Using personal access tokens - Azure DevOps (2023)

Article
27.03.2023

Azure DevOps Services | Azure DevOps Server 2022 – Azure DevOps Server 2019 | TFS 2018

You can use a Personal Access Token (PAT) as an alternate password to authenticate with Azure DevOps. In this article, we show you how to create, use, modify, and revoke PATs for Azure DevOps.

About PAT

A personal access token contains your Azure DevOps security credentials. PAT identifies you, your accessible organization and your access area. They are therefore just as important as passwords and should therefore be treated in the same way.

When using Microsoft tools, your Microsoft account (MSA) or Azure Active Directory (Azure AD) are acceptable and well-supported methods. However, if you're using a third-party tool that doesn't support Microsoft or Azure AD accounts - or you don't want to provide your primary credentials to the tool - use PAT to limit your risk.

You can create and manage PATs in any of the following ways:

The user interface in the user settings, which is described in detail in this article
happenPAT Lifecycle Management-API

To set up PAT for non-Microsoft tools, useGit credential managerOr create them manually. We encourage you to read oursCertification GuideHelps you choose the right authentication mechanism. PAT is a simple alternative for smaller projects that require a less robust solution. Unless your users use a credential manager, they must enter their credentials each time.

Create PATs

Remarks

The images you see on the portal may differ from the images you see in this article. These differences are due to Azure DevOps updates or enabled preview features. we activated itNew Account Manager Pagespecial feature. The basic functions available to you remain the same unless specifically mentioned.

Sign in to your organization (https://dev.azure.com/{Ihre Organisation}).
Open the user settings on your start pageand selectPersonal access token.
choose+ new tokens.
Give your token a name, choose the organization you want to use it for, and set your token to automatically expire after a set number of days.
chooseScopeAuthorize this tokenyour specific tasks.
For example, create an activation tokenBuild- und Release-AgentTo authenticate to Azure DevOps Services, set the token scopeProxy pool (read and manage).To read audit log events and manage and delete flows, selectRead audit log, then selectcreate.
Remarks
You may not be able to create a full PAT. If this is the case, your Azure DevOps admin has enabled a policy in Azure AD that restricts you to a specific set of custom scopes. For more information, seeManage PAT/restrict creation of area-wide PAT using policies.For a custom PAT, the scope required to access the Component Governance API.Alle. Governance, not selectable in the user interface.
When you're done, copy the token and keep it in a safe place. For your safety, it will not be displayed again.
See Also
회사 만들기 | 구글 플레이 EMM API | 구글 개발자

to warn

Treat and use PAT like a password and keep it secret.

Sign in to your portal (https://{server}:8080/tfs/).
Open your profile on your homepage. Go to your security details.
Create a personal access token.
Give your token a name. Choose the lifetime of the token.
If you have more than one organization, you can also choose which organization you want to use the token with.
chooseScopeAuthorize this tokenyour specific tasks.
For example, create an activation tokenBuild- und Release-Agentfor authentication, which limits the scope of the tokenProxy pool (read, manage).
When you're done, make sure it iscopy tokens.For your safety, it will not appear again. Use this token as your password. chooseclosure.

Use PAT anywhere in Azure DevOps where user credentials are required for authentication.

important

For organizations backed by Azure Active Directory, you have 90 days to enroll with a new PAT, otherwise it will be considered inactive. For more information, seeFrequency of user login for Conditional Access.

notify

The user will receive two notifications during the lifetime of the PAT - one upon creation and another 7 days before expiry.

After the PAT is created, you will receive a notification similar to the example below. This notification confirms that your PAT has been added to your organization.

The image below shows an example of a 7-day notification before PAT expiration.

For more information, seeConfigure the SMTP server and customize emails for notifications and feedback requests.

unexpected notification

If you receive unexpected PAT notifications, an administrator or tool may have created a PAT on your behalf. Check out the examples below.

When connecting to an Azure DevOps Git repository via git.exe. It creates a token with a friendly name like "git:https://MyOrganization.visualstudio.com/on MyMachine. "
When you or an admin set up Azure App Service web app deployment, a token is created with a friendly name like "Service Hooks::Azure App Service::Deploy Web App".
When you or an administrator set up a web load test as part of a pipeline, a token is created with a friendly name like "WebAppLoadTestCDIntToken".
When the messaging extension is set up for Microsoft Teams integration, a token with the friendly name "Microsoft Teams integration" is created.

to warn

If you think there is an error in the PAT, we encourage you to do soPAT revoked. Then change your password. As an Azure AD user, check with your administrator if your organization has been used by unknown sources or locations. See FAQs tooPAT was accidentally checked into a public GitHub repository.

Use PAT

Your PAT is your identity and represents you when you use it, just like a password.

goddamn

Git interaction requires a username, which can be anything other than an empty string. To use PAT with HTTP basic authentication, useBase64 encodingfor and$MyPat, which is enclosed in the following code block.

Windows
Linux/macOS

Enter the following code in PowerShell.

$MyPat = 'yourPAT'$B64Pat = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("`:$MyPat"))git -c http.extraHeader="Authorization: Basic $B64Pat "See https://dev.azure.com/yourOrgName/yourProjectName/_git/yourRepoName

To increase the security of your tokens, use a credential manager so you don't have to re-enter your credentials each time. we recommendGit credential manager.Git for Windowsnecessary.

