Securing Your Visual Studio Online Account with Multi-Factor Authentication

For several months now, we have been on the path of going through the many audits & initiatives to get the various set of compliance certifications for Visual Studio Online.  The underlying infrastructure in Azure has been certified which really helps us tremendously but as a service on top of the infrastructure, Visual Studio Online still needs to go through the proper audits and the process.  One of the things we wanted to do was make sure we were transparent with our data protection procedures, and Jeff Beehler wrote a great whitepaper that dives into the details if you are interested:

Additionally, Brian Harry announced yesterday that Visual Studio Online is past a significant milestone with receiving the ISO 27001 certification and adding the European Model Clauses to our service terms.  This is really great and are public proof points of our internal data procedures.  We will continue down that journey.

Yesterday, I was leading a briefing with one of our large enterprise customers in our Microsoft Executive Briefing Center here in Redmond and we talked a lot about data security.  One of the things that was brought up was support for multi-factor authentication.  I was really happy to mention to them that we do have support with Visual Studio Online for multi-factor authentication when using Azure Active Directory and two-factor authentication when you are using Microsoft Accounts.

In a nutshell, multi-factor authentication is “a security system that requires more than one form of authentication to verify the legitimacy of a transaction.”  In the case of using Visual Studio Online, we want to have better mechanisms for verifying  person who is logging in to participate in your source code, work item tracking, test cases, etc.  With multi-factor authentication strategies, your team members not only need

Identity Strategies with Visual Studio Online

Let’s take a step back, and look at the two options you can use for authentication & identity for user accounts in Visual Studio Online:

  1. Microsoft Accounts (formerly known as Windows Live IDs, Passport accounts, etc.) – These accounts are the ones that you typically use with many consumer-based services at Microsoft like Skype, OneDrive,, XBox Live, logging into Windows, and even logging into Visual Studio to roam your personal settings.  You can manage your Microsoft account or create a new one at
  2. Azure Active Directory – This is an Active Directory tenant that sits within Microsoft Azure that can either be completely cloud-based identities or for many organizations, they will setup directory synchronization with their on-premises Active Directory to use the same accounts & passwords.  There are also some key things to note about this approach:
    • If you are using Office 365, you already have an Azure Active Directory tenant.  Here are the steps for how you can add you Office 365 AAD tenant to you Azure subscription to manage.
    • You can add Microsoft Accounts (from #1 above) to your Azure Active Directory tenant in addition to your regular Active Directory user accounts.  It allows for a nice blended model.  This is nice because you don’t have to necessarily create a new Active Directory account for them.
    • The Azure Active Directory administrator gets to ensure “who” shows up in that directory including external collaborators.  You can remove them when they are no longer needed or shut off their access at the directory endpoint.
    • The Azure Active Directory administrator can still set security policies on all of the accounts in the directory.

Diagram of Visual Studio Online with Azure Active Directory Accounts

If you would like more information about how to setup your Visual Studio Online account to use the Azure Active Directory method from #2 above, we have a walkthrough available here:  Manage Organization Access for Visual Studio Online.

Configuring Two-Factor Authentication with Microsoft Accounts

Setting up two-factor authentication for your Microsoft Account is helpful to secure access to all of your Microsoft services like Skype,, OneDrive, XBox Live, and Visual Studio Online.  Here’s an overview of the steps  :

  1. Sign in to your Microsoft account.
  2. Because you're changing sensitive info, you might be prompted to enter a security code. Check your phone or alternate email for the code, enter it, and tap or click Submit.
  3. Under Password and security info, tap or click Edit security info.
  4. Under Two-step verification, tap or click Set up two-step verification.
  5. Tap or click Next, and then follow the instructions.

    If you need to add or verify any security info before you can turn on two-step verification, Microsoft will prompt you with a few simple steps to do so.

The key to remember with this approach is that each of your team members will need to enable this for their accounts or you can take the approach to only enable it on your administrator accounts.

Authy for Two-Factor Authentication with Visual Studio Online and Microsoft AccountsAuthy and Google Authenticator

You can have the Microsoft Account system text you as the second authentication factor or you can use an app on your phone & computer to generate the temporary secure codes for you using QR Codes.  One popular app is Google Authenticator.  You can find many that follow the same standard that Google Authenticator including my personal favorite:  Authy.

Authy has a clean interface and just works well with syncing with the phone app & my trusted computers.  It works everywhere that Google Authenticator works.

Configuring Multi-Factor Authentication with Azure Active Directory User Accounts

There are several options included with Azure Active Directory.  The overview on setting up multi-factor authentication for Azure Active Directory is a great place to start exploring the many options.  You can then move on to the actual steps to enable multi-factor authentication.

One of the really nice things with this approach is that the administrator for the directory is able to specify which accounts require multi-factor authentication

By offering the following options, Azure Multi-Factor Authentication provides flexibility for users and backup options if users cannot pass authentication by using their preferred method:

  • Multi-Factor Authentication apps are available for Windows Phone, Android, and IOS devices. Users can download the free app from the device store and activate it by using a code that they get during setup. When the user signs in, a notification is pushed to the app on their mobile device. The user taps to approve or deny the authentication request. Cellular or Wi-Fi access is required for installing and setting up the app. After the app is installed, it can operate in the following modes to provide the additional security that a multi-factor authentication service can provide:
    • Notification. In this mode, the Multi-Factor Authentication app prevents unauthorized access to accounts and stops fraudulent transactions. It accomplishes this by using a push notification to the phone or registered device. The user simply views the notification, and if it is legitimate, selects Authenticate. Otherwise, the user can choose to deny, or choose to deny and report, the fraudulent notification. For information about reporting fraudulent notifications, see How to configure and use Fraud Alert for Azure Multi-Factor Authentication.
    • One-Time Passcode. In this mode, the Multi-Factor Authentication app can be used as software token to generate an Open Authentication (OATH) passcode. The user can then enter this passcode along with the user name and password to provide the second form of authentication. This option is useful in instances of spotty phone coverage.
  • Automated phone calls can be placed by the Multi-Factor Authentication service to any phone, whether landline or mobile. The user simply answers the call and presses the pound key (#) on the phone to complete the sign-in.
  • Text messages can be sent by the Multi-Factor Authentication service to any mobile phone. Each text message contains a one-time passcode. The user is prompted to either reply to the text message by using the passcode or enter the passcode on the sign-in screen.


