Manage personal access tokens using policies - Azure DevOps (2024)


Azure DevOps Services

This article explains how to limit the creation, scope, and lifespan of new or renewed personal access tokens (PATs) for users in Azure DevOps using Microsoft Entra policies. It also covers managing the automatic revocation of leaked PATs. Each policy's default behavior is detailed in its respective section.

Important

Existing PATs, created through both the UI and APIs, remain valid for the rest of their lifespan. Update your existing PATs to comply with the new restrictions to ensure successful renewal.

Prerequisites

Restrict creation of global PATs

The Azure DevOps Administrator in Microsoft Entra can restrict users from creating global PATs, which apply to all accessible organizations rather than a single organization. Enabling this policy requires new PATs to be associated with specific Azure DevOps organizations. By default, this policy is set to off.

  1. Sign in to your organization (https://dev.azure.com/{yourorganization}).

  2. Select Organization settings.

  3. Select Microsoft Entra, find the Restrict global personal access token creation policy and move the toggle to on.


Restrict creation of full-scoped PATs

The Azure DevOps Administrator in Microsoft Entra can restrict users from creating full-scoped PATs. Enabling this policy requires new PATs to be limited to a specific, custom-defined set of scopes. By default, this policy is set to off.

  1. Sign in to your organization (https://dev.azure.com/{yourorganization}).

  2. Select Organization settings.

  3. Select Microsoft Entra, find the Restrict full-scoped personal access token creation policy and move the toggle to on.


Set maximum lifespan for new PATs

The Azure DevOps Administrator in Microsoft Entra ID can define the maximum lifespan of a PAT, specifying it in days. By default, this policy is set to off.

  1. Sign in to your organization (https://dev.azure.com/{yourorganization}).

  2. Select Organization settings.

  3. Select Microsoft Entra, find the Enforce maximum personal access token lifespan policy and move the toggle to on.

  4. Enter the maximum number of days, and then select Save.

Add Microsoft Entra users or groups to the allowlist

Warning

We recommend using groups for your tenant policy allowlists. If you use a named user, note that a reference to their identity will reside in the United States, Europe (EU), and Southeast Asia (Singapore).

Users or groups on the allowlist are exempt from the restrictions and enforcements of these policies when enabled. To add a user or group, select Add Microsoft Entra user or group, then select Add. Each policy has its own allowlist. If a user is on the allowlist for one policy, other activated policies still apply. Therefore, to exempt a user from all policies, add them to each allowlist.
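The following is an added example, not part of the original article or any Microsoft tooling: a Python audit that flags still-active PATs which would not satisfy the three creation policies above, applying each policy's allowlist separately. The record field names, the `app_token` marker for full scope, the treatment of an empty `targetAccounts` as a global PAT, and all sample data are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

FULL_SCOPE = "app_token"  # assumption: scope value marking a full-scoped PAT

def audit_pats(pats, max_days, allowlists, now):
    """Return {PAT name: [policies it would violate]} for PATs still active at `now`."""
    findings = {}
    for pat in pats:
        if pat["validTo"] <= now:
            continue  # expired tokens no longer grant access
        checks = {
            "global": not pat["targetAccounts"],  # assumption: no org list means all orgs
            "full_scope": pat["scope"] == FULL_SCOPE,
            "max_lifespan": pat["validTo"] - pat["validFrom"] > timedelta(days=max_days),
        }
        # Each policy has its own allowlist; an exemption from one does not carry over.
        violated = [name for name, hit in checks.items()
                    if hit and pat["owner"] not in allowlists.get(name, set())]
        if violated:
            findings[pat["displayName"]] = violated
    return findings

def _d(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed sample inventory (not real tokens or users).
NOW = _d(2024, 6, 1)
SAMPLE_PATS = [
    {"owner": "alice", "displayName": "ci-build", "scope": "vso.build",
     "targetAccounts": ["org-a"], "validFrom": _d(2024, 5, 1), "validTo": _d(2024, 7, 30)},
    {"owner": "bob", "displayName": "legacy-all", "scope": FULL_SCOPE,
     "targetAccounts": [], "validFrom": _d(2024, 1, 1), "validTo": _d(2025, 1, 1)},
    {"owner": "carol", "displayName": "old-token", "scope": FULL_SCOPE,
     "targetAccounts": [], "validFrom": _d(2023, 3, 1), "validTo": _d(2024, 3, 1)},
    {"owner": "dave", "displayName": "release", "scope": "vso.release",
     "targetAccounts": ["org-a"], "validFrom": _d(2024, 5, 15), "validTo": _d(2025, 5, 15)},
]
# bob is exempt from the full-scope policy only, so the other two still apply to him.
ALLOWLISTS = {"full_scope": {"bob"}}

if __name__ == "__main__":
    for name, policies in audit_pats(SAMPLE_PATS, 90, ALLOWLISTS, NOW).items():
        print(f"{name}: {', '.join(policies)}")
```

Tokens listed in the output are the ones to recreate with a single organization, custom scopes, and a shorter lifespan before their next renewal.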

Revoke leaked PATs automatically

The Azure DevOps Administrator in Microsoft Entra ID can manage the policy that automatically revokes leaked PATs. This policy applies to all PATs within organizations linked to your Microsoft Entra tenant. By default, this policy is set to on. If Azure DevOps PATs are checked into public GitHub repositories, they're automatically revoked.

Warning

Disabling this policy means any PATs checked into public GitHub repositories will remain active, potentially compromising your Azure DevOps organization and data, and putting your applications and services at significant risk. Even with the policy disabled, you will still receive an email notification if a PAT is leaked, but it will not be revoked automatically.

Turn off automatic revocation of leaked PATs

  1. Sign in to your organization (https://dev.azure.com/{yourorganization}).

  2. Select Organization settings.

  3. Select Microsoft Entra, find the Automatically revoke leaked personal access tokens policy and move the toggle to off.

The policy is disabled and any PATs checked into public GitHub repositories remain active.

Article information

Author: Nathanial Hackett
