Restricting PAT Creation in Azure DevOps Is Now in Preview

As organizations continue to strengthen their security posture, restricting usage of personal access tokens (PATs) has become a critical area of focus. With the latest public preview of the Restrict personal access token creation policy in Azure DevOps, Project Collection Administrators (PCAs) now have another powerful tool to reduce unnecessary PAT usage and enforce tighter controls across their organizations.

🗣 This has been one of our most requested features — we’re excited to finally deliver it.

Why This Matters

PATs are a convenient way for users to authenticate with Azure DevOps, but they also pose a risk if not properly managed. Long-lived or overly permissive tokens can become a vector for unauthorized access. We have tenant-level policies that help target these risk vectors by limiting full-scope and global PATs or reducing a PAT’s maximum lifespan.

This new organization-level policy mitigates that risk further by giving administrators the ability to control who can create or regenerate PATs.

What’s New

Once enabled, the Restrict personal access token creation policy prevents users from creating or regenerating PATs unless they are explicitly allowed. Here’s what you need to know:

  • Default Behavior: For new organizations, the policy is enabled by default. For existing organizations, it remains off until manually turned on.
  • Existing PATs: Tokens already in use will continue to function until they expire.
  • Global PAT Usage: Global PATs (tokens scoped to all organizations the user can access) cannot be used in an organization unless the user is added to an allowlist.

💡 Tip: Combine this policy with the “Set maximum lifespan for new PATs” setting to further reduce token sprawl and enforce short-lived credentials.

How to Enable the Policy

  1. Sign in to your organization at https://dev.azure.com/{yourorganization}.

  2. Navigate to Organization settings via the gear icon.

  3. Select Policies, then locate Restrict personal access token creation.

  4. Toggle the policy on and configure the sub-policies as needed.

Screenshot: the new Restrict personal access token creation policy in Organization Settings

Managing Exceptions

Need to make exceptions? You can add specific Microsoft Entra users or groups to an allowlist:

  1. Click Manage next to “Allow list” under the “Allow creation of PAT of any scope for selected users and groups” subpolicy.

  2. Search for and select Microsoft Entra users or groups.

  3. Check the box for the subpolicy.

Once configured, these users will retain the ability to create PATs of any scope, even with the policy enabled.

💡 Tip: Use an identity and access management (IAM) platform such as Microsoft Entra ID Governance to handle inbound access requests for the allowlist and to run access reviews before an existing user's allowlist membership is due to expire.

Supporting Packaging Scenarios

Some packaging workflows still rely on PATs. To support these cases without compromising broader security goals, you can enable the “Allow creation of PAT with packaging scope only” option. This limits token creation to packaging scopes for users not on the allowlist.

Screenshot: packaging scopes are available only when the "Allow creation of PAT with packaging scope only" subpolicy is enabled
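Because tokens that already exist keep working until they expire, turning the policy on does not by itself retire the long-lived or full-scope PATs discussed above, and the packaging-only subpolicy still leaves packaging-scoped tokens creatable. The following script is an added example, not code from the Azure DevOps blog post or product documentation: it triages a page of the PAT Lifecycle Management list response and flags which live tokens to rotate first. It assumes the response shape of GET https://vssps.dev.azure.com/{org}/_apis/tokens/pats?api-version=7.1-preview.1 (a "patTokens" list with displayName, scope, validFrom and validTo), that "app_token" denotes the full-access scope, and that the packaging scopes are the vso.packaging* names; the sample response, names and the 30-day lifetime cap are constructed for illustration.

```python
"""Triage existing PATs after enabling "Restrict personal access token creation".

Added example, not code from the Azure DevOps blog post or product docs.
Assumed response shape (PAT Lifecycle Management REST API): a "patTokens"
list whose items carry displayName, scope, validFrom and validTo. "app_token"
is treated as the full-access scope; any other scope value is a
space-separated list of vso.* scopes. The sample response below is constructed.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone

FULL_ACCESS_SCOPE = "app_token"
# Scopes the "Allow creation of PAT with packaging scope only" subpolicy still
# permits (assumed to be the vso.packaging* scope names).
PACKAGING_SCOPES = {"vso.packaging", "vso.packaging_write", "vso.packaging_manage"}
# Tokens that live longer than this are flagged; align it with the tenant's
# "Set maximum lifespan for new PATs" value (30 days is an assumption here).
MAX_LIFETIME = timedelta(days=30)

# Fixed clock so the example is deterministic.
NOW = datetime(2025, 6, 10, tzinfo=timezone.utc)

# Constructed sample shaped like one page of the list response (no real data).
SAMPLE_RESPONSE = json.dumps({
    "continuationToken": None,
    "patTokens": [
        {"displayName": "ci-build-legacy", "scope": "app_token",
         "validFrom": "2025-01-15T00:00:00Z", "validTo": "2026-01-15T00:00:00Z"},
        {"displayName": "nuget-feed-push", "scope": "vso.packaging_write",
         "validFrom": "2025-06-01T00:00:00Z", "validTo": "2025-06-29T00:00:00Z"},
        {"displayName": "old-readonly", "scope": "vso.code",
         "validFrom": "2023-01-01T00:00:00Z", "validTo": "2024-01-01T00:00:00Z"},
    ],
})


def _parse_time(value: str) -> datetime:
    # The API emits ISO 8601 with a trailing "Z"; older Pythons reject that form.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_pat(pat: dict, now: datetime = NOW) -> list[str]:
    """Return findings for one token: expired, full-access, packaging-only, long-lived."""
    valid_from = _parse_time(pat["validFrom"])
    valid_to = _parse_time(pat["validTo"])
    if valid_to <= now:
        return ["expired"]  # already dead; nothing left for the policy to retire

    findings = []
    scope = pat.get("scope", "")
    if scope == FULL_ACCESS_SCOPE:
        findings.append("full-access")
    elif scope and set(scope.split()) <= PACKAGING_SCOPES:
        findings.append("packaging-only")  # still creatable under the subpolicy
    if valid_to - valid_from > MAX_LIFETIME:
        findings.append("long-lived")
    return findings


def triage(response_json: str, now: datetime = NOW) -> list[dict]:
    """Classify every token in one page of the list response."""
    tokens = json.loads(response_json).get("patTokens", [])
    return [{"displayName": t.get("displayName", "<unnamed>"),
             "validTo": t["validTo"],
             "findings": classify_pat(t, now)} for t in tokens]


def live_tokens_to_rotate(response_json: str, now: datetime = NOW) -> list[str]:
    """Names of unexpired tokens that are full-access or exceed the lifetime cap."""
    return [r["displayName"] for r in triage(response_json, now)
            if {"full-access", "long-lived"} & set(r["findings"])]


if __name__ == "__main__":
    for row in triage(SAMPLE_RESPONSE):
        status = ", ".join(row["findings"]) or "ok"
        print(f'{row["displayName"]:20} valid until {row["validTo"]}  {status}')
    print("rotate first:", live_tokens_to_rotate(SAMPLE_RESPONSE))
```

Feed the script a saved copy of the list response for each user whose tokens you need to review (the lifecycle API is called with a Microsoft Entra access token, not a PAT, and pages with continuationToken), then rotate the full-access and long-lived tokens before their natural expiry rather than waiting for the policy to prevent their regeneration.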

Final Thoughts

This policy is a significant step forward in reducing PAT usage and aligning Azure DevOps with modern identity and access management practices. By enabling it, organizations can better protect their environments while still supporting essential workflows.

💬 We’d love to hear from you—has this policy helped your team reduce PAT usage? Are there additional controls you’d like to see? Let us know in the comments below!

The post Restricting PAT Creation in Azure DevOps Is Now in Preview appeared first on Azure DevOps Blog.
