

Manage personal access tokens using policies (for administrators)

Azure DevOps Services

This article provides guidance on how to use tenant and organization policies to manage personal access tokens (PATs) in Azure DevOps. It explains how to limit the creation, scope, and lifespan of new or renewed PATs, and how to handle the automatic revocation of leaked PATs.

Each section details the default behavior of the respective policies to help administrators effectively control and secure PAT usage within their organization.

Important

Consider using the more secure Microsoft Entra tokens over higher-risk personal access tokens. For more information, see Reduce PAT usage. Review the authentication guidance to choose the right authentication mechanism for your needs.

Existing PATs, created through both the UI and APIs, remain valid for the rest of their lifespan. Update your existing PATs to comply with the new restrictions to ensure successful renewal.

Tip

Later in this article, you can see how to use an AI assistant to help with this task, or see Enable AI assistance with Azure DevOps MCP Server to get started.

Prerequisites

Category: Microsoft Entra tenant
Requirements: Your organization is linked to a Microsoft Entra tenant.

Category: Permissions
Requirements: Azure DevOps Administrator (Microsoft Entra role) for the tenant policies; member of the Project Collection Administrators group for the organization policy.

Add Microsoft Entra users or groups to policy allowlists

Warning

Use groups for your allowlists. If you list a named user, a reference to their identity resides in the United States, Europe (EU), and Southeast Asia (Singapore).

Users or groups on the allowlist for any of these policies are exempt from the restrictions and enforcements when policies are enabled.

Each policy has its own unique allowlist. To exempt a user from all policies, add them to each allowlist. For the tenant policies, select Add Microsoft Entra user or group, then select Add.

Restrict creation of global PATs (tenant policy)

Azure DevOps Administrators can restrict users from creating global PATs, which can be used in all accessible organizations rather than a single organization. When this policy is enabled, new PATs must be associated with specific Azure DevOps organizations. By default, this policy is set to off.

  1. Sign in to your organization (https://dev.azure.com/{yourorganization}).

  2. Select gear icon Organization settings.

    Screenshot showing Organization settings button in the sidebar.

  3. Select Microsoft Entra, find the Restrict global personal access token creation policy and move the toggle on.

    Screenshot of toggle moved to on position for Restrict global PAT creation policy.

Restrict creation of full-scoped PATs (tenant policy)

Azure DevOps Administrators can restrict users from creating full-scoped PATs. Enabling this policy requires new PATs to be limited to a specific, custom-defined set of scopes. By default, this policy is set to off.

  1. Sign in to your organization (https://dev.azure.com/{yourorganization}).

  2. Select gear icon Organization settings.

  3. Select Microsoft Entra, find the Restrict full-scoped personal access token creation policy and move the toggle on.

    Screenshot of toggle moved to on position for the Restrict full-scoped PAT creation policy.

Set maximum lifespan for new PATs (tenant policy)

Azure DevOps Administrators can define the maximum lifespan of a PAT, specifying it in days. By default, this policy is set to off.

  1. Sign in to your organization (https://dev.azure.com/{yourorganization}).

  2. Select gear icon Organization settings.

  3. Select Microsoft Entra, find the Enforce maximum personal access token lifespan policy and move the toggle on.

    Screenshot of toggle moved to on position for Enforce maximum PAT lifespan policy.

  4. Enter the number of maximum days, and then select Save.

Restrict personal access token creation (organization policy)

Note

This policy is only available for Microsoft Entra-backed organizations.

Project Collection Administrators can control who creates and regenerates PATs in the organizations they manage. By default, this policy is set to off. Existing PATs continue working until the PAT's expiration date.

Tip

Combine this policy with a short duration set for the "Set maximum lifespan for new PATs" policy to drive down PAT usage in your organization.

The policy also blocks global PAT usage in the organization. Global PAT users must be added to the allowlist to continue to use their global PAT in the organization.

  1. Sign in to your organization (https://dev.azure.com/{yourorganization}).

  2. Select gear icon Organization settings.

  3. Select Policies, find the Restrict personal access token (PAT) creation policy.

    Screenshot of toggle moved to on position and subpolicies checked for Restrict personal access token creation policy.

  4. If your organization members regularly use packaging PATs, select the Allow creation of PAT with packaging scope only checkbox. Many packaging scenarios still rely on PATs and haven't fully transitioned to Microsoft Entra-based authentication. When this policy is enabled, users who aren't on the allowlist have access only to packaging scopes on their "Personal access tokens" page.

    Screenshot of packaging scopes available only on the user's Create a new personal access token modal.

  5. If any Microsoft Entra users or groups require continued access to PATs, add them to the allowlist by selecting Manage and searching for the user or group in the dropdown. After allowlist updates are complete, select the checkbox next to Allow creation of PAT of any scope for selected Microsoft Entra users and groups.

  6. Move the toggle to on for the restriction policy to apply. Selected subpolicies don't apply until the toggle is on.
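The tenant policies above (global PATs, full-scoped PATs, maximum lifespan) and the organization policy's packaging-only and allowlist sub-policies are all simple predicates over a token's scope, target organizations, validity window and owner. The following added example is not from this article or from Microsoft; it evaluates a constructed list of PAT records against those predicates and produces a per-user report of tokens that would violate the policies if they were renewed. The record field names (displayName, scope, validFrom, validTo, targetAccounts, owner), the full-access scope name "app_token", the packaging scope names, and the convention that an empty targetAccounts list means a global PAT are all assumptions modelled loosely on the PAT lifecycle REST API response; verify them against the data your tenant actually returns.

```python
"""Evaluate PAT records against the tenant and organization PAT policies.

Added example (not Microsoft's code). Record shape and scope names are
assumptions; adjust them to match the PAT API response in your tenant.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Assumption: a full-scoped PAT carries this single scope in the API.
FULL_ACCESS_SCOPE = "app_token"

# Assumption: the scopes the "packaging scope only" sub-policy permits.
PACKAGING_SCOPES = frozenset(
    {"vso.packaging", "vso.packaging_write", "vso.packaging_manage"}
)


@dataclass
class PatPolicy:
    """Mirror of the toggles described in the article; all off by default."""
    max_lifespan_days: Optional[int] = None  # None: lifespan policy is off
    restrict_full_scope: bool = False
    restrict_global: bool = False
    packaging_only: bool = False             # org sub-policy
    allowlist: frozenset = frozenset()       # owners exempt from every check


def _parse(ts: str) -> datetime:
    # The API returns ISO-8601 with a trailing Z; fromisoformat needs +00:00.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def evaluate(pat: dict, policy: PatPolicy) -> List[str]:
    """Return the list of policy violations for one PAT (empty if compliant)."""
    if pat["owner"] in policy.allowlist:
        return []  # allowlisted users are exempt from all restrictions
    findings: List[str] = []
    scopes = set(pat["scope"].split())
    lifespan = (_parse(pat["validTo"]) - _parse(pat["validFrom"])).days
    if policy.max_lifespan_days is not None and lifespan > policy.max_lifespan_days:
        findings.append(f"lifespan {lifespan}d exceeds {policy.max_lifespan_days}d")
    if policy.restrict_full_scope and FULL_ACCESS_SCOPE in scopes:
        findings.append("full-scoped (app_token)")
    if policy.restrict_global and not pat.get("targetAccounts"):
        findings.append("global PAT (no target organization)")
    if policy.packaging_only and not scopes <= PACKAGING_SCOPES:
        extra = ", ".join(sorted(scopes - PACKAGING_SCOPES))
        findings.append(f"scopes outside packaging: {extra}")
    return findings


def compliance_report(pats: List[dict], policy: PatPolicy) -> Dict[str, list]:
    """Group non-compliant tokens by owner: {owner: [(displayName, findings)]}."""
    report: Dict[str, list] = {}
    for pat in pats:
        findings = evaluate(pat, policy)
        if findings:
            report.setdefault(pat["owner"], []).append((pat["displayName"], findings))
    return report


# Constructed sample data; not real tokens or users.
SAMPLE_PATS = [
    {"displayName": "ci-build", "owner": "alice",
     "scope": "vso.build_execute vso.code",
     "validFrom": "2024-01-01T00:00:00Z", "validTo": "2024-03-01T00:00:00Z",
     "targetAccounts": ["org-a"]},
    {"displayName": "legacy-full", "owner": "bob",
     "scope": "app_token",
     "validFrom": "2024-01-01T00:00:00Z", "validTo": "2025-01-01T00:00:00Z",
     "targetAccounts": []},
    {"displayName": "nuget-feed", "owner": "carol",
     "scope": "vso.packaging vso.packaging_write",
     "validFrom": "2024-01-01T00:00:00Z", "validTo": "2024-02-01T00:00:00Z",
     "targetAccounts": ["org-a"]},
    {"displayName": "break-glass", "owner": "dave",
     "scope": "app_token",
     "validFrom": "2024-01-01T00:00:00Z", "validTo": "2024-12-31T00:00:00Z",
     "targetAccounts": []},
]

# All three tenant policies on, 90-day maximum, packaging-only sub-policy on,
# and one allowlisted user (the shape the article's "Tip" recommends).
DEFAULT_POLICY = PatPolicy(
    max_lifespan_days=90, restrict_full_scope=True, restrict_global=True,
    packaging_only=True, allowlist=frozenset({"dave"}),
)

if __name__ == "__main__":
    for owner, tokens in compliance_report(SAMPLE_PATS, DEFAULT_POLICY).items():
        for name, findings in tokens:
            print(f"{owner}/{name}: " + "; ".join(findings))
```

Run against a real export, the same function answers the compliance question in the AI prompt table below this article's procedures: which existing tokens would fail renewal once a policy is switched on, and therefore which owners need to be contacted or allowlisted before the toggle is flipped.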

Revoke leaked PATs automatically (tenant policy)

Azure DevOps Administrators can manage the policy that automatically revokes leaked PATs. This policy applies to all PATs within organizations linked to your Microsoft Entra tenant. By default, this policy is set to on. If Azure DevOps PATs are checked into public GitHub repositories, they're automatically revoked.

Warning

Disabling this policy means any PATs checked into public GitHub repositories remain active, potentially compromising your Azure DevOps organization and data, and putting your applications and services at significant risk. Even with the policy disabled, you still receive an email notification if a PAT is leaked, but it isn't revoked automatically.

Turn off automatic revocation of leaked PATs

  1. Sign in to your organization (https://dev.azure.com/{yourorganization}).

  2. Select gear icon Organization settings.

  3. Select Microsoft Entra, find the Automatically revoke leaked personal access tokens policy and move the toggle to off.

The policy is disabled and any PATs checked into public GitHub repositories remain active.

Use AI to manage PAT policies

If you have the Azure DevOps MCP Server configured, you can use AI assistants to manage and audit personal access token policies using natural language prompts. The MCP Server provides your AI assistant with secure access to your Azure DevOps data, allowing you to check policy settings, list tokens, and review PAT activity without navigating through the web interface.

Example prompts for managing PAT policies

Task: Enforce least-privilege token policy
Example prompt: Restrict full-scoped PATs in <organization-name> and set the maximum lifetime to 90 days for all new tokens

Task: Generate a token compliance report
Example prompt: Show all PATs in <organization-name> that exceed the 90-day lifetime policy or have full access scope, grouped by user

Task: Prepare for Managed Identity migration
Example prompt: List all PATs in <organization-name> used for automated pipelines and suggest which ones could be replaced with managed identity or service principal authentication

Task: Set up allowlisted PATs
Example prompt: Configure the PAT policy for <organization-name> to allow only tokens with Code Read, Work Items Read, and Build Execute scopes

Task: Monitor policy violations
Example prompt: Show me the audit log entries for PAT creation events in <organization-name> over the last 30 days that violated any active policy

Task: Review token usage patterns
Example prompt: For each user in <organization-name>, show the count of active PATs, their broadest scope, and when each was last used

Tip

If you're using Visual Studio Code, agent mode is especially helpful for auditing PAT usage and identifying tokens that need rotation or revocation.

  • To avoid using stale or cached data from previous queries, add to your prompt, Do not use previously fetched data.

Next step