
Manage personal access tokens using policies (for admins)

Azure DevOps Services

This article provides guidance on how to use our tenant and organization policies to manage personal access tokens (PATs) in Azure DevOps. It explains how to limit the creation, scope, and lifespan of new or renewed PATs, and how to handle the automatic revocation of leaked PATs.

Each section details the default behavior of the respective policies, helping administrators effectively control and secure PAT usage within their organization.

Important

We recommend the more secure Microsoft Entra tokens over higher-risk personal access tokens. Learn more about our efforts to reduce PAT usage. Review our authentication guidance to choose the right authentication mechanism for your needs.

Existing PATs, created through both the UI and APIs, remain valid for the rest of their lifespan. Update your existing PATs to comply with the new restrictions to ensure successful renewal.

Prerequisites

Category Requirements
Entra Tenant Your organization is linked to a Microsoft Entra tenant.
Permissions

Add Microsoft Entra users or groups to policy allowlists

Warning

We generally recommend using groups for your allowlists. If you list a named user, a reference to their identity resides in the United States, Europe (EU), and Southeast Asia (Singapore).

Users or groups on the allowlist for any of these policies are exempt from the restrictions and enforcements when policies are enabled.

Each policy has its own unique allowlist. To exempt a user from all policies, they must be added to each allowlist. For the tenant policies, select Add Microsoft Entra user or group, then select Add.

Restrict creation of global PATs (tenant policy)

Azure DevOps Administrators can restrict users from creating global PATs, which can be used in all accessible organizations rather than a single organization. When this policy is enabled, new PATs must be associated with specific Azure DevOps organizations. By default, this policy is set to off.

  1. Sign in to your organization (https://dev.azure.com/{yourorganization}).

  2. Select the gear icon, Organization settings.

    Screenshot of the gear icon, Organization settings.

  3. Select Microsoft Entra, find the Restrict global personal access token creation policy and move the toggle on.

    Screenshot of toggle moved to on position for Restrict global PAT creation policy.

Restrict creation of full-scoped PATs (tenant policy)

Azure DevOps Administrators can restrict users from creating full-scoped PATs. Enabling this policy requires new PATs to be limited to a specific, custom-defined set of scopes. By default, this policy is set to off.

  1. Sign in to your organization (https://dev.azure.com/{yourorganization}).

  2. Select the gear icon, Organization settings.

  3. Select Microsoft Entra, find the Restrict full-scoped personal access token creation policy and move the toggle on.

    Screenshot of toggle moved to on position for the Restrict full-scoped PAT creation policy.

Set maximum lifespan for new PATs (tenant policy)

Azure DevOps Administrators can define the maximum lifespan of a PAT, specifying it in days. By default, this policy is set to off.

  1. Sign in to your organization (https://dev.azure.com/{yourorganization}).

  2. Select the gear icon, Organization settings.

  3. Select Microsoft Entra, find the Enforce maximum personal access token lifespan policy and move the toggle on.

    Screenshot of toggle moved to on position for Enforce maximum PAT lifespan policy.

  4. Enter the number of maximum days, and then select Save.

Restrict personal access token creation (organization policy)

Note

This policy is in public preview.

Project Collection Administrators can control who can create and regenerate PATs in the organizations they manage. For existing organizations, this policy is set to off. Now that this policy is in public preview, it's set to on by default. Existing PATs continue working until the PAT's expiration date.

Tip

Combine this policy with a short duration set for the "Set maximum lifespan for new PATs" policy to drive down PAT usage in your organization.

The policy also blocks global PAT usage in the organization. Global PAT users must be added to the allowlist to continue to use their global PAT in the organization.

  1. Sign in to your organization (https://dev.azure.com/{yourorganization}).

  2. Select the gear icon, Organization settings.

  3. Select Policies, find the Restrict personal access token (PAT) creation policy.

    Screenshot of toggle moved to on position and subpolicies checked for Restrict personal access token creation policy.

  4. If your organization members regularly make use of packaging PATs, select the Allow creation of PAT with packaging scope only checkbox. Common packaging scenarios have not fully moved to Entra-based authentication, and may still rely on PATs. If this policy is enabled, users not on the allowlist will see only packaging scopes available to them on their "Personal access tokens" page.

    Screenshot of packaging scopes available only on the user's Create a new personal access token modal.

  5. If any Microsoft Entra users or groups require continued access to PATs, add them to the allowlist by selecting Manage and searching for the user or group in the dropdown. Once allowlist updates are complete, select the checkbox next to Allow creation of PAT of any scope for selected Microsoft Entra users and groups.

  6. Move the toggle to on for the restriction policy to apply. Selected subpolicies don't apply until the toggle is on.
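The article says existing PATs keep working until they expire and must be updated to comply with the new restrictions before renewal, so an administrator usually wants to know which tokens would fail the three tenant policies above (global, full-scoped, maximum lifespan) and the organization policy's packaging-scope-only subpolicy before turning a toggle on. The following script is an added example, not Microsoft's code or any Azure DevOps tooling: it evaluates a constructed list of PAT records against those four checks and honours an allowlist of exempt owners. It assumes record fields shaped like the PAT Lifecycle Management API's list response (`displayName`, `scope`, `validFrom`, `validTo`, `targetAccounts`), that a global PAT has no target organizations listed, and that `app_token` is the full-access scope value; the `owner` field and the sample records are constructed for the example.

```python
"""Audit PAT records against the tenant and organization PAT policies.

Added example (not Microsoft's code). Record shape, the meaning of an empty
targetAccounts list, and the scope identifiers are assumptions.
"""
from datetime import datetime, timezone

# Scope identifiers (assumptions for this example): "app_token" is the
# full-access scope; vso.packaging* are the packaging scopes.
FULL_ACCESS_SCOPE = "app_token"
PACKAGING_SCOPES = {"vso.packaging", "vso.packaging_write", "vso.packaging_manage"}

# Constructed PAT records. "owner" is an extra field added here for the
# allowlist check; it is not part of the assumed API response.
SAMPLE_PATS = [
    {"displayName": "ci-build", "owner": "build-svc",
     "scope": "vso.build vso.code",
     "validFrom": "2024-01-01T00:00:00Z", "validTo": "2024-01-31T00:00:00Z",
     "targetAccounts": ["11111111-1111-1111-1111-111111111111"]},
    {"displayName": "do-everything", "owner": "alice",
     "scope": "app_token",
     "validFrom": "2024-01-01T00:00:00Z", "validTo": "2024-12-31T00:00:00Z",
     "targetAccounts": []},                      # global + full-scoped + 365 days
    {"displayName": "nuget-push", "owner": "bob",
     "scope": "vso.packaging_write",
     "validFrom": "2024-01-01T00:00:00Z", "validTo": "2024-03-01T00:00:00Z",
     "targetAccounts": ["11111111-1111-1111-1111-111111111111"]},
    {"displayName": "admin-break-glass", "owner": "svc-admin",
     "scope": "app_token",
     "validFrom": "2024-01-01T00:00:00Z", "validTo": "2024-07-01T00:00:00Z",
     "targetAccounts": []},                      # exempt only if owner is allowlisted
]


def _parse(ts):
    """Parse the UTC timestamp format used in the constructed records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def lifespan_days(pat):
    """Whole days between validFrom and validTo."""
    return (_parse(pat["validTo"]) - _parse(pat["validFrom"])).days


def is_global(pat):
    """Assumption: a global PAT lists no target organizations."""
    return not pat.get("targetAccounts")


def is_full_scoped(pat):
    return FULL_ACCESS_SCOPE in pat["scope"].split()


def is_packaging_only(pat):
    scopes = set(pat["scope"].split())
    return bool(scopes) and scopes <= PACKAGING_SCOPES


def audit(pats, max_lifespan_days, restrict_global=True, restrict_full_scope=True,
          packaging_only=False, allowlist=frozenset()):
    """Return {displayName: [violation codes]} for each PAT.

    Owners on the allowlist are exempt from every check, mirroring the
    per-policy allowlists described in the article (here one combined list).
    """
    findings = {}
    for pat in pats:
        if pat["owner"] in allowlist:
            findings[pat["displayName"]] = []
            continue
        issues = []
        if restrict_global and is_global(pat):
            issues.append("global")
        if restrict_full_scope and is_full_scoped(pat):
            issues.append("full_scope")
        if max_lifespan_days is not None and lifespan_days(pat) > max_lifespan_days:
            issues.append("lifespan")
        if packaging_only and not is_packaging_only(pat):
            issues.append("not_packaging_only")
        findings[pat["displayName"]] = issues
    return findings


if __name__ == "__main__":
    # 90-day maximum lifespan, global and full-scope restrictions on,
    # the break-glass account exempted via the allowlist.
    for name, issues in audit(SAMPLE_PATS, 90, allowlist={"svc-admin"}).items():
        print(f"{name}: {'ok' if not issues else ', '.join(issues)}")
```

Run it with the organization subpolicy turned on (`packaging_only=True`) to see which non-packaging tokens would no longer be creatable for users outside the allowlist; in that mode `ci-build` is flagged while `nuget-push` passes.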

Revoke leaked PATs automatically (tenant policy)

Azure DevOps Administrators can manage the policy that automatically revokes leaked PATs. This policy applies to all PATs within organizations linked to your Microsoft Entra tenant. By default, this policy is set to on. If Azure DevOps PATs are checked into public GitHub repositories, they're automatically revoked.

Warning

Disabling this policy means any PATs checked into public GitHub repositories remain active, potentially compromising your Azure DevOps organization and data, and putting your applications and services at significant risk. Even with the policy disabled, you still receive an email notification if a PAT is leaked, but it isn't revoked automatically.

Turn off automatic revocation of leaked PATs

  1. Sign in to your organization (https://dev.azure.com/{yourorganization}).

  2. Select the gear icon, Organization settings.

  3. Select Microsoft Entra, find the Automatically revoke leaked personal access tokens policy and move the toggle to off.

The policy is disabled and any PATs checked into public GitHub repositories remain active.

Next steps