Restricting PAT Creation in Azure DevOps Is Now in Preview

Table of Contents

  1. What's New
  2. Managing Exceptions
  3. Supporting Packaging Scenarios
  4. Final Thoughts

What's New

  • The "Restrict personal access token creation" policy in Azure DevOps is now in preview.
  • Default behavior: Enabled for new organizations, off for existing ones until manually enabled.
  • Existing PATs will continue to function until they expire.
  • Combine with the "Set maximum lifespan for new PATs" setting for additional control.
  • Manage the policy and sub-policies in Organization settings.

Managing Exceptions

  • Exceptions can be made by adding specific Microsoft Entra users or groups to an allowlist.
  • Use IAM platforms like Microsoft Entra ID Identity Governance to manage access requests and reviews.

Supporting Packaging Scenarios

  • Limit token creation to packaging scopes for users not on the allowlist.
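
Because existing PATs keep working until they expire, enabling the policy leaves a window of residual exposure. The sketch below is an added example, not code from Microsoft or from the original page: it triages a PAT inventory against the settings described above. Assumptions: the inventory record layout and sample data are constructed, the allowlist is already resolved to individual users, the packaging-scope sub-policy is enabled, and the maximum lifespan is expressed in days.

```python
from datetime import datetime, timedelta, timezone

# Azure DevOps packaging scope identifiers; the page itself only says "packaging scopes".
PACKAGING_SCOPES = {"vso.packaging", "vso.packaging_write", "vso.packaging_manage"}

def triage_existing_pats(tokens, allowlist, max_lifespan_days, now):
    """Flag unexpired PATs that the policy settings would no longer permit as issued.

    tokens: dicts with owner, name, scopes (space-separated), valid_to (aware datetime).
    allowlist: owners exempt from the restriction (assumed already resolved from groups).
    Returns (owner, name, finding) tuples, longest remaining lifetime first.
    """
    # Latest expiry a PAT created today could have under the lifespan setting.
    horizon = now + timedelta(days=max_lifespan_days)
    findings = []
    for t in tokens:
        if t["valid_to"] <= now:
            continue  # expired: no residual exposure
        scopes = set(t["scopes"].split())
        packaging_only = bool(scopes) and scopes <= PACKAGING_SCOPES
        if t["owner"] not in allowlist and not packaging_only:
            finding = "not-creatable-under-policy"
        elif t["valid_to"] > horizon:
            finding = "outlives-max-lifespan"
        else:
            continue
        findings.append((t["valid_to"], t["owner"], t["name"], finding))
    return [(o, n, f) for _, o, n, f in sorted(findings, reverse=True)]

def demo():
    # Constructed inventory; owners, token names and dates are made up.
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    def pat(owner, name, scopes, days):
        return {"owner": owner, "name": name, "scopes": scopes,
                "valid_to": now + timedelta(days=days)}
    tokens = [
        pat("alice@example.com", "ci-push", "vso.code_write vso.build_execute", 300),
        pat("bob@example.com", "nuget-feed", "vso.packaging", 20),
        pat("carol@example.com", "release-bot", "vso.code_write", 200),
        pat("dave@example.com", "stale", "vso.code", -5),
        pat("erin@example.com", "feed-long", "vso.packaging_write", 365),
    ]
    return triage_existing_pats(tokens, {"carol@example.com"}, 30, now)

if __name__ == "__main__":
    for row in demo():
        print(*row, sep="\t")
```

Tokens flagged "not-creatable-under-policy" are candidates for early revocation or for an allowlist request; "outlives-max-lifespan" tokens are candidates for rotation to a shorter expiry.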

Final Thoughts

  • The policy is a significant step in reducing PAT usage and enhancing security practices.
  • Feedback on how this policy has impacted PAT usage is welcome.