Restricting Maximum Personal Access Token Lifespan

Personal Access Tokens (PATs) can be created with a maximum lifespan of 1 year. Although a long lifespan spares users from refreshing the PAT every now and then, from a security perspective it is a very bad practice: a PAT is bound to be misused if an attacker gets hold of it. Azure DevOps has introduced a feature by which the PAT lifespan can be restricted, and the steps below show how to restrict it.

Prerequisites: The user must have been assigned the Azure DevOps Admin role in Azure Active Directory and must be a Project Collection Administrator.

Step 1: Go to Organization Settings

Step 2: Click on Azure Active Directory

Step 3: Scroll to the section “Enforce Maximum Personal Access Token Lifespan”

Step 4: Enable the option to enforce Maximum Personal Access Token Lifespan. Once this option is enabled, the maximum lifespan of new tokens is enforced based on the number of days entered in “Maximum allowed lifespan”.

Step 5: In case some users need to create PATs with an extended lifespan, they can be added to the allow list using the Add AAD user or group option.
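Because the policy from Step 4 only constrains new tokens, an audit of the PATs that already exist is still worthwhile. The Python below is an added example, not part of this post: it takes a token list in the shape of the Azure DevOps PAT lifecycle management API response (the field names are an assumption) and flags every token whose lifespan exceeds the configured maximum, noting whether it was issued before the policy came into force; the sample data and policy date are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of the Azure DevOps PAT lifecycle management
# API response (GET https://vssps.dev.azure.com/{org}/_apis/tokens/pats). The
# field names are an assumption; check them against a real response.
SAMPLE_RESPONSE = json.dumps({"patTokens": [
    {"displayName": "build-agent", "validFrom": "2023-01-10T00:00:00Z",
     "validTo": "2024-01-10T00:00:00Z", "scope": "vso.build"},
    {"displayName": "release-script", "validFrom": "2023-06-01T00:00:00Z",
     "validTo": "2023-06-15T00:00:00Z", "scope": "vso.release"},
    {"displayName": "personal-cli", "validFrom": "2023-05-01T00:00:00Z",
     "validTo": "2023-08-01T00:00:00Z", "scope": "app_token"},
]})


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_pat_lifespans(response_json, max_days, policy_enabled_at):
    """Flag PATs whose lifespan exceeds max_days (the 'Maximum allowed lifespan'
    value from Step 4).

    Returns a list of (displayName, lifespan_days, pre_policy). pre_policy is
    True when the token was issued before the policy was enabled, so it was
    never subject to enforcement and should be rotated. False means it was
    issued afterwards and so must have come via the allow list (Step 5) or
    some unexpected path, which deserves a closer look.
    """
    policy_start = parse_ts(policy_enabled_at)
    findings = []
    for pat in json.loads(response_json).get("patTokens", []):
        valid_from, valid_to = parse_ts(pat["validFrom"]), parse_ts(pat["validTo"])
        lifespan_days = (valid_to - valid_from).days
        if lifespan_days > max_days:
            findings.append((pat["displayName"], lifespan_days, valid_from < policy_start))
    return findings


if __name__ == "__main__":
    # Constructed policy date: assume the Step 4 setting was enabled on 2023-04-01.
    for name, days, pre_policy in audit_pat_lifespans(SAMPLE_RESPONSE, 30, "2023-04-01T00:00:00Z"):
        origin = "issued before policy" if pre_policy else "issued after policy (allow list?)"
        print(f"{name}: {days}-day lifespan exceeds 30 days, {origin}")
```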