Existing Repurchase Agreements

For an existing repository, if you have already added the source with your username, run the following command first.

git remote delete origin

Otherwise run the following command.

git remote add origin https://@.visualstudio.com:/path to git repo =/_git/git push -u origin - alle

Use PAT in your code

You can use PAT in your code.

Windows
Linux/macOS

If you want to provide the PAT via an HTTP header, first convert it to a Base64 string. The following example shows the conversion to Base64 with C#.

Authorization: Basic BASE64_USERNAME_PAT_STRING

The resulting string can then be provided as an HTTP header in the following format.

The following example usesHttpClient-Klassein C#.

public static async void GetBuilds(){ try { var personalaccesstoken = "PATFROMWEB";使用 (HttpClient client = new HttpClient()) { client.DefaultRequestHeaders.Accept.Add( new System.Net.Http.Headers.MediaTypeWithQualityHeaderValue("application/ json")); client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", Convert.ToBase64String(System.Text.ASCIIEncoding.ASCII.GetBytes( string.Format("{0}:{1}", "", personaccesstoken))));使用 (HttpResponseMessage Response = client.GetAsync( "https://dev.azure.com/{organization}/{project}/_apis/build/builds?api-version=5.0").Result) { Response.EnsureSuccessStatusCode() ;字符串 ResponseBody = Warten auf Antwort.Content.ReadAsStringAsync(); Console.WriteLine(responseBody); } } } Catch (Exception ex) { Console.WriteLine(ex.ToString()); }}

Notice

If you use variables, add a$at the beginning of the string, as shown in the following example.

public static async void GetBuilds(){ try { var personalaccesstoken = "PATFROMWEB";使用 (HttpClient client = new HttpClient()) { client.DefaultRequestHeaders.Accept.Add( new System.Net.Http.Headers.MediaTypeWithQualityHeaderValue("application/ json")); client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", Convert.ToBase64String(System.Text.ASCIIEncoding.ASCII.GetBytes( string.Format("{0}:{1}", "", personaccesstoken))));使用 (HttpResponseMessage Response = client.GetAsync( $"https://dev.azure.com/{organization}/{project}/_apis/build/builds?api-version=5.0").Result) { Response.EnsureSuccessStatusCode( );字符串 ResponseBody = Warten auf Antwort.Content.ReadAsStringAsync(); Console.WriteLine(responseBody); } } } Catch (Exception ex) { Console.WriteLine(ex.ToString()); }}

If your code works, it's time to switch from basic authentication toOAuth.

For more information and examples of using PAT, see the following articles:

Git credential manager
REST-API
NuGet on Mac
report customers
Get started with the Azure DevOps CLI.

PAT has no effect when IIS Basic Authentication for TFS is enabled. For more information, seeUsing IIS basic authentication with local TFS.

Change PAT

You can regenerate or extend and modify the PATScope.After regeneration, the previous PAT is no longer eligible.

On your homepage, open your user settings and selectOutline.
Under Security, select the optionPersonal access token.Select the token you want to change and thenedit.
Edit the token name, the organization it applies to, the token expiration, or the access scopes associated with the token and selectsave on computer.

PAT revoked

You can revoke PAT at any time for various reasons.

On your homepage, open your user settings and selectOutline.
Under Security, select the optionPersonal access token.Select the token you want to revoke access to, then selectwithdraw.
choosewithdrawin the confirmation dialog.

About security, authentication and authorization
Default permissions and access permissions for Azure DevOps
Revoke user PAT (for admins)

common problem

Q: What happens to PAT when a user account is deactivated?

A: Once a user is removed from Azure DevOps, the PAT expires within an hour. If your organization is connected to Azure Active Directory (Azure AD), PAT will also fail in Azure AD because it is owned by the user. We recommend users to transfer their PAT to another user or service account to keep the service running.

Q: Is there a way to update PAT via REST API?

A: Yes, there is a way to update, manage and create PATs with ourPAT Lifecycle Management-API.See details belowManage PATs using REST APIsand oursFAQ.

Q: Can I use basic authentication with all Azure DevOps REST APIs?

Answer: no. You can use basic authentication with most Azure DevOps REST APIs, butorganization and profilesupport onlyOAuth.See details belowManage PATs using REST APIs.

Q: What happens if I accidentally check my PAT into a public repository on GitHub?

A: Azure DevOps scans the PAT of checked-in public repositories on GitHub. When we detect a leaked token, we immediately send a detailed email notification to the token owner and log the event in your Azure DevOps organizationAudit-Log.unless you turn it offAutomatically revoke compromised personal access tokensPolicy, we immediately revoke the leaked PAT. We encourage affected users to take immediate corrective action by:Revoke leaked tokensand replace it with the new token.

For more information, seeAutomatically revoke leaked PAT.

Q: Can I publish a NuGet package to an Azure Artifacts feed from the dotnet/nuget.exe command line using a personal access token as the ApiKey?

Answer: no. Azure Artifacts doesn't support passing personal access tokens as ApiKeys. When using a local development environment, we recommend installing itAzure Artifact Credential ProviderAuthenticate with Azure Artifacts. For more information, see the following examples:do not point,run program.If you want to publish a package with Azure Pipelines, use theNuGet validationA task to authenticate with your feedExample.

Q: Why is my PAT no longer working?

A: PAT authentication requires you to regularly log in to Azure DevOps with a full authentication flow. Going once every 30 days is enough for many people, but depending on your Azure Active Directory configuration, you may need to log in more frequently. If your PAT stops working, first try logging into your organization and make sure you pass the full authentication prompt. If your PAT still doesn't work after this, check if your PAT has expired.