Securing Your Visual Studio Online Account with Multi-Factor Authentication

For several months now, we have been on the path of going through the many audits & initiatives to get the various set of compliance certifications for Visual Studio Online.  The underlying infrastructure in Azure has been certified which really helps us tremendously but as a service on top of the infrastructure, Visual Studio Online still needs to go through the proper audits and the process.  One of the things we wanted to do was make sure we were transparent with our data protection procedures, and Jeff Beehler wrote a great whitepaper that dives into the details if you are interested:

Additionally, Brian Harry announced yesterday that Visual Studio Online is past a significant milestone with receiving the ISO 27001 certification and adding the European Model Clauses to our service terms.  This is really great and are public proof points of our internal data procedures.  We will continue down that journey.

Yesterday, I was leading a briefing with one of our large enterprise customers in our Microsoft Executive Briefing Center here in Redmond and we talked a lot about data security.  One of the things that was brought up was support for multi-factor authentication.  I was really happy to mention to them that we do have support with Visual Studio Online for multi-factor authentication when using Azure Active Directory and two-factor authentication when you are using Microsoft Accounts.

In a nutshell, multi-factor authentication is “a security system that requires more than one form of authentication to verify the legitimacy of a transaction.”  In the case of using Visual Studio Online, we want to have better mechanisms for verifying  person who is logging in to participate in your source code, work item tracking, test cases, etc.  With multi-factor authentication strategies, your team members not only need

Identity Strategies with Visual Studio Online

Let’s take a step back, and look at the two options you can use for authentication & identity for user accounts in Visual Studio Online:

  1. Microsoft Accounts (formerly known as Windows Live IDs, Passport accounts, etc.) – These accounts are the ones that you typically use with many consumer-based services at Microsoft like Skype, OneDrive,, XBox Live, logging into Windows, and even logging into Visual Studio to roam your personal settings.  You can manage your Microsoft account or create a new one at
  2. Azure Active Directory – This is an Active Directory tenant that sits within Microsoft Azure that can either be completely cloud-based identities or for many organizations, they will setup directory synchronization with their on-premises Active Directory to use the same accounts & passwords.  There are also some key things to note about this approach:
    • If you are using Office 365, you already have an Azure Active Directory tenant.  Here are the steps for how you can add you Office 365 AAD tenant to you Azure subscription to manage.
    • You can add Microsoft Accounts (from #1 above) to your Azure Active Directory tenant in addition to your regular Active Directory user accounts.  It allows for a nice blended model.  This is nice because you don’t have to necessarily create a new Active Directory account for them.
    • The Azure Active Directory administrator gets to ensure “who” shows up in that directory including external collaborators.  You can remove them when they are no longer needed or shut off their access at the directory endpoint.
    • The Azure Active Directory administrator can still set security policies on all of the accounts in the directory.

Diagram of Visual Studio Online with Azure Active Directory Accounts

If you would like more information about how to setup your Visual Studio Online account to use the Azure Active Directory method from #2 above, we have a walkthrough available here:  Manage Organization Access for Visual Studio Online.

Configuring Two-Factor Authentication with Microsoft Accounts

Setting up two-factor authentication for your Microsoft Account is helpful to secure access to all of your Microsoft services like Skype,, OneDrive, XBox Live, and Visual Studio Online.  Here’s an overview of the steps  :

  1. Sign in to your Microsoft account.
  2. Because you're changing sensitive info, you might be prompted to enter a security code. Check your phone or alternate email for the code, enter it, and tap or click Submit.
  3. Under Password and security info, tap or click Edit security info.
  4. Under Two-step verification, tap or click Set up two-step verification.
  5. Tap or click Next, and then follow the instructions.

    If you need to add or verify any security info before you can turn on two-step verification, Microsoft will prompt you with a few simple steps to do so.

The key to remember with this approach is that each of your team members will need to enable this for their accounts or you can take the approach to only enable it on your administrator accounts.

