Query Details

Azure DevOps - Organization Policy - SSH Authentication

Azure Dev Ops SSH Authentication

Query

AzureDevOpsAuditing
| where OperationName == "OrganizationPolicy.PolicyValueUpdated"
| extend PolicyName = tostring(Data.PolicyName)
| extend PolicyValue = tostring(Data.PolicyValue)
| where PolicyName == "Policy.DisallowSecureShell"
| where PolicyValue == "ON"
| project TimeGenerated, ActorUPN, IpAddress, PolicyName, PolicyValue, ScopeDisplayName

About this query

Azure DevOps - Organization Policy - SSH Authentication

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1133Initial Access: Brute Force: External Remote Serviceshttps://attack.mitre.org/techniques/T1133/

Description

The Azure DevOps SSH Authentication setting allows you to enable applications to connect to your organization's Git repos through SSH.

Use the below query to identify when SSH Authentication is enabled in Azure DevOps

References

Microsoft Sentinel

Explanation

This KQL query is designed to monitor Azure DevOps for changes in the SSH Authentication policy. Specifically, it identifies when the policy that disallows SSH (Secure Shell) connections is turned on. Here's a simple breakdown of what the query does:

  1. Data Source: It uses the AzureDevOpsAuditing table, which logs various operations and changes within Azure DevOps.

  2. Filter Operations: The query looks for entries where the operation name is "OrganizationPolicy.PolicyValueUpdated". This indicates that a policy value has been updated.

  3. Extract Policy Details: It extracts the policy name and value from the data, specifically focusing on the policy named "Policy.DisallowSecureShell".

  4. Check Policy Status: It filters for instances where the policy value is "ON", meaning the policy to disallow SSH connections has been enabled.

  5. Output Information: The query outputs the time of the change, the user who made the change (ActorUPN), their IP address, the policy name, the policy value, and the scope of the policy change.

In essence, this query helps administrators track when SSH access is being restricted in Azure DevOps, which is crucial for maintaining security and compliance within the organization.

Details

Alex Verboon profile picture

Alex Verboon

Released: April 16, 2026

Tables

AzureDevOpsAuditing

Keywords

AzureDevOpsOrganizationPolicySSHAuthenticationGitReposApplicationsConnectionSecurityPoliciesMicrosoftSentinel

Operators

AzureDevOpsAuditingwhereextendtostringproject

MITRE Techniques

Actions

GitHub