{"id":61796,"date":"2021-06-03T09:46:59","date_gmt":"2021-06-03T17:46:59","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/devops\/?p=61796"},"modified":"2021-12-22T07:49:16","modified_gmt":"2021-12-22T15:49:16","slug":"new-policies-to-restrict-personal-access-token-scope-and-lifespan","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/new-policies-to-restrict-personal-access-token-scope-and-lifespan\/","title":{"rendered":"New policies to restrict personal access token scope and lifespan"},"content":{"rendered":"<p><a href=\"https:\/\/docs.microsoft.com\/azure\/devops\/organizations\/accounts\/use-personal-access-tokens-to-authenticate?view=azure-devops&amp;tabs=preview-page\">Personal access tokens (PATs)<\/a> make it easy to authenticate against <a href=\"http:\/\/azure.com\/devops\">Azure DevOps<\/a> to integrate with your tools and services. However, <a href=\"https:\/\/devblogs.microsoft.com\/devops\/mitigating-leaked-personal-access-tokens-pats-found-on-github-public-repositories\/\">leaked tokens<\/a> could compromise your Azure DevOps account and data, putting your applications and services at significant risk.<\/p>\n<p>Customers have told us that their administrators don\u2019t have the controls they need to limit the attack surface exposed by a leaked PAT.<\/p>\n<p>To protect our customers, we\u2019ve added a new set of policies that restrict the scope and lifespan of your company\u2019s Azure DevOps personal access tokens (PATs)! 
Here\u2019s how they work:<\/p>\n<p>Users assigned to the <a href=\"https:\/\/docs.microsoft.com\/azure\/active-directory\/users-groups-roles\/directory-assign-admin-roles#azure-devops-administrator\">Azure DevOps Administrator role in Azure Active Directory<\/a> can navigate to the \u201cAzure Active Directory\u201d tab in the organization settings of any Azure DevOps organization linked to their Azure AD.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2021\/06\/PAT_Controls.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2021\/06\/PAT_Controls-925x1024.png\" alt=\"PAT policy controls in the Azure Active Directory tab of Azure DevOps organization settings\" width=\"640\" height=\"708\" class=\"alignnone size-large wp-image-61798\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2021\/06\/PAT_Controls-925x1024.png 925w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2021\/06\/PAT_Controls-271x300.png 271w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2021\/06\/PAT_Controls-768x850.png 768w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2021\/06\/PAT_Controls.png 956w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p>There, administrators can:<\/p>\n<ol>\n<li>restrict the creation of global personal access tokens (tokens that work for all Azure DevOps organizations accessible by the user, rather than a single organization)<\/li>\n<li>restrict the creation of full-scoped personal access tokens (tokens granted the full access scope instead of the narrower, specific scopes a task actually needs)<\/li>\n<li>define a maximum lifespan for new personal access tokens<\/li>\n<\/ol>\n<p>These policies apply to all new PATs created by users for Azure DevOps organizations linked to the Azure AD tenant. 
Each policy has an allowlist of users and groups who are exempt from it; being on the allowlist does not grant permission to manage the policy configuration.<\/p>\n<p>These policies apply only to new PATs and do not affect existing PATs that have already been created and are in use, so tokens issued before a policy was enabled remain valid until they expire. Once a policy is enabled, however, any existing PAT that no longer complies with it must be brought within the restrictions before it can be renewed.<\/p>\n<p>Please comment below with any questions, comments or issues you may have. We take your input seriously and read every bit of feedback. We\u2019re very excited for you all to try this out and let us know what you think!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Azure DevOps Administrators can now define a maximum lifespan for personal access tokens (PATs) and restrict the creation of global and full-scoped PATs. These policies affect all users and Azure DevOps organizations linked to the Azure AD tenant. <\/p>\n","protected":false},"author":51297,"featured_media":61797,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[228,251],"tags":[],"class_list":["post-61796","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-admin-licensing","category-security"],"acf":[],"blog_post_summary":"<p>Azure DevOps Administrators can now define a maximum lifespan for personal access tokens (PATs) and restrict the creation of global and full-scoped PATs. These policies affect all users and Azure DevOps organizations linked to the Azure AD tenant. 
<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/61796","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/users\/51297"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/comments?post=61796"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/61796\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media\/61797"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media?parent=61796"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/categories?post=61796"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/tags?post=61796"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}