Azure DevOps Services | Azure DevOps Server 2022 – Azure DevOps Server 2019 | TFS 2018
You can use a Personal Access Token (PAT) as an alternate password to authenticate to Azure DevOps. In this article, we show you how to create, use, modify, and revoke PATs for Azure DevOps.
About PATs
A personal access token contains your Azure DevOps security credentials. A PAT identifies you, your accessible organizations, and your scopes of access. As such, PATs are just as important as passwords, so you should treat them the same way.
When working with Microsoft tools, your Microsoft Account (MSA) or Azure Active Directory (Azure AD) is an acceptable and well-supported approach. However, if you're working with third-party tools that don't support Microsoft or Azure AD accounts, or if you don't want to provide your primary credentials to the tool, use PATs to limit your risk.
You can create and manage your PATs in any of the following ways:
- the user interface in your user settings, which is described in detail in this article
- through the PAT Lifecycle Management API
To set up PATs for non-Microsoft tools, use Git Credential Manager or create them manually. We encourage you to check our Authentication Guide to help you choose the right authentication mechanism. For smaller projects that require a less robust solution, PATs are an easy alternative. Unless your users use a credential manager, they must enter their credentials each time.
Create a PAT
Note
The images you see on your web portal may differ from the images in this article. These differences result from updates made to Azure DevOps or from enabled preview features. We enabled the New account manager page feature. The basic functionality available to you remains the same unless specifically stated.
Sign in to your organization (https://dev.azure.com/{yourorganization}).
From your home page, open your user settings and select Personal access tokens.
Select + New Token.
Name your token, choose the organization where you want to use the token, and then set your token to automatically expire after a set number of days.
Select the scopes for this token to authorize for your specific tasks.
For example, to create a token that lets a build and release agent authenticate to Azure DevOps Services, limit your token's scope to Agent Pools (Read & Manage). To read audit log events and manage and delete streams, select Read Audit Log, and then select Create.
Note
You may not be allowed to create full-scoped PATs. If this is the case, your Azure DevOps admin has enabled a policy in Azure AD that restricts you to a specific custom set of scopes. For more information, see Manage PATs with policies/Restrict creation of full PATs. For a custom PAT, the scope required to access the Component Governance API, all.governance, is not selectable in the user interface.
When you're done, copy the token and save it somewhere safe. For your security, it won't be displayed again.
Warning
Treat and use a PAT like your password and keep it secret.
Sign in to your web portal (https://{Server}:8080/tfs/).
From your home page, open your profile. Go to your security details.
Create a personal access token.
Name your token. Choose a lifetime for your token.
If you have more than one organization, you can also select the organization where you want to use the token.
Select the scopes for this token to authorize for your specific tasks.
For example, to create a token that lets a build and release agent authenticate, limit the scope of your token to Agent pools (read, manage).
When you're done, make sure to copy the token. For your security, it won't be displayed again. Use this token as your password. Select Close.
Use your PAT anywhere your user credentials are required for authentication in Azure DevOps.
Important
For organizations backed by Azure Active Directory, you have 90 days to sign in with your new PAT; otherwise it is considered inactive. For more information, see Frequency of user login for Conditional Access.
Notifications
Users receive two notifications during the lifetime of a PAT - one upon creation and the other seven days before expiration.
After creating a PAT, you will receive a notification similar to the example below. This notification confirms that your PAT has been added to your organization.
The image below shows an example of the seven-day notification before your PAT expires.
For more information, see Configure an SMTP server and customize email for alerts and feedback requests.
Unexpected notification
If you receive an unexpected PAT notification, an administrator or tool may have created a PAT on your behalf. See the examples below.
- When you connect to an Azure DevOps Git repository via git.exe, it creates a token with a friendly name like "git: https://MyOrganization.visualstudio.com/ on MyMachine."
- When you or an admin set up an Azure App Service web app deployment, a token is created with a friendly name like "Service Hooks: : Azure App Service: : Deploy web app".
- When you or an admin set up web load tests as part of a pipeline, a token is created with a friendly name like "WebAppLoadTestCDIntToken".
- When a messaging extension is set up for Microsoft Teams integration, it creates a token with a friendly name like "Microsoft Teams integration".
Warning
If you believe a PAT exists in error, we encourage you to revoke the PAT. Then change your password. As an Azure AD user, check with your administrator to see whether your organization was used from an unknown source or location. See also the FAQ about accidentally checking in a PAT to a public GitHub repository.
Use a PAT
Your PAT is your identity and represents you when you use it, just like a password.
Git
Git interactions require a username, which can be anything but the empty string. To use a PAT with HTTP basic authentication, Base64-encode $MyPat, as shown in the following code block.
Enter the following code in PowerShell.
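```powershell
$MyPat = 'yourPAT'
# Encode ":<PAT>" (empty username, then the PAT) for HTTP basic authentication.
# The backtick keeps PowerShell from reading ":$MyPat" as a scoped variable name.
$B64Pat = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("`:$MyPat"))
git -c http.extraHeader="Authorization: Basic $B64Pat" clone https://dev.azure.com/yourOrgName/yourProjectName/_git/yourRepoName
```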
To keep your token more secure, use a credential manager so you don't have to enter your credentials every time. We recommend Git Credential Manager. Git for Windows is required.
Existing repos
For existing repositories, if you have already added the origin with the username, run the following command first.
```
git remote remove origin
```
Otherwise, run the following command.
```
# <path-to-git-repo> = <project name>/_git/<repo_name>
# The PAT in this URL is saved in cleartext in the repository's .git/config.
git remote add origin https://<PAT>@<company_machineName>.visualstudio.com:/<path-to-git-repo>
git push -u origin --all
```
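Both Git patterns above can leave the token readable in Git configuration: a PAT embedded in the remote URL is saved to .git/config, and a Basic header is saved too if it is persisted with git config rather than passed once with -c. As an added example (not part of the original article; the function names are assumptions), the following script builds the same header on Linux/macOS and audits `git config --list` output for stored PATs without printing them.

```bash
# Added example, not from the original article; function names are assumptions.

# basic_header PAT -> "Basic <base64 of ':<PAT>'>" (empty username, then the PAT).
basic_header() {
  printf 'Basic %s' "$(printf ':%s' "$1" | base64 | tr -d '\n')"
}

# redact_url URL -> URL with any userinfo (user, PAT or user:password) masked.
redact_url() {
  printf '%s\n' "$1" | sed -E 's#^(https?://)[^/@]+@#\1***@#'
}

# audit_config_lines: reads "key=value" lines on stdin (the format printed by
# `git config --list`, which lowercases key names) and prints one finding per
# line. Secret values are never echoed back.
audit_config_lines() {
  local line key value b64 decoded
  while IFS= read -r line; do
    key=${line%%=*}
    value=${line#*=}
    case $key in
      remote.*.url|remote.*.pushurl)
        # Credentials in the userinfo part of the URL sit in .git/config as cleartext.
        if printf '%s' "$value" | grep -Eq '^https?://[^/@]+@'; then
          printf 'url-credential %s %s\n' "$key" "$(redact_url "$value")"
        fi ;;
      http.extraheader|http.*.extraheader)
        if printf '%s' "$value" | grep -Eiq '^authorization: *basic +'; then
          b64=$(printf '%s' "$value" | sed -E 's/^[^:]+: *[^ ]+ +([^ ]+).*/\1/')
          decoded=$(printf '%s' "$b64" | base64 --decode 2>/dev/null) || decoded=
          case $decoded in
            :?*) printf 'basic-header %s empty-username\n' "$key" ;;
            *)   printf 'basic-header %s other\n' "$key" ;;
          esac
        fi ;;
    esac
  done
}

# Typical use inside a clone: git config --list | audit_config_lines
```

Any finding means the token should be moved into a credential manager and the stored copy removed.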
Use a PAT in your code
You can use a PAT in your code.
If you want to provide the PAT via an HTTP header, first convert it to a Base64 string. The resulting string can then be provided as an HTTP header in the following format.

```
Authorization: Basic BASE64_USERNAME_PAT_STRING
```

The following example shows how to convert to Base64 using C# and send the request with the HttpClient class.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;

public static async void GetBuilds()
{
    try
    {
        // Placeholder for the PAT copied from the web portal.
        var personalaccesstoken = "PATFROMWEB";

        using (HttpClient client = new HttpClient())
        {
            client.DefaultRequestHeaders.Accept.Add(
                new System.Net.Http.Headers.MediaTypeWithQualityHeaderValue("application/json"));

            // Basic authentication with an empty username and the PAT as the password.
            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic",
                Convert.ToBase64String(
                    System.Text.ASCIIEncoding.ASCII.GetBytes(
                        string.Format("{0}:{1}", "", personalaccesstoken))));

            // Replace {organization} and {project} with your own values.
            using (HttpResponseMessage response = client.GetAsync(
                "https://dev.azure.com/{organization}/{project}/_apis/build/builds?api-version=5.0").Result)
            {
                response.EnsureSuccessStatusCode();
                string responseBody = await response.Content.ReadAsStringAsync();
                Console.WriteLine(responseBody);
            }
        }
    }
    catch (Exception ex)
    {
        Console.WriteLine(ex.ToString());
    }
}
```
Tip
If you use variables, add a $ at the beginning of the string, as in the following example.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;

// organization and project are passed in so the interpolated URL compiles.
public static async void GetBuilds(string organization, string project)
{
    try
    {
        // Placeholder for the PAT copied from the web portal.
        var personalaccesstoken = "PATFROMWEB";

        using (HttpClient client = new HttpClient())
        {
            client.DefaultRequestHeaders.Accept.Add(
                new System.Net.Http.Headers.MediaTypeWithQualityHeaderValue("application/json"));

            // Basic authentication with an empty username and the PAT as the password.
            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic",
                Convert.ToBase64String(
                    System.Text.ASCIIEncoding.ASCII.GetBytes(
                        string.Format("{0}:{1}", "", personalaccesstoken))));

            // The leading $ makes {organization} and {project} interpolate the variables.
            using (HttpResponseMessage response = client.GetAsync(
                $"https://dev.azure.com/{organization}/{project}/_apis/build/builds?api-version=5.0").Result)
            {
                response.EnsureSuccessStatusCode();
                string responseBody = await response.Content.ReadAsStringAsync();
                Console.WriteLine(responseBody);
            }
        }
    }
    catch (Exception ex)
    {
        Console.WriteLine(ex.ToString());
    }
}
```
When your code works, it's a good time to move from basic authentication to OAuth.
For more information and examples of using PATs, see the following articles:
- Git credential manager
- REST APIs
- NuGet on a Mac
- Reporting clients
- Get started with the Azure DevOps CLI.
If you enable IIS basic authentication for TFS, PATs are not valid. For more information, see Using IIS Basic Authentication with TFS on-premises.
Change a PAT
You can regenerate or extend a PAT and modify its scope. After regeneration, the previous PAT is no longer authorized.
From your home page, open your user settings, then select Profile.
Under Security, select Personal access tokens. Select the token you want to change, and then select Edit.
Edit the token's name, the organization it applies to, the token's expiration, or the scope of access associated with the token, and then select Save.
Revoke a PAT
You can revoke a PAT at any time for a variety of reasons.
From your home page, open your user settings, then select Profile.
Under Security, select Personal access tokens. Select the token you want to revoke access for, and then select Revoke.
Select Revoke in the confirmation dialog.
Related articles
- About security, authentication and authorization
- Default permissions and access for Azure DevOps
- Revoke user PATs (for admins)
Frequently asked questions
Q: What happens to a PAT when a user account is deactivated?
A: Once a user is removed from Azure DevOps, the PAT expires within 1 hour. If your organization is connected to Azure Active Directory (Azure AD), the PAT will also be invalidated in Azure AD as it is owned by the user. We recommend that the user rotate their PAT to another user or service account to keep the services running.
Q: Is there a way to renew a PAT via REST API?
A: Yes, there is a way to renew, manage and create PATs with our PAT Lifecycle Management APIs. For more information, see Manage PATs with the REST API and our FAQ.
Q: Can I use basic authentication with all Azure DevOps REST APIs?
A: No. You can use basic authentication with most Azure DevOps REST APIs, but organizations and profiles only support OAuth. For more information, see Manage PATs with the REST API.
Q: What happens if I accidentally check my PAT into a public repository on GitHub?
A: Azure DevOps scans for PATs checked into public repositories on GitHub. If we find a leaked token, we'll immediately send a detailed email notification to the token owner and log an event to your Azure DevOps organization's audit log. We urge affected users to mitigate immediately by rotating or revoking the leaked PAT.
There is a policy for managing leaked PATs! For more information, see Automatically revoke leaked PATs.
Q: Can I use a personal access token as an ApiKey to publish NuGet packages to an Azure Artifacts feed using the dotnet/nuget.exe command line?
A: No. Azure Artifacts doesn't support passing a personal access token as an ApiKey. When using a local development environment, we recommend installing the Azure Artifacts Credential Provider to authenticate to Azure Artifacts. For more details, see the following examples: dotnet, NuGet.exe. If you want to publish your packages using Azure Pipelines, use the NuGet authentication task to authenticate to your feed (example).