName, PolicyValue, ScopeDisplayNameAbout this query
Explanation
This KQL query is designed to identify instances where the "IP Conditional Access Policy Validation" has been disabled in Azure DevOps. Here's a simple breakdown of what the query does:
-
Data Source: The query pulls data from the
AzureDevOpsAuditingtable, which contains audit logs for Azure DevOps activities. -
Filter by Operation: It looks for operations where the policy value has been updated, specifically those with the operation name
OrganizationPolicy.PolicyValueUpdated. -
Extract Policy Details: The query extracts the policy name and value from the data, converting them to string format for easier handling.
-
Check for Disabled Policy: It filters the results to find cases where the policy value is set to "OFF", indicating that the policy has been disabled.
-
Specific Policy: It further narrows down the results to only include changes to the "Policy.EnforceAADConditionalAccess", which is the policy related to enforcing IP Conditional Access.
-
Project Relevant Information: Finally, it selects and displays specific columns of interest: the time the change was generated (
TimeGenerated), the user who made the change (ActorUPN), the IP address from which the change was made (IpAddress), the policy name and value, and the scope of the change (ScopeDisplayName).
This query helps administrators monitor and ensure that critical security policies, like IP Conditional Access, are not inadvertently or maliciously disabled in their Azure DevOps environment.
Details

Alex Verboon
Released: April 16, 2026
Tables
Keywords
Operators