Personal Access Tokens in Azure DevOps

Personal Access Tokens (PAT) can be used to connect to Azure DevOps APIs as well as to the Azure DevOps services by different means. These PAT tokens are just like your passwords and it gives full access to Azure DevOps and it’s services, so treat Personal Access Tokens (PAT) like secrets as if they are exposed, an attacker can full access to Azure DevOps services and can also read the code in Azure DevOps.

Creating a Personal Access Token in Azure DevOps: Personal Access Tokens can be either created through Azure DevOps UI or through the API calls if a user has the required access. Let us see how to create a personal access token through Azure DevOps UI in the below steps

Step1: Click on User Settings icon next and then click on Personal access tokens

Step2: Enter a name for Personal access tokens and then select the scopes as well as expiration date for the PAT token. There are different scopes you can select for a PAT and you need not give full access every time whenever a PAT is created as it’s too dangerous to give full access to PAT

Step3: Once the scopes are chosen along with the expiration date, click on create. Once you have clicked on the create button, Personal access token will be created.

Step4: Copy the PAT and use it right away, this is because if we move away from the page then the PAT token won’t be visible for you again to be used. Either store it in a Azure keyvault as a secret so that it can be used again

There are some certain best practices that needs to be followed when creating a personal access token as an exposed PAT might cause lot of issues as an attacker would be able to read workitems, get email addresses as well as other details