- Connect to Azure AD and use MFA
- Azure DevOps can also use AAD Conditional Access
- You can require conditions, such as security group membership, location and network identity, a specific OS, an enabled device in a management system, and so on.
- If possible, use AD groups rather than individual user accounts
- Note: Nested groups are currently not supported
- If relevant, consider limiting "shadow IT" by restricting organization creation via Azure AD tenant policy
- Consider connecting to ExpressRoute
- Use the Azure DevOps Audit feature
- Azure AD https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/connect-organization-to-azure-ad?view=azure-devops
- Conditional Access https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/manage-conditional-access?view=azure-devops
- ExpressRoute https://devblogs.microsoft.com/devops/expressroute-for-azure-devops
- Azure DevOps Audit https://docs.microsoft.com/en-us/azure/devops/organizations/settings/azure-devops-auditing?view=azure-devops
- Restrict organization creation via Azure AD tenant policy https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/azure-ad-tenant-policy-restrict-org-creation?view=azure-devops