
Commit 98573e4

Merge pull request #307655 from MicrosoftDocs/main
Auto Publish – main to live - 2025-11-01 11:00 UTC
2 parents f404e05 + e172f00 commit 98573e4

5 files changed

Lines changed: 92 additions & 85 deletions

File tree

articles/dev-box/dev-box-windows-365-announcement.md

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -29,7 +29,7 @@ Effective November 1, 2025, the following changes will take place:
2929

3030
- The Microsoft Dev Box service stops accepting net new customers.
3131
- *Net new customers* are defined as those with no prior Dev Box deployment in any form.
32-
- As features are integrated into Windows 365 and made available publicly, Customers interested in continuing to leverage these capabilities should reach out to their Microsoft account team.
32+
- As features are integrated into Windows 365 and become publicly available, customers interested in using them should contact their Microsoft account team.
3333
- There's no immediate change to existing customers
3434
- Customers who have run a POC, experimented, or begun configuring Dev Box are considered existing customers, and they can continue using and scaling their current Dev Box deployments.
3535
- If you plan to start using or scaling Dev Boxes into additional tenants, submit a request through [Azure Support](https://go.microsoft.com/fwlink/p/?linkid=2202692&clcid=0x409) to get your new tenants allowlisted.
@@ -40,7 +40,8 @@ As new developer capabilities are released in Windows 365, Microsoft will provid
4040

4141
## Key Actions for Customers
4242

43-
- **No Immediate Action Required:** Continue using and scaling your Dev Box deployments as usual. Migration resources will be provided as new features roll out in Windows 365.
43+
- **Existing customers:** Continue using the service as normal. No action is required. You can continue to use and scale your Dev Box deployments as usual. Migration resources will be provided as new features roll out in Windows 365.
44+
- **New customers:** Starting November 1, 2025, Microsoft Dev Box no longer accepts new customers. If you previously evaluated or tested Dev Box and need to onboard after November 1, 2025, request an exception through [Name of form](https://aka.ms/link-to-form).
4445
- **Stay Informed:** Monitor communications from Microsoft and your account team for updates.
4546
- **Interested in Previewing New Features?** Express your interest to your Microsoft account team.
4647
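Review bot: the **New customers** bullet ships a placeholder link, `[Name of form](https://aka.ms/link-to-form)`; both the link text and the aka.ms target read as unfilled template values, and this commit publishes main to live. Replace them with the real form name and URL before merging, or use the account-team wording this page uses everywhere else. Minor: the **Existing customers** bullet says "Continue using the service as normal. No action is required. You can continue to use and scale your Dev Box deployments as usual.", which states the same thing twice; one sentence would do.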

Lines changed: 42 additions & 44 deletions
@@ -1,56 +1,50 @@
11
---
2-
title: Configure Conditional Access Policies for Dev Tunnels
3-
description: Learn how to configure conditional access policies for the Dev tunnels service in Microsoft Entra ID to secure remote development environments and restrict access based on device management and IP ranges.
2+
title: Secure Dev Tunnel Access with Conditional Policies
3+
description: Learn how to configure conditional access policies for the Dev Tunnels service in Microsoft Entra ID to secure remote development environments and restrict access based on device management and IP ranges.
44
author: RoseHJM
55
contributors:
66
ms.topic: how-to
7-
ms.date: 05/19/2025
7+
ms.date: 10/31/2025
88
ms.author: rosemalcolm
99
ms.reviewer: rosemalcolm
10+
ai-usage: ai-assisted
11+
ms.custom: peer-review-program
1012
---
1113

12-
# Configure conditional access policies for Dev tunnels
14+
# Secure Dev Tunnel access with conditional policies
1315

14-
Microsoft Dev Box gives you an alternative connectivity method on top of Dev tunnels. You can develop remotely while coding locally or keep development going during Azure Virtual Desktop (AVD) outages or poor network performance. Many large enterprises using Dev Box have strict security and compliance policies, and their code is valuable to their business. Restricting Dev tunnels with conditional access policies is crucial for these controls.
16+
Dev Tunnels offer a streamlined way to connect to your Dev Box directly from Visual Studio Code, eliminating the need to use separate applications like Windows App or a browser. This method provides a more immediate and integrated development experience. Unlike traditional connection methods, Dev Tunnels simplify access and enhance productivity.
1517

16-
Conditional access policies for the Dev tunnels service:
18+
Many large enterprises that use Dev Box have strict security and compliance policies, and their code is valuable to their business. This article explains how to configure conditional access policies to secure Dev Tunnel usage in your environment.
1719

18-
- Let Dev tunnels connect from managed devices, but deny connections from unmanaged devices.
19-
- Let Dev tunnels connect from specific IP ranges, but deny connections from other IP ranges.
20-
- Support other regular conditional access configurations.
21-
- Apply to both the Visual Studio Code application and VS Code web.
22-
23-
## Configure conditional access
24-
25-
The conditional access policies work correctly for the Dev tunnels service. Because registering the Dev tunnels service app to a tenant and making it available to the conditional access picker is unique, this article documents the steps.
20+
## Prerequisites
2621

27-
## Register Dev tunnels service to a tenant
22+
Before proceeding, ensure you have:
2823

29-
According to [Application and service principal objects in Microsoft Entra ID](/entra/identity-platform/app-objects-and-service-principals?tabs=browser), a service principal is created in each tenant where an application is used. However, this doesn't apply to the Dev tunnels service. The Dev tunnels service is a Microsoft service, and the service principal is created in the Microsoft Entra ID tenant where the Dev tunnels service is registered. The Dev tunnels service app isn't registered to your tenant by default, so you need to register it manually.
24+
- Access to a Dev Box environment.
25+
- Visual Studio Code installed.
26+
- PowerShell 7.x or later (any version in the 7.x series is acceptable).
27+
- Appropriate permissions to configure conditional access policies in Microsoft Entra ID.
3028

31-
Therefore, we're using [Microsoft.Graph PowerShell](/powershell/module/microsoft.graph.authentication/connect-mggraph?view=graph-powershell-1.0&preserve-view=true) to register the app to a tenant.
29+
## Benefits of conditional access for Dev Tunnels
3230

33-
1. Install PowerShell 7.x
31+
Conditional access policies for the Dev Tunnels service:
3432

35-
1. Follow [Install the Microsoft Graph PowerShell SDK | Microsoft Learn](/powershell/microsoftgraph/installation?view=graph-powershell-1.0&preserve-view=true) to install Microsoft.Graph PowerShell.
33+
- Let Dev Tunnels connect from managed devices, but deny connections from unmanaged devices.
34+
- Let Dev Tunnels connect from specific IP ranges, but deny connections from other IP ranges.
35+
- Support other regular conditional access configurations.
36+
- Apply to both the Visual Studio Code application and VS Code web.
3637

37-
1. Run the following commands:
38-
```powershell
39-
# Connect to Microsoft Graph
40-
Connect-MgGraph -TenantId <TenantID> -Scopes "Application.ReadWrite.All"
41-
42-
# Register the Dev tunnels service app to the tenant
43-
$TunnelServiceAppId = "46da2f7e-b5ef-422a-88d4-2a7f9de6a0b2"
44-
New-MgServicePrincipal -AppId $TunnelServiceAppId
45-
```
38+
> [!NOTE]
39+
> This article focuses on setting up conditional access policies specifically for Dev Tunnels. If you're configuring policies for Dev Box more broadly, see [Configure conditional access for Dev Box](how-to-configure-intune-conditional-access-policies.md).
4640
47-
1. Go to "Microsoft Entra ID" -> "Manage" -> "Enterprise applications" to verify if the Dev tunnels service is registered.
41+
## Configure conditional access policies
4842

49-
:::image type="content" source="media/how-to-conditional-access-dev-tunnels-service/dev-tunnels-register-service.png" alt-text="Screenshot of the Enterprise applications page in Microsoft Entra ID, showing the Dev tunnels service registration." lightbox="media/how-to-conditional-access-dev-tunnels-service/dev-tunnels-register-service.png":::
43+
To secure Dev Tunnels with conditional access, you need to target the Dev Tunnels service using custom security attributes. This section guides you through the process of configuring these attributes and creating the appropriate conditional access policy.
5044

51-
## Enable the Dev tunnels service for the conditional access picker
45+
## Enable the Dev Tunnels service for the conditional access picker
5246

53-
The Microsoft Entra IDteam is working on removing the need to onboard apps for them to appear in the app picker, with delivery expected in May. Therefore, we aren't onboarding Dev tunnel service to the conditional access picker. Instead, target the Dev tunnels service in a conditional access policy using [Custom Security Attributes](/entra/identity/conditional-access/concept-filter-for-applications).
47+
The Microsoft Entra ID team is working on removing the need to onboard apps for them to appear in the app picker, with delivery expected in May. Therefore, we aren't onboarding Dev tunnel service to the conditional access picker. Instead, target the Dev tunnels service in a conditional access policy using [Custom Security Attributes](/entra/identity/conditional-access/concept-filter-for-applications).
5448

5549
1. Follow [Add or deactivate custom security attribute definitions in Microsoft Entra ID](/entra/fundamentals/custom-security-attributes-add?tabs=ms-powershell) to add the following Attribute set and New attributes.
5650
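Review bot: this hunk deletes the "Register Dev tunnels service to a tenant" section (the `Connect-MgGraph` / `New-MgServicePrincipal` steps) but keeps the dependency on it: the new text still says to target the Dev Tunnels service with custom security attributes, and the removed section explained that the service app "isn't registered to your tenant by default, so you need to register it manually", so a reader following the new article may have no service principal to attach the attributes to. Either restore the registration steps or state explicitly that the service principal already exists in the tenant. Related: the new prerequisite "PowerShell 7.x or later (any version in the 7.x series is acceptable)" is now orphaned, since none of the remaining steps in this hunk use PowerShell, and the parenthetical contradicts "or later". The retained sentence "with delivery expected in May" is undated and stale against `ms.date: 10/31/2025`, and "Dev tunnel service" / "Dev tunnels service" in that paragraph should follow the "Dev Tunnels" casing adopted elsewhere in the hunk.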

@@ -68,21 +62,22 @@ The Microsoft Entra IDteam is working on removing the need to onboard apps for t
6862

6963
## Testing
7064

71-
1. Turn off the BlockDevTunnelCA
65+
1. Turn off the BlockDevTunnelCA policy.
7266

73-
1. Create a DevBox in the test tenant and run the following commands inside it. Dev tunnels can be created and connected externally.
74-
```
75-
code tunnel user login --provider microsoft
76-
code tunnel
77-
```
67+
1. Create a Dev Box in the test tenant and run the following commands inside it. You can create and connect to Dev Tunnels externally.
7868

79-
1. Enable the BlockDevTunnelCA.
69+
```powershell
70+
code tunnel user login --provider microsoft
71+
code tunnel
72+
```
8073

81-
1. New connections to the existing Dev tunnels can't be established. Test with an alternate browser if a connection has already been established.
74+
1. Turn on the BlockDevTunnelCA policy.
8275

83-
1. Any new attempts to execute the commands in step #2 will fail. Both errors are:
76+
1. You can't establish new connections to the existing Dev Tunnels. If a connection is already established, test with an alternate browser.
8477

85-
:::image type="content" source="media/how-to-conditional-access-dev-tunnels-service/dev-tunnels-no-access.png" alt-text="Screenshot of error message when Dev tunnels connection is blocked by conditional access policy." lightbox="media/how-to-conditional-access-dev-tunnels-service/dev-tunnels-no-access.png":::
78+
1. Any new attempts to execute the commands in step 2 fail. Both errors are:
79+
80+
:::image type="content" source="media/how-to-conditional-access-dev-tunnels-service/dev-tunnels-no-access.png" alt-text="Screenshot of error message when Dev tunnels connection is blocked by conditional access policy." lightbox="media/how-to-conditional-access-dev-tunnels-service/dev-tunnels-no-access.png":::
8681

8782
1. The Microsoft Entra ID sign-in logs show these entries.
8883
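Review bot: the fenced block with `code tunnel user login --provider microsoft` / `code tunnel` is now separated from step 2 by a blank line and sits at column 0, so under CommonMark rendering the numbered list closes there and the following items restart at 1; the later reference "execute the commands in step 2" then points at the wrong item. Indent the fence under step 2 so the numbering continues. Minor: tagging the fence `powershell` suggests these are PowerShell commands, while they are VS Code CLI invocations that run in any shell; and "Both errors are:" is followed by a single screenshot, so either show both errors or say "The error is:".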

@@ -91,8 +86,11 @@ code tunnel
9186
## Limitations
9287

9388
With Dev Tunnels, the following limitations apply:
94-
- You can't configure conditional access policies for Dev Box service to manage Dev tunnels for Dev Box users.
95-
- You can't limit Dev tunnels that aren't managed by the Dev Box service. In the context of Dev Boxes, if the Dev tunnels GPO is configured **to allow only selected Microsoft Entra tenant IDs**, Conditional Access policies can also restrict self-created Dev tunnels.
89+
90+
- **Policy assignment restrictions**: You can't configure conditional access policies for the Dev Box service to manage Dev Tunnels for Dev Box users. Instead, configure policies at the Dev Tunnels service level as described in this article.
91+
- **Self-created Dev Tunnels**: You can't limit Dev Tunnels that aren't managed by the Dev Box service. In the context of Dev Boxes, if the Dev Tunnels GPO is configured **to allow only selected Microsoft Entra tenant IDs**, conditional access policies can also restrict self-created Dev Tunnels.
92+
- **IP range enforcement**: Dev Tunnels might not support granular IP restrictions. Consider using network-level controls or consult your security team for alternative enforcement strategies.
9693

9794
## Related content
95+
- [Open a dev box in VS Code](how-to-set-up-dev-tunnels.md)
9896
- [Conditional Access policies](/entra/identity/conditional-access/concept-conditional-access-policies)
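Review bot: the new **IP range enforcement** bullet ("Dev Tunnels might not support granular IP restrictions") hedges against the Benefits section earlier in this file, which lists as a capability "Let Dev Tunnels connect from specific IP ranges, but deny connections from other IP ranges". Decide which is true and state it definitively; "might not" plus "consult your security team" leaves an admin unable to tell whether an IP-based policy will actually be enforced. Also, the **Self-created Dev Tunnels** bullet first says you can't limit tunnels not managed by Dev Box and then says conditional access can restrict them when the GPO allows only selected tenant IDs; rewording as "unless the Dev Tunnels GPO is configured to allow only selected Microsoft Entra tenant IDs, in which case ..." would remove the apparent contradiction carried over from the old text.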
Lines changed: 9 additions & 2 deletions
@@ -1,10 +1,17 @@
11
---
22
author: RoseHJM
33
ms.author: rosemalcolm
4-
ms.date: 09/16/2025
4+
ms.date: 10/30/2025
55
ms.topic: include
66
ms.service: dev-box
77
---
88

99
> [!IMPORTANT]
10-
> Windows 365 will soon integrate Microsoft Dev Box features. For more information, see [Microsoft Dev Box capabilities are coming to Windows 365](../dev-box-windows-365-announcement.md).
10+
> **Microsoft Dev Box capabilities are coming to Windows 365**
11+
>
12+
> Starting November 1, 2025, Microsoft Dev Box no longer accepts new customers as we integrate Dev Box capabilities into Windows 365.
13+
>
14+
> - **Existing customers:** Continue using the service as normal. No action is required.
15+
> - **New customers:** If you previously evaluated or tested Dev Box and need to onboard after November 1, 2025, reach out to your Microsoft account team.
16+
>
17+
> For more information, see [Microsoft Dev Box capabilities are coming to Windows 365](../dev-box-windows-365-announcement.md).
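Review bot: the **New customers** line in this include tells readers to "reach out to your Microsoft account team", while the announcement page updated in the same commit tells the same audience to "request an exception through [Name of form]". Pick one path so the include, which surfaces on every Dev Box page, doesn't diverge from the announcement. Minor: `ms.date` here is 10/30/2025 versus 10/31/2025 in the other article touched by this commit.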
