Use policies to manage personal access tokens for users
Azure DevOps Services
This article explains how to limit the creation, scope, and lifespan of new or renewed personal access tokens (PATs) for users in Azure DevOps using Microsoft Entra policies. It also covers managing the automatic revocation of leaked PATs. Each policy's default behavior is detailed in its respective section.
Important
Existing PATs, created through both the UI and APIs, remain valid for the rest of their lifespan. Update your existing PATs to comply with the new restrictions to ensure successful renewal.
Prerequisites
- Organization requirements: Your organization must be linked to Microsoft Entra ID.
- Roles: You must be an Azure DevOps Administrator in Microsoft Entra ID to manage your organization policies. To check your role, sign in to the Azure portal, and then choose Microsoft Entra ID > Roles and administrators. If you're not an Azure DevOps administrator, contact your administrator. If you're not an admin, you can't see the policies.
Restrict creation of global PATs
The Azure DevOps Administrator in Microsoft Entra can restrict users from creating global PATs, which apply to all accessible organizations rather than a single organization. Enabling this policy requires new PATs to be associated with specific Azure DevOps organizations. By default, this policy is set to off.
1. Sign in to your organization (https://dev.azure.com/{yourorganization}).
2. Select Organization settings.
3. Select Microsoft Entra, find the Restrict global personal access token creation policy, and move the toggle to on.
Restrict creation of full-scoped PATs
The Azure DevOps Administrator in Microsoft Entra can restrict users from creating full-scoped PATs. Enabling this policy requires new PATs to be limited to a specific, custom-defined set of scopes. By default, this policy is set to off.
1. Sign in to your organization (https://dev.azure.com/{yourorganization}).
2. Select Organization settings.
3. Select Microsoft Entra, find the Restrict full-scoped personal access token creation policy, and move the toggle to on.
Set maximum lifespan for new PATs
The Azure DevOps Administrator in Microsoft Entra ID can define the maximum lifespan of a PAT, specifying it in days. By default, this policy is set to off.
1. Sign in to your organization (https://dev.azure.com/{yourorganization}).
2. Select Organization settings.
3. Select Microsoft Entra, find the Enforce maximum personal access token lifespan policy, and move the toggle to on.
4. Enter the maximum number of days, and then select Save.
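Because existing PATs keep working until they are renewed, it helps to know in advance which ones will fail the three restrictions above. The following audit script is an added example, not part of this article or of Azure DevOps itself: it runs over a constructed PAT inventory, and the field names (displayName, scope, targetAccounts, validFrom, validTo), the "app_token" value for full access, and the reading of an empty targetAccounts list as "all accessible organizations" are assumptions to verify against the API response you actually receive.

```python
"""Audit a PAT inventory against the tenant policies described above:
no global PATs, no full-scoped PATs, and a maximum lifespan in days.
Field names and values are assumptions (see lead-in), not a documented contract."""
from datetime import datetime

FULL_SCOPE = "app_token"  # assumed: scope string reported for a "Full access" PAT

# Constructed sample inventory, shaped like a decoded JSON list of PAT records.
SAMPLE_PATS = [
    {"displayName": "ci-build", "scope": "vso.build vso.code",
     "targetAccounts": ["org-guid-1"],
     "validFrom": "2024-01-01T00:00:00Z", "validTo": "2024-01-31T00:00:00Z"},
    {"displayName": "laptop-global", "scope": "app_token",
     "targetAccounts": [],  # assumed to mean "all accessible organizations"
     "validFrom": "2024-01-01T00:00:00Z", "validTo": "2025-01-01T00:00:00Z"},
]


def parse_ts(value):
    """Parse an ISO 8601 timestamp with a trailing Z (UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_pat(pat, max_days, restrict_global=True, restrict_full_scope=True):
    """Return the names of the policies this PAT would violate when renewed."""
    violations = []
    if restrict_global and not pat.get("targetAccounts"):
        violations.append("global")
    if restrict_full_scope and pat.get("scope") == FULL_SCOPE:
        violations.append("full-scoped")
    lifespan = parse_ts(pat["validTo"]) - parse_ts(pat["validFrom"])
    if max_days is not None and lifespan.days > max_days:
        violations.append(f"lifespan>{max_days}d")
    return violations


def audit_inventory(pats, max_days, **policies):
    """Map each PAT's display name to its list of violations (empty = compliant)."""
    return {p["displayName"]: audit_pat(p, max_days, **policies) for p in pats}


if __name__ == "__main__":
    for name, found in audit_inventory(SAMPLE_PATS, max_days=90).items():
        print(name, "OK" if not found else "needs update: " + ", ".join(found))
```

Pass `max_days=None` or `restrict_global=False` / `restrict_full_scope=False` to mirror whichever policies your tenant has not enabled.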
Add Microsoft Entra users or groups to the allowlist
Warning
We recommend using groups for your tenant policy allowlists. If you use a named user, note that a reference to their identity will reside in the United States, Europe (EU), and Southeast Asia (Singapore).
Users or groups on the allowlist are exempt from the restrictions and enforcements of these policies when enabled. To add a user or group, select Add Microsoft Entra user or group, then select Add. Each policy has its own allowlist. If a user is on the allowlist for one policy, other activated policies still apply. Therefore, to exempt a user from all policies, add them to each allowlist.
Revoke leaked PATs automatically
The Azure DevOps Administrator in Microsoft Entra ID can manage the policy that automatically revokes leaked PATs. This policy applies to all PATs within organizations linked to your Microsoft Entra tenant. By default, this policy is set to on. If Azure DevOps PATs are checked into public GitHub repositories, they're automatically revoked.
Warning
Disabling this policy means any PATs checked into public GitHub repositories will remain active, potentially compromising your Azure DevOps organization and data, and putting your applications and services at significant risk. Even with the policy disabled, you will still receive an email notification if a PAT is leaked, but it will not be revoked automatically.
Turn off automatic revocation of leaked PATs
1. Sign in to your organization (https://dev.azure.com/{yourorganization}).
2. Select Organization settings.
3. Select Microsoft Entra, find the Automatically revoke leaked personal access tokens policy, and move the toggle to off.
The policy is disabled and any PATs checked into public GitHub repositories remain active.