How about restricting Access by IP range?
- Go to organization settings → security → IP restrictions
- Add allowed corporate IP addresses
- Block all other external IP addresses
... or use restricted git authentication via PAT policies:
- Go to organization settings → security -> policies
- Under "Personal Access Tokens", disable PAT usage
- Under git Credential manager", require azure AD authentication
Problem is that PATs are easy to misuse, and I see PATs getting misused a LOT of times.