{"id":71215,"date":"2025-06-05T09:08:48","date_gmt":"2025-06-05T17:08:48","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/devops\/?p=71215"},"modified":"2025-06-27T07:53:55","modified_gmt":"2025-06-27T15:53:55","slug":"restricting-pat-creation-in-azure-devops-is-now-in-preview","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/restricting-pat-creation-in-azure-devops-is-now-in-preview\/","title":{"rendered":"Restricting PAT Creation in Azure DevOps Is Now in Preview"},"content":{"rendered":"<p>As organizations continue to strengthen their security posture, restricting usage of <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/devops\/organizations\/accounts\/use-personal-access-tokens-to-authenticate\" target=\"_blank\">personal access tokens (PATs)<\/a> has become a critical area of focus. With the latest public preview of the <strong><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/devops\/organizations\/accounts\/manage-pats-with-policies-for-administrators?view=azure-devops#restrict-personal-access-token-creation-organization-policy\" target=\"_blank\">Restrict personal access token creation policy<\/a><\/strong> in Azure DevOps, Project Collection Administrators (PCAs) now have another powerful tool to <a href=\"https:\/\/devblogs.microsoft.com\/devops\/reducing-pat-usage-across-azure-devops\/\" target=\"_blank\">reduce unnecessary PAT usage<\/a> and enforce tighter controls across their organizations.<\/p>\n<blockquote>\n<p>\ud83d\udde3\ufe0f This has been one of our most requested features &#8212; we&#8217;re excited to finally deliver it.<\/p>\n<\/blockquote>\n<h2>Why This Matters<\/h2>\n<p>PATs are a convenient way for users to authenticate with Azure DevOps, but they also pose a risk if not properly managed. Long-lived or overly permissive tokens can become a vector for unauthorized access. 
We have <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/devops\/organizations\/accounts\/manage-pats-with-policies-for-administrators\" target=\"_blank\">tenant-level policies<\/a> that help target these risk vectors by limiting full-scope and global PATs or reducing a PAT\u2019s maximum lifespan.<\/p>\n<p>This new organization-level policy mitigates that risk further by giving administrators the ability to <strong>control who can create or regenerate PATs<\/strong>.<\/p>\n<h2>What\u2019s New<\/h2>\n<p>Once enabled, the <strong>Restrict personal access token creation<\/strong> policy prevents users from creating or regenerating PATs unless they are explicitly allowed. Here\u2019s what you need to know:<\/p>\n<ul>\n<li><strong>Default Behavior<\/strong>: <del datetime=\"2025-06-27T15:51:19+00:00\">For new organizations, the policy is enabled by default.<\/del> (<strong>Update 06\/27<\/strong>: This requirement has been relaxed as part of public preview. We will revisit this potentially as part of General Availability (GA).) For existing organizations, it remains off until manually turned on. <\/li>\n<li><strong>Existing PATs<\/strong>: Tokens already in use will continue to function until they expire. <\/li>\n<li><strong>Global PAT Usage<\/strong>: Global PATs cannot be used in an organization unless the user is added to an allowlist. 
<\/li>\n<\/ul>\n<blockquote>\n<p>\ud83d\udca1 <strong>Tip<\/strong>: Combine this policy with the <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/devops\/organizations\/accounts\/manage-pats-with-policies-for-administrators?view=azure-devops#set-maximum-lifespan-for-new-pats-tenant-policy\" target=\"_blank\">\u201cSet maximum lifespan for new PATs\u201d setting<\/a> to further reduce token sprawl and enforce short-lived credentials.<\/p>\n<\/blockquote>\n<h2>How to Enable the Policy<\/h2>\n<ol>\n<li>\n<p>Sign in to your organization at https:\/\/dev.azure.com\/{yourorganization}.<\/p>\n<\/li>\n<li>\n<p>Navigate to Organization settings via the gear icon.<\/p>\n<\/li>\n<li>\n<p>Select Policies, then locate Restrict personal access token creation.<\/p>\n<\/li>\n<li>\n<p>Toggle the policy on and configure the sub-policies as needed.<\/p>\n<\/li>\n<\/ol>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/06\/disable-pat-policy-1.png\"><img decoding=\"async\" width=\"638\" height=\"196\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/06\/disable-pat-policy-1.png\" alt=\"New Restrict personal access token creation policy in Organization Settings\" class=\"alignnone wp-image-71217\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/06\/disable-pat-policy-1.png 638w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/06\/disable-pat-policy-1-300x92.png 300w\" sizes=\"(max-width: 638px) 100vw, 638px\" \/><\/a><\/p>\n<h3>Managing Exceptions<\/h3>\n<p>Need to make exceptions? 
