Revoke personal access tokens for organization users

Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019

In the event of a Personal Access Token (PAT) being compromised, it is crucial to act swiftly. Administrators have the capability to revoke a user's PAT as a security measure to safeguard the organization. Additionally, disabling a user's account also revokes their PATs. There's a delay, up to one hour, before a revoked PAT becomes inactive. This latency period persists until the disable or delete operation is fully processed in Microsoft Entra ID.

Prerequisites

Access level: Organization owner or member of the Project Collection Administrators group

For users, if you want to create or revoke your own PATs, see Create or revoke personal access tokens.

Revoke PATs

  1. To revoke the OAuth authorizations, including PATs, for your organization's users, see Token revocations - Revoke authorizations.
  2. Use this PowerShell script to automate calling the new REST API by passing a list of user principal names (UPNs). If you don't know the UPN of the user who created the PAT, use this script instead; however, it must be based on a date range.

Note

When you use a date range, any JSON web tokens (JWTs) are also revoked. Any tooling that relies on these tokens won't work until refreshed with new tokens.

  3. After you successfully revoke the affected PATs, inform your users. They can recreate their tokens as necessary.
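The following PowerShell script is an added example of the UPN-based procedure above; it is not the script the page links to and is not Microsoft's code. It resolves each UPN to a graph subject descriptor, lists that user's PATs through the Token Admin API, and posts their authorization ids to the revocations endpoint. The endpoint paths (`graph/users`, `tokenadmin/personalaccesstokens/{descriptor}`, `tokenadmin/revocations`), the `7.1-preview.1` API version and the `{ authorizationId }` body shape are assumptions to confirm against the Token revocations - Revoke authorizations reference before use; `$AdminPat` is assumed to belong to an organization owner or Project Collection Administrator with the token administration scope.

```powershell
# Added example, not the page's own script. Revoke every PAT owned by a list of UPNs.
# ASSUMPTIONS (verify against the linked REST API reference):
#   - graph/users returns objects with principalName and descriptor
#   - tokenadmin/personalaccesstokens/{descriptor} returns the user's PATs with authorizationId
#   - tokenadmin/revocations accepts a JSON array of { "authorizationId": "<guid>" }
param(
    [Parameter(Mandatory)] [string]   $Organization,  # e.g. "contoso"
    [Parameter(Mandatory)] [string[]] $Upns,          # e.g. "alice@contoso.com","bob@contoso.com"
    [Parameter(Mandatory)] [string]   $AdminPat,      # admin PAT with token administration scope (assumed)
    [switch] $DryRun                                  # list what would be revoked, post nothing
)

$apiVersion = '7.1-preview.1'
$base       = "https://vssps.dev.azure.com/$Organization/_apis"
$headers    = @{
    Authorization  = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$AdminPat"))
    'Content-Type' = 'application/json'
}

# 1. Resolve each UPN to a graph subject descriptor (case-insensitive match on principalName).
#    Large organizations page this response; follow the continuation token if your org does.
$users   = (Invoke-RestMethod -Uri "$base/graph/users?api-version=$apiVersion" -Headers $headers).value
$targets = foreach ($upn in $Upns) {
    $u = $users | Where-Object { $_.principalName -ieq $upn }
    if (-not $u) { Write-Warning "No organization user found for $upn"; continue }
    $u
}

# 2. Collect the authorization id of every PAT each target owns, logging what will be revoked.
$authIds = foreach ($u in $targets) {
    $uri  = "$base/tokenadmin/personalaccesstokens/$($u.descriptor)?api-version=$apiVersion"
    $pats = (Invoke-RestMethod -Uri $uri -Headers $headers).value
    foreach ($p in $pats) {
        Write-Host "$($u.principalName): '$($p.displayName)' (valid to $($p.validTo))"
        $p.authorizationId
    }
}

if (-not $authIds) { Write-Host 'Nothing to revoke.'; return }

# 3. Submit one revocation request for the whole batch. -InputObject keeps a single id as a JSON array.
$body = ConvertTo-Json -InputObject @($authIds | ForEach-Object { @{ authorizationId = $_ } }) -Depth 3
if ($DryRun) { Write-Host "Dry run: would revoke $($authIds.Count) token(s):`n$body"; return }

Invoke-RestMethod -Method Post -Uri "$base/tokenadmin/revocations?api-version=$apiVersion" `
                  -Headers $headers -Body $body | Out-Null
Write-Host "Revocation submitted for $($authIds.Count) token(s). Allow up to one hour for them to become inactive, then notify the affected users."
```

Run it first with `-DryRun` to review the list of tokens before anything is revoked; the date-range variant the page refers to (which also invalidates JWTs) is a separate API and is intentionally not shown here.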

FedAuth token expiration

A FedAuth token gets issued when you sign in. It's valid for a seven-day sliding window. The expiry automatically extends another seven days whenever you refresh it within the sliding window. If users access the service regularly, only an initial sign-in is needed. After a period of inactivity extending seven days, the token becomes invalid and the user must sign in again.

Personal access token expiration

Users can choose an expiry date for their personal access token, not to exceed one year. We recommend you use shorter time periods, generating new PATs upon expiry. Users receive a notification email one week before token expiry. Users can generate a new token, extend expiry of the existing token, or change the scope of the existing token, if needed.

Frequently asked questions (FAQs)

Q: What if a user leaves my company?

A: Once a user is removed from Microsoft Entra ID, the PATs and FedAuth tokens become invalid within an hour, since the refresh token is valid only for one hour.

Q: Should I revoke JSON web tokens (JWTs)?

A: If you have JWTs that you believe should be revoked, we suggest you do so. Revoke JWTs, issued as part of the OAuth flow, via the PowerShell script. However, you must use the date range option in the script.