Personal Access Token for a Service Account

Yes it’s possible to create Personal Access Tokens in Azure DevOps for a Service Account and use it for various purposes. I have created a used it for Service accounts for custom Azure DevOps API calls as well for different interactions with Azure DevOps. We can even have an agent running under a service account and use the personal access token created using the service account to connect to Azure DevOps.

Though it can be used for various reasons within organizations, there are some pitfalls too. Sometimes within a organization a PAT created for a service account with full access can be shared across multiple users and if the PAT gets leaked then it will put entire organization at risk as attackers can use the PAT to do whatever they need with Azure DevOps. They would be able to get the code as well as workitems as well as Email IDs

The best possible way is to prevent the scopes of PAT (Personal Access token) when it’s being created and restrict the access of the PAT only the organization from where it’s being created. If a company has multiple organization then restrict the PAT for a service account.