Validate SSH Key Expiration.

Why This Matters

SSH keys grant persistent access to Azure DevOps resources. If keys lack expiration dates or remain valid indefinitely, a compromised or forgotten key can be exploited by attackers to gain unauthorized access, modify code, or exfiltrate sensitive data. Enforcing expiration ensures that keys are regularly rotated, reducing the window of exposure for any single credential.

What Aether365 Checks

Aether365 verifies that all SSH keys associated with Azure DevOps organizations have a configured expiration date. This check appears in the Aether365 dashboard under the microsoft-365 security checks list.

How to Fix

Currently, Azure DevOps does not provide a native setting to enforce SSH key expiration for all users. To manually manage SSH key expiration: