No more excuse for over-permissive PATs in Azure DevOps!

Microsoft recently made another security improvement for Azure / Azure DevOps users! Previously some Azure DevOps APIs were not associated with a PAT scope. Calling those APIs programmatically required “excessive” full scoped PATs :(

With the recent improvement, security teams have no reason not to restrict full scoped PAT creation. So if you’re yet to, start putting processes in place to restrict who can create PATs and also deny the creation of full scoped PATs (Organization Settings → Azure Active Directory)

If you do not see this option, it is probably because you have not linked your Ornagization to an Azure AD tenant or your user account is not assigned to the “Azure DevOps Administrator” role!

READ MORE:

• https://devblogs.microsoft.com/devops/all-azure-devops-rest-apis-now-support-pat-scopes/?WT.mc_id=AZ-MVP-5003870
• https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/manage-pats-with-policies-for-administrators?WT.mc_id=AZ-MVP-5003870