November 9th, 2021

Known issue with publishing extensions: “Your ability to create global personal access tokens (PATs) is restricted by your organization.”

pazand
Product Manager

If you’ve run into trouble while trying to publish an Azure DevOps or Visual Studio extension to the Visual Studio Marketplace, please ask your administrator if they have enabled the new policy to restrict the creation of global personal access tokens (PATs).

Symptom

[Screenshot: PAT creation symptom]

Today, in order to publish an extension to the Visual Studio Marketplace using the Cross-platform CLI for Azure DevOps (tfx-cli), you must create a personal access token that applies to all accessible organizations (a “global PAT”). Note that you only need a personal access token if you are publishing via the CLI; you do not need a PAT to publish via the Visual Studio Marketplace Web Portal.

If you are unable to create a personal access token for all accessible organizations with the desired marketplace scopes, you will not be able to publish extensions to the Visual Studio Marketplace from your organization via the CLI.

Cause

Azure DevOps released several new security features which allow company administrators to restrict the creation of personal access tokens. One such feature prevents the creation of personal access tokens that apply to all accessible organizations (“global PATs”). By default, the policy is disabled and users are free to create global personal access tokens (PATs). However, once enabled, the policy prevents the creation of global PATs and in turn, prevents users from publishing to the marketplace with the CLI.

Workarounds

If you need to publish an extension through the CLI and have been blocked by the new policy, the primary workaround is to ask your administrator to add your user account to the allowlist for the policy. Azure AD users and groups added to the allowlist will be exempt from the restriction and will be able to create PATs appropriate for publishing to the marketplace.

Additionally, the policy can be turned on or off altogether. By default, it is set to off.

Other Issues?

If neither of the workarounds works for you, or if you’re having other issues, please let us know by commenting below. We apologize for the inconvenience as we work towards a long-term solution.

Author

Parsa is a Product Manager on the Azure DevOps team.

2 comments

  • Altaf Hussain · Edited

    Thanks for sharing this valuable information.

  • Mohammad Ashfak

    This is the 4th article I read about Azure DevOps