Revoke personal access tokens for organization users (for admins)

Azure DevOps Services | Azure DevOps Server | Azure DevOps Server 2022

If a personal access token (PAT) is compromised, act swiftly. Administrators can revoke a user's PAT to safeguard the organization. Disabling a user's account also revokes their PAT.

Tip

To create or revoke your own PAT, go to your Personal access token page.

Important

Consider using the more secure Microsoft Entra tokens over higher-risk personal access tokens. For more information, see Reduce PAT usage. Review the authentication guidance to choose the right authentication mechanism for your needs.

Why revoke user PATs?

Revoking user PATs is essential for the following reasons:

  • Compromised token - Prevent unauthorized access if a token is compromised.
  • User leaves the organization - Ensure former employees no longer have access.
  • Permission changes - Invalidate tokens that reflect old permissions.
  • Security breach - Mitigate unauthorized access during a breach.
  • Regular security practices - Regularly revoke and reissue tokens as part of a security policy.

Tip

To use AI assistance with this task, see Use AI to manage personal access tokens later in this article, or see Enable AI assistance with Azure DevOps MCP Server to get started.

Prerequisites

| Category | Requirements |
|---|---|
| Permissions | Member of the Project Collection Administrators group. Organization owners are automatically members of this group. |

Revoke PATs

  1. To revoke OAuth authorizations, including PATs, for your organization's users, see Token revocations - Revoke authorizations.
  2. To automate calling the REST API, use this PowerShell script, which takes a list of user principal names (UPNs). If you don't know the UPN of the user who created the PAT, use this script with a specified date range instead.

Note

When you use a date range, any JSON web tokens (JWTs) are also revoked. Any tooling that relies on these tokens doesn't work until refreshed with new tokens.

  3. After you successfully revoke the affected PATs, inform your users. They can recreate their tokens as necessary.

There might be a delay of up to one hour before the PAT becomes inactive. This latency period persists until the disable or delete operation is fully processed in Microsoft Entra ID.
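The following script is an added example of automating step 2; it is not the PowerShell script linked from this article. It resolves each UPN to a Graph subject descriptor, lists that user's PATs, logs them, and submits one revocation call. The three REST endpoints and the field names (`principalName`, `descriptor`, `authorizationId`, `displayName`, `validTo`, `scope`) are assumptions based on the Token Admin and Graph REST APIs, so verify them against the REST reference for your api-version before use. It assumes `$AccessToken` is a Microsoft Entra access token for Azure DevOps held by a Project Collection Administrator, and it supports `-WhatIf` so you can review the list before anything is revoked.

```powershell
<#
Added example, not the script linked from this article.
Assumptions (verify against the Azure DevOps REST reference for your api-version):
  GET  {base}/graph/users                                  users with principalName and descriptor
  GET  {base}/tokenadmin/personalaccesstokens/{descriptor} that user's PATs
  POST {base}/tokenadmin/revocations                       body: [{ "authorizationId": "..." }, ...]
Usage:
  .\Revoke-UserPats.ps1 -Organization contoso -UserPrincipalNames alice@contoso.com,bob@contoso.com -AccessToken $token -WhatIf
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string]   $Organization,
    [Parameter(Mandatory)] [string[]] $UserPrincipalNames,
    [Parameter(Mandatory)] [string]   $AccessToken   # Entra access token of a Project Collection Administrator
)

$ErrorActionPreference = 'Stop'
$base    = "https://vssps.dev.azure.com/$Organization/_apis"
$api     = 'api-version=7.1-preview.1'
$headers = @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' }

# Page through graph/users; the continuation token is returned in a response header.
function Get-AllGraphUsers {
    $uri = "$base/graph/users?$api"
    do {
        $resp = Invoke-WebRequest -Uri $uri -Headers $headers
        ($resp.Content | ConvertFrom-Json).value
        $ct = $resp.Headers['X-MS-ContinuationToken']
        if ($ct) { $uri = "$base/graph/users?continuationToken=$ct&$api" }
    } while ($ct)
}

$allUsers = Get-AllGraphUsers
$toRevoke = @()   # one { authorizationId } entry per token

foreach ($upn in $UserPrincipalNames) {
    $user = $allUsers | Where-Object { $_.principalName -eq $upn } | Select-Object -First 1
    if (-not $user) { Write-Warning "No user found for $upn; skipping"; continue }

    $pats = (Invoke-RestMethod -Uri "$base/tokenadmin/personalaccesstokens/$($user.descriptor)?$api" -Headers $headers).value
    foreach ($pat in $pats) {
        # Record what is about to be revoked so the action is traceable alongside the audit log.
        Write-Host ("{0}`t{1}`tvalidTo={2}`tscope={3}" -f $upn, $pat.displayName, $pat.validTo, $pat.scope)
        $toRevoke += @{ authorizationId = $pat.authorizationId }
    }
}

if ($toRevoke.Count -eq 0) { Write-Host 'Nothing to revoke.'; return }

if ($PSCmdlet.ShouldProcess("$($toRevoke.Count) token(s) in $Organization", 'Revoke')) {
    # -InputObject keeps a one-element list serialized as a JSON array rather than a bare object.
    $body = ConvertTo-Json -InputObject @($toRevoke) -Depth 3
    Invoke-RestMethod -Method Post -Uri "$base/tokenadmin/revocations?$api" -Headers $headers -Body $body | Out-Null
    Write-Host 'Revocation submitted; tokens can take up to an hour to become inactive.'
}
```

Run it once with `-WhatIf` to review the logged tokens, then again without it. This example only revokes PATs belonging to the named users; for the case where you don't know the UPN, or where JWTs issued through the OAuth flow must also be revoked, use the article's date-range script instead.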

FedAuth token expiration

A FedAuth token is issued when you sign in. It's valid for a seven-day sliding window: the expiry automatically extends another seven days whenever you refresh it within that window. If users access the service regularly, only an initial sign-in is needed. After a period of inactivity exceeding seven days, the token becomes invalid and the user must sign in again.

PAT expiration

Users can choose an expiry date for their PAT, not to exceed one year. Use shorter time periods and generate new PATs upon expiry. Users receive a notification email one week before the token expires. Users can generate a new token, extend the expiry of the existing token, or change the scope of the existing token if needed.

Auditing logs

If your organization is connected to Microsoft Entra ID, you have access to audit logs that track various events, including permissions changes, deleted resources, and log access. These audit logs are valuable for checking revocations or investigating any activity. For more information, see Access, export, and filter audit logs.

Frequently asked questions (FAQs)

Q: What happens to a PAT if a user leaves my company?

A: After a user is removed from Microsoft Entra ID, their PATs and FedAuth tokens are invalidated within an hour, because the refresh token is valid for only one hour.

Q: Should I revoke JSON web tokens (JWTs)?

A: If you have JWTs that you believe should be revoked, revoke them promptly. Revoke JWTs issued as part of the OAuth flow using the PowerShell script. Be sure to use the date range option in the script.

Use AI to manage personal access tokens

If you have the Azure DevOps MCP Server configured, you can use AI assistants to review and manage personal access tokens for your organization's users using natural language prompts. The MCP Server provides your AI assistant with secure access to your Azure DevOps data, allowing you to audit tokens, check user access, and review security settings without navigating through the web interface.

Example prompts for PAT management

| Task | Example prompt |
|---|---|
| Respond to a security incident | Immediately list all active PATs for <user-email> in <organization-name> and show their scopes and last used dates |
| Clean up after employee departure | Find all PATs and active sessions for <user-email> in <organization-name> that should be revoked |
| Find overly broad tokens | List all full-scoped PATs in <organization-name> that have been active in the last 90 days and who owns them |
| Audit tokens about to expire | Show PATs expiring within the next 7 days in <organization-name> and notify me which ones have Code Write or Build Execute scopes |
| Check for stale tokens | Find PATs in <organization-name> that were created more than a year ago and haven't been used in the last 60 days |
| Review admin-scoped tokens | List all PATs in <organization-name> that have Full access or manage scopes, grouped by user |

Tip

If you're using Visual Studio Code, agent mode is especially helpful for auditing PAT usage and reviewing security policies across your organization.

  • To avoid using stale or cached data from previous queries, add "Do not use previously fetched data" to your prompt.