There are some best practices that can be followed when creating or allowing users to create Personal Access tokens for an organization. These best practices must be followed by individual user when creating personal access token as well as the organizational admin when setting policies which allow creation of personal access tokens (PAT) in Azure DevOps.
If you are an individual user: Whenever you are creating a PAT (Personal access token) in Azure DevOps make sure that you are limiting the scopes of the token. You need not grant full scopes to a PAT unless it is absolute necessary. And more importantly don’t share PATs with users outside of your team as it is bound to misuse. The reason is if the PAT gets leaked then the attacker would be able to do anything what the attackers want with your PAT. So if you intend to use only PAT only for reading workitems then assign the “read” scope for workitems
If you are an Organizational admin: If you are one of the Project Collection administrators (Org Administrators) then you can implement some certain policies in restricting the creation of PAT. If you are having multiple organizations within your company then you can restrict all the users from creating a PAT for all the organizations. In addition to that you can also restrict them from assigning all the scopes to a Personal Access token.
These are some of the best practices that can be followed for managing personal access tokens.