In the new year, we’ll be retiring the Global Personal Access Token (PAT) type in Azure DevOps.
Global PATs allow users to authenticate across all accessible organizations. While this can feel convenient, a single credential with broad reach creates a concentrated security risk — especially as a user’s access footprint grows. This level of privilege becomes an attractive target for bad actors, making global tokens unsuitable for today’s security‑conscious environments.
Setting clear boundaries around high‑impact credentials is one of the most effective ways to prevent large‑scale breaches. As part of Microsoft’s broader security strategy, we are moving away from global, full‑scoped PATs and enforcing organizational‑level policies that limit token power. We strongly recommend transitioning to short‑lived, Microsoft Entra–backed authentication, which offers modern protections such as improved token governance, stronger identity controls, and reduced risk of credential exposure.
These changes reflect real‑world learnings that we have already applied to improve the security posture across Microsoft and many Azure DevOps customers.
Key Dates
-
March 15, 2026 – Creation of new global PATs and regeneration of existing global PATs will be blocked starting on this date. (It may take 1-2 weeks for this change to apply to your organization.)(Update 03/05: We will no longer be proceeding with blocking global PAT creation on March 15. You may continue creating global PATs until December 1.) -
December 1, 2026 – All existing global PATs will be fully decommissioned. Tokens will stop working after this date.
Review your global PATs
To determine if you have any global PATs:
- Sign in to your organization (
https://dev.azure.com/{Your_Organization}). - From your home page, find the user settings icon
in the top right header and select Personal access tokens from the dropdown. - Find the Access scope dropdown and select All accessible organizations with Status set to Active.
- Your active global PATs will be listed here.
in the top right header and select Personal access tokens from the dropdown. 
Recommended Actions
If any of your current workflows rely on global PATs, we encourage you to begin planning your transition now. Options include:
- Splitting authentication across individual Azure DevOps organizations, or
- Adopting Entra‑based, short‑lived authentication in place of PATs.
If you are actively using a global PAT, you will receive ongoing email updates throughout the deprecation process.
To publish an extension using the task – task: QueryAzureDevOpsExtensionVersion@4 we need a PAT which is accessable to all Org right , or else it wont work . How will this be handled in the future ?
Thank you. This update will be released on Azure DevOps Server too? And if so, when?