Introduction

A personal access token (PAT) is an alternative to password authentication for Azure DevOps. If you have been using Azure, it is the same concept as a service principal in Azure. When you are working with a third-party tool that does not support AAD integration, you can use a PAT to limit the risk.

PATs are easy to create and manage, which is exactly why we as administrators are always wary of creating PATs for an ADO organization. Even though a PAT allows granular scope through custom defined access, as shown in the screenshot below, it still does not let us control which users can create one, or standardize PATs across our ADO organization through a policy.

Legacy way of using PATs

As mentioned earlier, the only option for managing PATs was to use custom defined access and make sure we assigned the required permissions to each PAT, which meant a lot of manual, repetitive work. For example, if we had two different applications, we would have to make sure both PATs were assigned the required permissions and lifespan manually. ADO did not provide any option to manage this through a policy.

What’s new in ADO

Now you can restrict creation of global PATs

Microsoft announced that it has added an option to streamline this using policies in Azure DevOps. In this guide, I list the prerequisites and the steps to create these policies.

Prerequisites

  • To use this feature, your organization must be linked to Azure AD.
  • You must be an Azure DevOps Administrator in Azure AD; this role lets you manage your organization policy. To check your role, go to “Azure Active Directory > Roles and Administrators”.

How to create policy for restricting PAT creation

ADO administrators can now restrict users from creating global PATs, which was not possible before. Because this is managed at the AAD level, a global token applies to all organizations the user can access rather than only the single organization chosen when creating the token. This also means that new PATs must be associated with specific ADO organizations.

1.) Sign into your organization (https://dev.azure.com/<your_organization>)

2.) Choose “Organization settings”

3.) In the Azure Active Directory tab, click the Connect Directory option to connect ADO with Azure Active Directory.

4.) Select the directory you would like to connect with your Azure DevOps organization.

5.) After connecting to the Azure Active Directory organization, it will prompt you to sign out. Sign out, sign in again and navigate to the Azure Active Directory section. Scroll down and you will see the options below:

  • Restrict global PAT creation:
    • Using this option we can ensure that only specific users or groups can create global PATs.
  • Restrict full-scoped PAT creation:
    • This option restricts users from granting Full access to a PAT (see the Introduction section).
  • Enforce maximum PAT lifespan:
    • Using this option we can standardize the lifespan and ensure the organization does not have an active personal access token beyond a specified duration.
  • Allow list under each policy:
    • Users or groups on the allow list are exempt from that policy's restrictions. Each of the three policies has its own allow list, which lets you manage exemptions at a policy level. If a user is on the allow list of one policy, the restrictions imposed by the other policies still apply to that user or group.
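As an added example (not from the original post or from Microsoft), the following Python audit applies the three policy rules above to a list of PAT records and honours the per-policy allow lists, so an exemption under one policy never hides a finding under another. The record fields (owner, scope, validFrom, validTo, targetAccounts) and the records themselves are constructed for this example, loosely modelled on the PAT lifecycle API response; the policy and scope names in the code are assumptions too.

```python
from datetime import datetime, timedelta, timezone

# Policy names as they appear on the Azure DevOps organization settings page.
GLOBAL, FULL_SCOPE, LIFESPAN = "restrict_global_pat", "restrict_full_scope_pat", "max_pat_lifespan"
FULL_ACCESS_SCOPE = "app_token"  # scope value Azure DevOps reports for a full-access PAT

# Constructed PAT records for this example. Field names are an assumption loosely
# modelled on the PAT lifecycle API; "owner" is added here to model the allow lists.
SAMPLE_PATS = [
    {"displayName": "ci-build", "owner": "alice", "scope": "vso.build vso.code",
     "validFrom": "2024-01-01T00:00:00Z", "validTo": "2024-01-31T00:00:00Z",
     "targetAccounts": ["org-guid-1"]},
    {"displayName": "admin-all", "owner": "bob", "scope": FULL_ACCESS_SCOPE,
     "validFrom": "2024-01-01T00:00:00Z", "validTo": "2025-01-01T00:00:00Z",
     "targetAccounts": []},  # empty list = global token, valid in every accessible org
    {"displayName": "release-bot", "owner": "carol", "scope": FULL_ACCESS_SCOPE,
     "validFrom": "2024-01-01T00:00:00Z", "validTo": "2024-03-01T00:00:00Z",
     "targetAccounts": ["org-guid-1"]},
    {"displayName": "legacy-sync", "owner": "carol", "scope": "vso.code",
     "validFrom": "2024-01-01T00:00:00Z", "validTo": "2024-12-31T00:00:00Z",
     "targetAccounts": ["org-guid-1"]},
]
# carol is exempt from the full-scope policy only; the lifespan policy still applies to her.
SAMPLE_ALLOW_LISTS = {GLOBAL: set(), FULL_SCOPE: {"carol"}, LIFESPAN: set()}

def _ts(value):
    """Parse the UTC timestamp format used in the records above."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_pats(pats, max_lifespan_days, allow_lists):
    """Return {displayName: [violated policies]} for every PAT breaching a policy.
    allow_lists maps a policy name to the owners exempt from that policy alone."""
    limit = timedelta(days=max_lifespan_days)
    findings = {}
    for pat in pats:
        owner, violations = pat["owner"], []
        if not pat["targetAccounts"] and owner not in allow_lists.get(GLOBAL, ()):
            violations.append(GLOBAL)
        if pat["scope"] == FULL_ACCESS_SCOPE and owner not in allow_lists.get(FULL_SCOPE, ()):
            violations.append(FULL_SCOPE)
        lifespan = _ts(pat["validTo"]) - _ts(pat["validFrom"])
        if lifespan > limit and owner not in allow_lists.get(LIFESPAN, ()):
            violations.append(LIFESPAN)
        if violations:
            findings[pat["displayName"]] = violations
    return findings

if __name__ == "__main__":
    for name, policies in audit_pats(SAMPLE_PATS, 90, SAMPLE_ALLOW_LISTS).items():
        print(f"{name}: violates {', '.join(policies)}")
```

With a 90-day cap, the sample run flags admin-all under all three policies and legacy-sync under the lifespan policy only, while release-bot passes because carol is on the full-scope allow list.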