Restricting Global access PAT token creation | Azure DevOps

Currently, a PAT (Personal Access Token) can be created for a single organization or for all the organizations under a specific Azure Active Directory. This can be restricted by enabling an option that allows PATs to be created only for a specific organization. In other words, a PAT created for one organization can’t be used for another organization. The steps below implement this restriction in Azure DevOps.

Prerequisites: The user must be assigned the Azure DevOps Admin role in Azure Active Directory and must be a Project Collection Administrator.

Step 1: Go to Organization Settings

Step 2: Click on Azure Active Directory

Step 3: Scroll to the section “Restrict global personal access token creation”



Step 4: Enable the option to restrict global personal access token creation. Once this option is enabled, users won’t be able to create PATs for multiple organizations they are part of.

Step 5: In case some users need to create and use the same PAT for multiple organizations, they can be added to the exception list, known as the allowed list. Users on the allowed list can create and use the same PAT for different organizations.
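To confirm the effect of the policy after Step 4, an administrator can check which organizations accept a freshly created test PAT. The script below is an added example, not part of the original post: the function names, the `AZDO_PAT` environment variable and the use of the projects list endpoint are choices made here, and it assumes the test PAT carries a scope that permits reading projects.

```python
import base64
import urllib.error
import urllib.request


def http_probe(org, pat):
    """Call the projects list API of one organization with the PAT.

    Returns (status, content_type); (0, "") if the request could not be made.
    """
    url = f"https://dev.azure.com/{org}/_apis/projects?api-version=7.0"
    # Azure DevOps accepts a PAT as the password of HTTP Basic auth with an empty user name.
    token = base64.b64encode(f":{pat}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.headers.get("Content-Type", "")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", "")
    except urllib.error.URLError:
        return 0, ""


def accepted(status, content_type):
    # Only a 200 with a JSON body counts. A sign-in page (HTML, possibly 203
    # or reached through a redirect) means the token was not honoured.
    return status == 200 and "application/json" in content_type.lower()


def audit_pat(pat, orgs, probe=http_probe):
    """Report which organizations accept the PAT and whether it works across more than one."""
    results = {org: accepted(*probe(org, pat)) for org in orgs}
    working = sorted(org for org, ok in results.items() if ok)
    return {"accepted_by": working, "cross_org": len(working) > 1}


if __name__ == "__main__":
    import os
    import sys

    # Usage: AZDO_PAT=<test token> python audit_pat.py <org1> <org2> ...
    report = audit_pat(os.environ["AZDO_PAT"], sys.argv[1:])
    print(report)
    sys.exit(1 if report["cross_org"] else 0)
```

A PAT created by a user who is not on the allowed list should be reported with a single entry in `accepted_by`; a non-zero exit code means the token was honoured by more than one organization.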
