microsoft / dev-tunnels

Dev Tunnels SDK
MIT License
287 stars 20 forks

Allow IT policy control of authentication methods #321

Closed asund closed 3 months ago

asund commented 11 months ago

My IT department would like to see a way to block access to authentication methods other than our Microsoft AD domain before they let me use this functionality. Could I request a policy setting to turn off GitHub authentication?

curib commented 11 months ago

Hi @asund, thank you for opening up this issue to share your request! In your organization, are devs mainly Windows or Mac users?

asund commented 11 months ago

Windows. Some remote machines might be Macs, but the hosts in this scenario will always be Windows under AD management. Thanks for taking my request!

rjbrown99 commented 10 months ago

AD control / GPO is preferred as a first step. That covers the majority of use cases.

There is probably a way to think about this via DNS as well for non-Windows hosts. Could be an SRV record in the local domain (nodevtunnels.mydomain.com), disallowing name resolution for a specific external Microsoft host or hosts, etc. Won't be an airtight option but still better than having it on by default.

Beyond that, a set of Microsoft-suggested detective rules for something like Sentinel might be a useful way to alert the organization of the activity.

neelip commented 6 months ago

New Feature Release: Enabling Windows Group Policies for Enhanced Security

Hello @asund,

Thank you for sharing your IT department's needs regarding authentication methods. We're excited to let you know that we've introduced a new feature in our app that allows admins to use Windows group policies to enhance security. This feature is especially useful for managing login methods in Dev Tunnels within Visual Studio, Visual Studio Code's port forwarding, the devtunnel CLI, and the Visual Studio Code Remote - Tunnels extension.

To address your specific request, we've implemented the "Allowed only Microsoft Entra ID or MSA tenants" policy. This policy ensures that only users with the correct Microsoft Entra ID or MSA Tenant ID can use most commands, helping you block other authentication methods effectively.

We've also included an overview of other available policies to give you a better idea of what's possible. Please try out these new settings and share your feedback with us.

Prerequisites:

Overview:

| Name in Policy Editor | Enforcement/Expected Behavior |
| --- | --- |
| "Disable Dev Tunnel" | All commands, with few exceptions, should be denied access when this policy is enabled by an admin. Exceptions: unset, echo, ping, user |
| "Allowed only Microsoft Entra ID or MSA tenants." | All commands, with few exceptions, should be denied access when this policy is enabled and the user's Tenant ID is not in the list of allowed Tenant IDs. Exceptions: unset, echo, ping, user |
| "Disable anonymous Tenant access" | Creating anonymous tunnels is disabled. This affects connecting or hosting to an existing tunnel with Anonymous access control. Impacted scenarios: (1) Create/Update tunnel or port with +Anonymous[Connect] access control entry; (2) Host/Connect to tunnel or port with +Anonymous[Connect] access control entry |

Setup Instructions:

Adding Policy Definition Files:

  1. Navigate to C:\Windows\PolicyDefinitions.
  2. Add the TunnelsPolicies.admx file to this folder.
  3. Navigate to C:\Windows\PolicyDefinitions\en-US.
  4. Add the TunnelsPolicies.adml file to this folder.

Applying the Policies:

  1. Open Command Prompt and run gpupdate /force to ensure the policy files are configured.
  2. Open the Local Group Policy Editor.
  3. Locate the Dev Tunnels folder under the Administrative Templates folder.
  4. Set each policy to be enabled or disabled as needed.

Order of Execution (Applicable when multiple policies are enabled):

  1. DisableDevTunnels
  2. RestrictedTenantAccess
  3. DisableAnonymousAccess

Notes:
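The setup steps above (copy the ADMX/ADML templates into PolicyDefinitions, refresh policy, then confirm the CLI is actually restricted) as one PowerShell script. This is an added example, not code from the dev-tunnels project or from the comment author. It assumes the two template files have already been downloaded to `$SourceDir` (default: the current user's Downloads folder), that the script runs in an elevated session, and that "Disable Dev Tunnel" has been set to Enabled in the Local Group Policy Editor before the check at the end; the exit-code expectation is taken from the overview table, since the thread does not document the CLI's exact denial message.

```powershell
# Added example (not from the dev-tunnels project): install the Dev Tunnels
# policy templates, refresh Group Policy, and check that the devtunnel CLI
# honours the "Disable Dev Tunnel" policy. Run from an elevated PowerShell.
[CmdletBinding()]
param(
    # Assumed location of the downloaded TunnelsPolicies.admx / .adml files.
    [string]$SourceDir  = "$env:USERPROFILE\Downloads",
    # Local policy definition store used by the Local Group Policy Editor.
    [string]$PolicyRoot = "$env:SystemRoot\PolicyDefinitions"
)

$ErrorActionPreference = 'Stop'

# The two files named in the setup instructions.
$admx = Join-Path $SourceDir 'TunnelsPolicies.admx'
$adml = Join-Path $SourceDir 'TunnelsPolicies.adml'
foreach ($file in @($admx, $adml)) {
    if (-not (Test-Path -LiteralPath $file)) {
        throw "Missing policy definition file: $file"
    }
}

# Steps 1-4: ADMX goes into PolicyDefinitions, the English ADML into en-US.
$langDir = Join-Path $PolicyRoot 'en-US'
New-Item -ItemType Directory -Path $langDir -Force | Out-Null
Copy-Item -LiteralPath $admx -Destination $PolicyRoot -Force
Copy-Item -LiteralPath $adml -Destination $langDir   -Force
Write-Host "Installed templates into $PolicyRoot"

# Refresh policy so the new template (and any setting already chosen in
# gpedit.msc) is applied.
& gpupdate.exe /force | Out-Null

# Verification: per the overview table, "ping" is exempt and should still
# succeed, while a tunnel-creating command should be denied once the policy
# is enabled. Only the exit codes are checked; the denial text is not
# documented in the thread.
function Test-DevTunnelPolicy {
    $result = @{}

    & devtunnel ping 2>&1 | Out-Null
    $result['ping'] = $LASTEXITCODE

    & devtunnel create 2>&1 | Out-Null
    $result['create'] = $LASTEXITCODE

    return $result
}

$check = Test-DevTunnelPolicy
Write-Host ("devtunnel ping   exit code: {0} (0 expected, command is exempt)" -f $check['ping'])
Write-Host ("devtunnel create exit code: {0} (non-zero expected while the policy is enabled)" -f $check['create'])
if ($check['create'] -eq 0) {
    Write-Warning "devtunnel create succeeded; the policy does not appear to be in force on this host."
}
```

For the domain-wide rollout the original requester asked for, the same two files go into the Group Policy central store (`\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions` and its `en-US` subfolder) instead of the local `C:\Windows\PolicyDefinitions`, after which the Dev Tunnels folder appears under Administrative Templates in the domain Group Policy Management Editor and the settings can be linked to the OUs that hold the AD-managed hosts.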

neelip commented 3 months ago

I'm closing this issue due to inactivity. Please feel free to open a new one if you still need assistance.

asund commented 3 months ago

Thank you for doing this, I'm still waiting on the outcome of my IT department's security meeting before I can use it.