Configure upstream behavior

Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019 | TFS 2018

With Azure Artifacts upstream sources, developers gain the convenience of utilizing a unified feed to both publish and consume packages from Artifact feeds and popular public registries like or Previously, Artifact feeds combined a list of available package versions from both the feed itself and all the configured upstream sources.

An illustration showing the content of a feed.

Upstream behavior is a feature that enables developers to choose if they want to consume externally sourced package versions. It governs which packages are accessible from the public registries for specific packages.

Once upstream behavior is enabled, when a package is published to your Azure Artifacts feed, any version from the public registry will be blocked and not made available for download.

This approach adds an extra layer of security by preventing potential exposure to malicious packages that might have infiltrated the public registries.

However, users still have the option to deactivate the upstream behavior setting, allowing them to consume packages from the public registries if they prefer to do so.


The new behavior will not impact any package versions that are currently in use, as they are preserved within the feed's @local view.

Applicable scenarios

The following section illustrates various common scenarios where the upstream behavior is triggered to block externally sourced package versions, and other scenarios where there's no need to block access to public packages.

Public versions are blocked

Private package version made public

In this scenario, a team has a private package that was made public. The upstream behavior in this case will be triggered to block any new public versions (untrusted packages).

An illustration showing an internal package version made public.

Having both private and public packages

In this scenario, if a team uses a combination of private and public packages, enabling the upstream behavior blocks any new package versions from the public registry.

An illustration showing available private and public packages.

Public versions won't be blocked

All packages are private*

If all existing packages are private, and the team has no plans to use any public packages, the new upstream behavior will have no effect on the team's workflow in this scenario.

An illustration showing feed with only private packages.

All packages are public

In this scenario, if the team exclusively consumes public packages, whether from the public registry or other open-source repositories, the new upstream behavior won't impact their workflow in any way.

An illustration showing feed with only public packages.

Public package made private

In this situation, when a public package is converted to a private package, the new upstream behavior won't influence the team's workflow in any way.

An illustration showing a package converted from public to private.

Allow external versions


You must be a feed Owner or a feed Administrator to allow externally sourced versions. See Feed permissions for more details.

  1. Sign in to your Azure DevOps organization, and then navigate to your project.

  2. Select Artifacts, and then select your feed from the dropdown menu.

  3. Select your package, and then select the ellipsis button for more options. Select Allow externally-sourced versions.

    A screenshot showing how to allow externally sourced versions.

  4. Select the toggle button to allow external versions. Select Close when you're done.

    A screenshot showing how to enable external versions.

Allow external versions using the REST API

Allow external versions using PowerShell

  1. Create a personal access token with Packaging > Read, write, & manage permissions.

    Screenshot showing how to select packaging permissions.

  2. Create an environment variable for your personal access token.

  3. Convert your personal access token to baser64 encoded string and construct the HTTP request header.

    $token = [Convert]::ToBase64String(([Text.Encoding]::ASCII.GetBytes("username:$env:PatVar")))
    $headers = @{
        Authorization = "Basic $token"
  4. Construct your endpoint url. Example: //

    • Project-scoped feed:

      $url = "<ORGANIZATION_NAME>/<PROJECT_NAME>/_apis/packaging/feeds/<FEED_NAME>/<PROTOCOL>/packages/<PACKAGE_NAME>/upstreaming?api-version=6.1-preview.1"
    • Organization-scoped feed:

      $url = "<ORGANIZATION_NAME>/_apis/packaging/feeds/<FEED_NAME>/<PROTOCOL>/packages/<PACKAGE_NAME>/upstreaming?api-version=6.1-preview.1"

Run the following command to retrieve the upstream behavior state of your package. $url and $headers are the same variables we used in the previous section.

Invoke-RestMethod -Uri $url -Headers $headers