security - How can we protect data in VSTS from access via the API? -

context: have vsts account https://blahblahblah.visualtudio.com have configured block outside access using azure premium conditional access , specifying public ips of our work network. interactive access blocked clients outside internal network.

but not block personal access tokens (pats). nor see setting disable or block use of pats. pats can allow access of data in our vsts account via rest api. without mechanism azure ad premium conditional access (whitelist), in world access or modify our data merely stealing pat. seems huge security hole me. missing control vulnerability?

ideally, have whitelist in vsts instead of having rely on azure ad premium. vsts service block both interactive , api calls did not originate in our designated safe locations. not exist far know.

so, how can protect our data users out in world might access our account data via api path , stolen pat?

you can disable basic authentication , alternate credentials, disable few features on vsts (like ssh git , git access tools don't support oauth workflow).

personal access token cannot disabled way unfortunately. though have people limit scope tokens , have them create limited time tokens.

it's in future integration aad tighter , able check aad conditional access.

another important note: once user has logged on using aad, can take laptop/device them location. long aad authentication still valid, not blocked access other location. conditional access checked upon login , renewal of token in case of vsts far know.

right due diligence on side of users can prevent unauthorized access account. have them treat pat same way treat other important secret information. use short duration pat's, limit scope needed , store them securely, in password vault lastpass or keepass.

ps: in cloud world machines regularly new ip addresses assigned , ipv6 make harder single out groups of machines, pure ip restrictions not way keep data safe. ip 1 of things relatively spoofed or hidden.