Authy for Two-Factor Authentication with Visual Studio Online and Microsoft AccountsAuthy and Google Authenticator

You can have the Microsoft Account system text you as the second authentication factor or you can use an app on your phone & computer to generate the temporary secure codes for you using QR Codes.  One popular app is Google Authenticator.  You can find many that follow the same standard that Google Authenticator including my personal favorite:  Authy.

Authy has a clean interface and just works well with syncing with the phone app & my trusted computers.  It works everywhere that Google Authenticator works.

Configuring Multi-Factor Authentication with Azure Active Directory User Accounts

There are several options included with Azure Active Directory.  The overview on setting up multi-factor authentication for Azure Active Directory is a great place to start exploring the many options.  You can then move on to the actual steps to enable multi-factor authentication.

One of the really nice things with this approach is that the administrator for the directory is able to specify which accounts require multi-factor authentication

By offering the following options, Azure Multi-Factor Authentication provides flexibility for users and backup options if users cannot pass authentication by using their preferred method:

  • Multi-Factor Authentication apps are available for Windows Phone, Android, and IOS devices. Users can download the free app from the device store and activate it by using a code that they get during setup. When the user signs in, a notification is pushed to the app on their mobile device. The user taps to approve or deny the authentication request. Cellular or Wi-Fi access is required for installing and setting up the app. After the app is installed, it can operate in the following modes to provide the additional security that a multi-factor authentication service can provide:
    • Notification. In this mode, the Multi-Factor Authentication app prevents unauthorized access to accounts and stops fraudulent transactions. It accomplishes this by using a push notification to the phone or registered device. The user simply views the notification, and if it is legitimate, selects Authenticate. Otherwise, the user can choose to deny, or choose to deny and report, the fraudulent notification. For information about reporting fraudulent notifications, see How to configure and use Fraud Alert for Azure Multi-Factor Authentication.
    • One-Time Passcode. In this mode, the Multi-Factor Authentication app can be used as software token to generate an Open Authentication (OATH) passcode. The user can then enter this passcode along with the user name and password to provide the second form of authentication. This option is useful in instances of spotty phone coverage.
  • Automated phone calls can be placed by the Multi-Factor Authentication service to any phone, whether landline or mobile. The user simply answers the call and presses the pound key (#) on the phone to complete the sign-in.
  • Text messages can be sent by the Multi-Factor Authentication service to any mobile phone. Each text message contains a one-time passcode. The user is prompted to either reply to the text message by using the passcode or enter the passcode on the sign-in screen.


Let us know if you have any other questions!

Ed Blankenship

Friday, 16 January 2015 17:46:49 (Pacific Standard Time, UTC-08:00)
So how will this effect build servers running either on premises or in Azure IaaS?
Wednesday, 11 January 2017 21:05:40 (Pacific Standard Time, UTC-08:00)
Ed, I have a question related to securing VSO: What auditing and logging options exist for tracking user activities within VSO? Can I produce an audit log of a programmer's activities, or all activities (code check ins, pulls, viewing code, etc.)?
Tuesday, 28 February 2017 22:14:13 (Pacific Standard Time, UTC-08:00)
Really an awesome post. I wondered by reading this blog post. Thanks a lot for posting this unique post which you have shared with us. Keep on posting like this exclusive post with us.
Sunday, 26 March 2017 04:20:53 (Pacific Standard Time, UTC-08:00)
<a href="">jio4gvoice</a>
Sunday, 26 March 2017 04:22:22 (Pacific Standard Time, UTC-08:00)
(will show your gravatar icon)
Home page

Comment (Some html is allowed: a@href@title, b, blockquote@cite, em, i, strike, strong, sub, sup, u) where the @ means "attribute." For example, you can use <a href="" title=""> or <blockquote cite="Scott">.  

[Captcha]Enter the code shown (prevents robots):

Live Comment Preview