You can add specific Microsoft Entra users or groups to an allowlist:<\/p>\n<ol>\n<li>\n<p>Click Manage next to \u201cAllow list\u201d under the \u201cAllow creation of PAT of any scope for selected users and groups\u201d subpolicy.<\/p>\n<\/li>\n<li>\n<p>Search for and select Microsoft Entra users or groups.<\/p>\n<\/li>\n<li>\n<p>Check the box for the subpolicy.<\/p>\n<\/li>\n<\/ol>\n<p>Once configured, these users will retain the ability to create PATs of any scope, even with the policy enabled.<\/p>\n<blockquote>\n<p>\ud83d\udca1 <strong>Tip<\/strong>: Use an Identity &amp; Access Management (IAM) platform like <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/id-governance\/identity-governance-overview\" target=\"_blank\">Microsoft Entra ID Identity Governance<\/a> to manage inbound access requests and send access reviews when an existing user\u2019s access to the allowlist is due to expire.<\/p>\n<\/blockquote>\n<h3>Supporting Packaging Scenarios<\/h3>\n<p>Some packaging workflows still rely on PATs. To support these cases without compromising broader security goals, you can enable the \u201c<em>Allow creation of PAT with packaging scope only<\/em>\u201d option. 
This limits token creation to packaging scopes for users not on the allowlist.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/06\/disable-pat-packaging-only.png\"><img decoding=\"async\" width=\"636\" height=\"172\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/06\/disable-pat-packaging-only.png\" alt=\"Packaging scopes available only if the Allow creation of PAT with packaging scope only subpolicy is enabled\" class=\"alignnone wp-image-71218\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/06\/disable-pat-packaging-only.png 636w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/06\/disable-pat-packaging-only-300x81.png 300w\" sizes=\"(max-width: 636px) 100vw, 636px\" \/><\/a><\/p>\n<h2>Final Thoughts<\/h2>\n<p>This policy is a significant step forward in reducing PAT usage and aligning Azure DevOps with modern identity and access management practices. By enabling it, organizations can better protect their environments while still supporting essential workflows.<\/p>\n<p>\ud83d\udcac We\u2019d love to hear from you\u2014has this policy helped your team reduce PAT usage? Are there additional controls you\u2019d like to see? Let us know in the comments below!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As organizations continue to strengthen their security posture, restricting usage of personal access tokens (PATs) has become a critical area of focus. 
With the latest public preview of the Restrict personal access token creation policy in Azure DevOps, Project Collection Administrators (PCAs) now have another powerful tool to reduce unnecessary PAT usage and enforce tighter [&hellip;]<\/p>\n","protected":false},"author":43580,"featured_media":71229,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[224],"tags":[],"class_list":["post-71215","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure"],"acf":[],"blog_post_summary":"<p>As organizations continue to strengthen their security posture, restricting usage of personal access tokens (PATs) has become a critical area of focus. With the latest public preview of the Restrict personal access token creation policy in Azure DevOps, Project Collection Administrators (PCAs) now have another powerful tool to reduce unnecessary PAT usage and enforce tighter 
[&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/71215","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/users\/43580"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/comments?post=71215"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/71215\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media\/71229"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media?parent=71215"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/categories?post=71215"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/tags?post=71215"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}