Azure DevOps will no longer support Alternate Credentials authentication
We, the Azure DevOps team, work hard to ensure that your code is protected while enabling you to have friction free access. Until now, we’ve offered customers the ability to use Alternate Credentials in situations where they are connecting to Azure DevOps using legacy tools. While using Alternate Credentials was an easy way to set up authentication access to Azure DevOps, it is also less secure than other alternatives such as personal access tokens (PATs). As such, we believe the use of Alternate Credentials authentication represents a security risk to our customers because they never expire and can’t be scoped to limit access to the Azure DevOps data.
Security Changes
Azure DevOps will stop supporting Alternate Credentials authentication beginning March 2, 2020. The deprecation process will start by disabling and hiding this feature for organizations that are not using Alternate Credentials beginning December 9, 2019. Then starting March 2, 2020 we will gradually turn off this feature for the rest of the organizations, which means that individuals using Alternate Credentials have until then to transition to a more secure authentication method to avoid this breaking change impacting their DevOps workflows.
Will this impact you?
For each organization you belong to, in order to check if you have Alternate Credentials configured, go to the Azure DevOps portal. In the top right corner, open the User Settings menu 
, then click on the Alternate Credentials menu item.
If you have Alternate Credentials configured in Azure DevOps, you will see it listed. In this case, you should move to another form of authentication by March 2, 2020. We recommend PATs.
- If you are using Alternate Credentials with Git (this is the most common usage scenario), then follow these instructions to set up Git with PATs.
- The recommendation for Linux is to use SSH keys.
- If you are not using Alt Creds with Git and you are not using Linux, please follow these instructions for switching to PATs.
- If you need to refresh tokens programmatically, you can use OAuth.
If you see ‘Secondary Inactive’ or a message stating that Alternate Credentials were disabled for your organization, it means you don’t have Alternate Credentials set in Azure DevOps. There is no action item for you.
Deprecation Timeline
- Beginning December 9, 2019 we will disable and hide Alternate Credentials settings for organizations that don’t have Alternate Credentials set. This change will be in effect for all these organizations by December 20, 2019.
- In the coming months we will work with our customers that are still using the feature, to help them switch to another, more secure authentication method.
- March 2, 2020 – Start gradually disabling Alternate Credentials for all Azure DevOps organizations.
Contact Us
If you have any questions, please open a developer community item with the tag [AltCreds] in the title. For faster service, please search for [AltCreds] in the developer community forum first, as your question might already be answered. You can reach out to us on Twitter at @AzureDevOps too.
FAQ
Q: As a user, what happens when Azure DevOps disables Alternate Credentials?
A: The tools that you use to connect to Azure DevOps using Alternate Credentials will stop working.
Q: As a user, how do I know in what scenario I am using Alternate Credentials in a specific organization?
A: We will email you the user agent (if we have it) and the identity that is using it, starting mid-December 2019.
Q: As a user, should I delete my Alternate Credentials for a specific organization?
A: You are not required to, but this is a way to test if anything is broken if you remove them. You can re-enable your Alternate Credentials after completing the test. Save the username and password somewhere before deleting it, just in case.
Q: As an administrator, how do I know if there are active users of Alternate Credentials in my organization?
A: We will email you this information, along with the user agents (if we have this information) and the identities that are using Alternate Credentials, starting mid-December 2019.
Q: As an administrator, should I turn off the alternate Credentials policy?
A: If you want to get this change faster, you can turn the policy off. Turning the policy off is reversible until December 8, 2019. After that, you won’t be able to turn the policy on from the portal. You would need to contact us to do that. (contact info above).
Q: Will this change apply to Azure DevOps Server?
A: No, because we already do not support Alternate Credentials in Azure DevOps Server.
Light
Dark
33 comments
Can someone suggest how I automate azure work item resolution without using my own PAT in absence of alternate creds?
You can create a service account, log-in with that and generate a PAT for the service account. Have you tried that?
My organization is using git on Linux and are using personal access tokens to access an ADO https server. We have a question about how to interpret the advice in this article. It states in one place that use of PATs is recommended. But then in another place it says SSH is recommended for Linux. What exactly is your advice? For use on Linux, should our first choice be PATs, or SSH?
Sorry about the confusion in our docs. Our recommendation is to use PATs even on Linux.