{"id":72252,"date":"2025-12-12T06:15:06","date_gmt":"2025-12-12T14:15:06","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/devops\/?p=72252"},"modified":"2026-03-26T05:37:23","modified_gmt":"2026-03-26T13:37:23","slug":"retirement-of-global-personal-access-tokens-in-azure-devops","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/retirement-of-global-personal-access-tokens-in-azure-devops\/","title":{"rendered":"Retirement of Global Personal Access Tokens in Azure DevOps"},"content":{"rendered":"<p>In the new year, we\u2019ll be retiring the <strong>Global Personal Access Token (PAT) type<\/strong> in the Azure DevOps Services product. No changes will be made to global PATs in the Azure DevOps Server product.<\/p>\n<p>Global PATs allow users to authenticate across all accessible organizations. While this can feel convenient, a single credential with broad reach creates a concentrated security risk \u2014 especially as a user\u2019s access footprint grows. This level of privilege becomes an attractive target for bad actors, making global tokens unsuitable for today\u2019s security\u2011conscious environments.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/12\/global-pat.webp\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/12\/global-pat.webp\" alt=\"global pat image\" width=\"643\" height=\"344\" class=\"alignnone size-full wp-image-72253\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/12\/global-pat.webp 643w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/12\/global-pat-300x160.webp 300w\" sizes=\"(max-width: 643px) 100vw, 643px\" \/><\/a><\/p>\n<p>Setting clear boundaries around high\u2011impact credentials is one of the most effective ways to prevent large\u2011scale breaches. As part of Microsoft\u2019s broader security strategy, we are moving away from global, full\u2011scoped PATs and enforcing organizational\u2011level policies that limit token power. We strongly recommend transitioning to <strong>short\u2011lived, Microsoft Entra\u2013backed authentication<\/strong>, which offers modern protections such as improved token governance, stronger identity controls, and reduced risk of credential exposure.<\/p>\n<p>These changes reflect real\u2011world learnings that we have already applied to improve the security posture across Microsoft and many Azure DevOps customers.<\/p>\n<h3>Key Dates<\/h3>\n<ul>\n<li>\n<p><del datetime=\"2026-03-05T16:43:06+00:00\"><strong>March 15, 2026<\/strong> \u2013 Creation of new global PATs and regeneration of existing global PATs will be blocked starting on this date. (It may take 1-2 weeks for this change to apply to your organization.)<\/del> <strong>(Update 03\/05: We will no longer be proceeding with blocking global PAT creation on March 15. You may continue creating global PATs until December 1.)<\/strong><\/p>\n<\/li>\n<li>\n<p><strong>December 1, 2026<\/strong> \u2013 All existing global PATs will be fully decommissioned. Tokens will stop working after this date.<\/p>\n<\/li>\n<\/ul>\n<h3>Review your global PATs<\/h3>\n<p>To determine if you have any global PATs:<\/p>\n<ol>\n<li>Sign in to your organization (<code>https:\/\/dev.azure.com\/{Your_Organization}<\/code>). <\/li>\n<li>From your home page, find the user settings icon <img decoding=\"async\" src=\"https:\/\/learn.microsoft.com\/en-us\/azure\/devops\/media\/icons\/user-settings-gear.png?view=azure-devops\" alt=\"https:\/\/learn.microsoft.com\/en-us\/azure\/devops\/media\/icons\/user-settings-gear.png\" \/> in the top right header and select <strong>Personal access tokens<\/strong> from the dropdown. <\/li>\n<li>Find the <strong>Access scope<\/strong> dropdown and select <strong>All accessible organizations<\/strong> with Status set to <strong>Active<\/strong>. <\/li>\n<li>Your active global PATs will be listed here.<\/li>\n<\/ol>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/12\/global-pat-dropdown.webp\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/12\/global-pat-dropdown.webp\" alt=\"global pat dropdown image\" width=\"1096\" height=\"206\" class=\"alignnone size-full wp-image-72506\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/12\/global-pat-dropdown.webp 1096w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/12\/global-pat-dropdown-300x56.webp 300w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/12\/global-pat-dropdown-1024x192.webp 1024w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2025\/12\/global-pat-dropdown-768x144.webp 768w\" sizes=\"(max-width: 1096px) 100vw, 1096px\" \/><\/a><\/p>\n<h3>Recommended Actions<\/h3>\n<p>If any of your current workflows rely on global PATs, we encourage you to begin planning your transition now. Options include:<\/p>\n<ul>\n<li>Splitting authentication across individual Azure DevOps organizations, or <\/li>\n<li>Adopting <strong><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/devops\/integrate\/get-started\/authentication\/entra?view=azure-devops\" target=\"_blank\">Entra\u2011based, short\u2011lived authentication<\/a><\/strong> in place of PATs.<\/li>\n<\/ul>\n<p>If you are actively using a global PAT, you will receive ongoing email updates throughout the deprecation process.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the new year, we\u2019ll be retiring the Global Personal Access Token (PAT) type in the Azure DevOps Services product. No changes will be made to global PATs in the Azure DevOps Server product. Global PATs allow users to authenticate across all accessible organizations. While this can feel convenient, a single credential with broad reach [&hellip;]<\/p>\n","protected":false},"author":43580,"featured_media":72506,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7296],"class_list":["post-72252","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops","tag-pats"],"acf":[],"blog_post_summary":"<p>In the new year, we\u2019ll be retiring the Global Personal Access Token (PAT) type in the Azure DevOps Services product. No changes will be made to global PATs in the Azure DevOps Server product. Global PATs allow users to authenticate across all accessible organizations. While this can feel convenient, a single credential with broad reach [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/72252","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/users\/43580"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/comments?post=72252"}],"version-history":[{"count":2,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/72252\/revisions"}],"predecessor-version":[{"id":72595,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/72252\/revisions\/72595"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media\/72506"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media?parent=72252"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/categories?post=72252"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/tags?post=72252"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}