Query Details

Azure DevOps - Organization Policy - Allow Public Projects

Azure Dev Ops Allow Public Projects

Query

AzureDevOpsAuditing
| where OperationName == "OrganizationPolicy.PolicyValueUpdated"
| extend PolicyName = tostring(Data.PolicyName)
| extend PolicyValue = tostring(Data.PolicyValue)
| where PolicyValue == "ON"
| where PolicyName == "Policy.AllowAnonymousAccess"
| project TimeGenerated, ActorUPN, IpAddress, PolicyName, PolicyValue, ScopeDisplayName

About this query

Explanation

This KQL query is designed to monitor Azure DevOps for changes in organization policy settings, specifically focusing on when the "Allow Public Projects" option is enabled. Here's a simple breakdown of what the query does:

  1. Data Source: It looks at the AzureDevOpsAuditing table, which logs various operations and changes within Azure DevOps.

  2. Filter Operation: The query filters for operations where the policy value has been updated, specifically looking for the operation named "OrganizationPolicy.PolicyValueUpdated".

  3. Extract Policy Details: It extracts the policy name and value from the data, converting them to string format for easier handling.

  4. Check for Public Access: The query specifically checks if the policy value is set to "ON" for the policy named "Policy.AllowAnonymousAccess". This indicates that the option to allow public projects is enabled.

  5. Select Relevant Information: Finally, it projects (selects) relevant information such as the time the change was made (TimeGenerated), the user who made the change (ActorUPN), their IP address (IpAddress), the policy name, the policy value, and the scope or context in which the change was made (ScopeDisplayName).

In summary, this query helps identify when the setting to allow public access to projects in Azure DevOps is turned on, which could be a security concern if not intended.

Details

Alex Verboon profile picture

Alex Verboon

Released: April 16, 2026

Tables

AzureDevOpsAuditing

Keywords

AzureDevOpsOrganizationPolicyProjectsRepositoriesAccessUsers

Operators

AzureDevOpsAuditingwhereextendtostringproject

MITRE Techniques

Actions

GitHub