How to determine if an Azure DevOps self-hosted agent is registered using a PAT or Service Principal?

Question

How to determine if an Azure DevOps self-hosted agent is registered using a PAT or Service Principal?

Waniya Mustafa 20

We’re trying to audit our Azure DevOps setup and determine whether our self-hosted agents (in a particular agent pool) are registered using a Personal Access Token (PAT) or a Service Principal (SPN).

From what I’ve researched, the agent pool UI doesn’t reveal this, and I haven’t found a CLI/API way to directly inspect the authentication method used during registration.

Is there a straightforward way to determine how a self-hosted agent was authenticated (PAT vs SPN)? Or is checking the machine-level configuration (e.g., environment variables or setup logs) the only way?

Any help or insights would be appreciated!

Durga Reshma Malthi 4,165 Reputation points Microsoft External Staff Moderator

2025-06-24T08:13:29.5633333+00:00

Hi Waniya Mustafa

Just checking in to see if you had a chance to review the response provided to your question.

Feel free to reach out if you have any further queries.

If you found the information helpful, please click "Upvote" on the post to let us know and consider accepting the answer as the token of appreciation. Thank You.
Durga Reshma Malthi 4,165 Reputation points Microsoft External Staff Moderator

2025-06-25T06:46:43.2033333+00:00

Hi Waniya Mustafa

Just checking in to see if you had a chance to review the response provided to your question.

Feel free to reach out if you have any further queries.

If you found the information helpful, please click "Upvote" on the post to let us know and consider accepting the answer as the token of appreciation. Thank You.

Accepted answer

0 additional answers

Your answer

Durga Reshma Malthi 4,165 Reputation points Microsoft External Staff Moderator

2025-06-24T08:13:29.5633333+00:00

Hi Waniya Mustafa

Just checking in to see if you had a chance to review the response provided to your question.

Feel free to reach out if you have any further queries.

If you found the information helpful, please click "Upvote" on the post to let us know and consider accepting the answer as the token of appreciation. Thank You.
Durga Reshma Malthi 4,165 Reputation points Microsoft External Staff Moderator

2025-06-25T06:46:43.2033333+00:00

Hi Waniya Mustafa

Just checking in to see if you had a chance to review the response provided to your question.

Feel free to reach out if you have any further queries.

If you found the information helpful, please click "Upvote" on the post to let us know and consider accepting the answer as the token of appreciation. Thank You.

Answer 1

Hi Waniya Mustafa

Azure DevOps doesn’t currently expose the authentication method (PAT vs SPN) used during agent registration via the UI, REST API, or CLI.

If you wanted to check then:

Navigate to the directory where the agent is installed. This is typically something like C:\agent on Windows or /home/youruser/agent on Linux.
Look for a file named .env or env in the agent directory. This file may contain environment variables that indicate whether a PAT or SPN is being used.
Open the .agent file (JSON format). It contains metadata like the agent's name, pool, and URL—but not the auth method directly. However, if the agent was registered using a Service Principal, you’ll often find environment variables or scripts.
Check the config.log file in the agent directory. It may include like:
- Using authentication type: PAT
- Using authentication type: SPN
Run config.cmd (Windows) or ./config.sh (Linux/macOS) again. It will prompt for the authentication method. You can cancel after reviewing the current setup.

Hope this helps!

Please Let me know if you have any queries.

Share via

How to determine if an Azure DevOps self-hosted agent is registered using a PAT or Service Principal?

0 additional answers

Your answer