Let us know if you have any other questions!

Ed Blankenship

New Work Item Tag Manager Visual Studio Extension

Happy Holidays!  Before you go off on a break, I found out there is a new Visual Studio extension available: Tag Admin for Visual Studio 2015.  It’s a pretty nice tool for helping you manage work item tags for either your Team Foundation Server or your Visual Studio Online account.  It’s really helpful for beginning to see which tags are in use and also allows you to rename/merge & delete tags.  You can also take a look at how many and a list of work items that are using a specific tag.  Simple & to the point!

VSO Tag Admin for Visual Studio 2015  VSO Tag Admin for Visual Studio 2015

Here is a demo video of Tag Admin in action:

Tip of the hat to @onlyutkarsh and @arora_tarun for releasing this great tool!


Happy Holidays!

Ed Blankenship

My First MSDN Magazine Article on Visual Studio Online

I was very happy to see that my first article for the MSDN Magazine has appeared in this month’s edition!  If you have been hoping to get some more information, take a look at your magazine in the mail this month or it’s available in the digital edition as well below).  Let me know if you have any other questions in the meantime!

Introducing Visual Studio Online
by Ed Blankenship

Whether you’re part of a team or you’re a team of one, with Visual Studio Online you can easily plan, create, construct, build, test, and monitor seriously demanding applications, from anywhere. You don’t need a large infrastructure team, and you don’t need to touch a single server. As someone who has performed hundreds of Team Foundation Server (TFS) installations and upgrades as a consultant, I love how the drudgery of that kind of routine maintenance is now a thing of the past. Visual Studio Online is updated with the newest features automatically and continuously, so you can focus on what you need to do most: construct your applications!

I’m often asked, “Isn’t Visual Studio Online just TFS in the cloud?” The answer is yes and no…

Work Item Charts

Thanks a ton again to Andrew Clear and Cheryl Hammond for all of their help with the article!


Ed Blankenship

Announcing Visual Studio Online

We have been up early this morning and late last night with getting ready for updates to the new website, Windows Azure, and the now formerly known as Team Foundation Service.  Hopefully you are watching the Visual Studio 2013 Launch Event where you have just learned that we have announced a new set of services for developers and development teams:  Visual Studio Online.  It has really been great to be working so closely with Visual Studio Online at Microsoft! 

Visual Studio Online Logo

There are quite a few announcements this morning that I’ll continue to follow-up on over the next few weeks.  Visual Studio Online is really about where Visual Studio is going in a world of services for developers & development teams.  It’s really the connected piece to Visual Studio just like Office is to Office 365 & SkyDrive.  It’s also an easy way to get all of the ALM services you need quickly for you and your team without having to worry about infrastructure & upgrading.  Visual Studio Online is also a way for Microsoft to provide additional cloud-based services for development teams.  We have a few examples of those types of shared services today.

Some additional news we have announced are that individuals and teams of five or less can create free Visual Studio Online accounts.  MSDN Subscribers also now have Visual Studio Online included as an additional benefit.  There are an additional set of Visual Studio Online plans available for non-MSDN subscribers after the fifth user account.  Additionally, the Visual Studio Online Professional plan even includes the ability to “rent” the Visual Studio Professional IDE.  Early adopters of Team Foundation Service are also grandfathered with “Early Adopter” status for 90 days which means you can continue to use Visual Studio Online without any additional costs during the early adopter period.  During the “commercial preview” of Visual Studio Online, all plans & services are reduced by 50% of their normal rates.

Each Visual Studio Online account has a set of consumable shared services as well which include a free base amount like 60 minutes of cloud build usage and 15,000 virtual user minutes of the cloud load testing service.

Another aspect of Visual Studio Online is that it is now integrated with Windows Azure so you can have a more consolidated management experience and simplified billing experience.  You can create a new Visual Studio Online account or link to an existing one in the Windows Azure Management Portal.

Connecting Visual Studio Online Account to Windows Azure

Tip:  All Visual Studio Online user plans and shared services receive the same discounts that your Windows Azure account receives based on your commitment level.  It’s also included in the commitment level so you can reach those commitment levels more easily and receive the same discount across all Windows Azure resources including infrastructure, storage, and now developer services.  The lowest “walk-up” discount level is 20% based on paying monthly and a $500 per month commitment on all Windows Azure & Visual Studio Online resources.  It goes up from there and if you are an Enterprise, you can get some pretty awesome discounts when adding an Windows Azure Commitment to your Enterprise Agreement.

If you want to learn more, there is an Introduction to Visual Studio Online overview video available at the Visual Studio 2013 Virtual Launch site.  I will update the blog post and include the link when it becomes live.

There is plenty more to come!  Keep up to date on the latest features & services that are being added to Visual Studio Online here: 

Have fun and let me know if you have any questions!

Ed Blankenship