Limit job authorization scope to current project for non-release pipelines.
Why This Matters
When job authorization scope is not limited to the current project for non-release pipelines, a pipeline job could potentially access resources across multiple projects within your Azure DevOps organization. This widens the attack surface, as a compromised pipeline in one project might leverage elevated permissions to tamper with secrets or configurations in other projects. Administrators should care because restricting scope to the current project enforces the principle of least privilege, reducing the risk of lateral movement and unauthorized resource access.
What Aether365 Checks
Aether365 verifies that non-release pipelines have their job authorization scope restricted to the current project only. This check appears in the Aether365 dashboard under the microsoft-365 security checks, flagging any pipelines where the scope is set to "current organization" or a broader scope.
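The following sketch shows how a check of this kind can be evaluated. It is an added example, not Aether365's implementation: it assumes the `enforceJobAuthScope` field of the Azure DevOps Build general settings response and the `jobAuthorizationScope` field of build definitions, and it runs over constructed sample data (project names, pipeline ids and names are made up). The organization-level version of the setting is not modelled.

```python
# Constructed samples shaped like Azure DevOps REST API responses:
#   GET {org}/{project}/_apis/build/generalsettings  -> enforceJobAuthScope
#   GET {org}/{project}/_apis/build/definitions      -> jobAuthorizationScope
SAMPLE_PROJECTS = {
    "payments": {
        "settings": {"enforceJobAuthScope": True},
        "definitions": [
            {"id": 11, "name": "payments-ci", "jobAuthorizationScope": "projectCollection"},
        ],
    },
    "website": {
        "settings": {"enforceJobAuthScope": False},
        "definitions": [
            {"id": 21, "name": "web-ci", "jobAuthorizationScope": "project"},
            {"id": 22, "name": "web-nightly", "jobAuthorizationScope": "projectCollection"},
        ],
    },
}


def audit_project(name, settings, definitions):
    """Return findings for one project; an empty list means it passes."""
    # Project-level toggle on: every non-release pipeline is capped at
    # project scope, whatever the individual definition says.
    if settings.get("enforceJobAuthScope") is True:
        return []
    findings = [f"{name}: 'Limit job authorization scope to current project "
                f"for non-release pipelines' is off"]
    for d in definitions:
        # A missing value is treated as the broad scope (fail closed).
        scope = d.get("jobAuthorizationScope", "projectCollection")
        if scope != "project":
            findings.append(f"{name}: pipeline {d['id']} ({d['name']}) runs "
                            f"with organization-wide scope ({scope})")
    return findings


def audit(projects):
    """Audit all projects and return {project: findings} for failing ones."""
    report = {}
    for name, data in projects.items():
        found = audit_project(name, data["settings"], data["definitions"])
        if found:
            report[name] = found
    return report


if __name__ == "__main__":
    for project, findings in audit(SAMPLE_PROJECTS).items():
        for line in findings:
            print("FAIL", line)
```

The "payments" project passes even though its definition asks for the broad scope, because the project-level setting overrides it; "website" fails on both the toggle and the one pipeline still set to the wider scope.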