Reputation: 2998
How to efficiently handle Personal Access Token in Azure DevOps organization?
Context:
We are using Azure DevOps and we are starting to leverage more and more PATs in our DevOps cycles and processes. We have about 30 users and each one of them creates a bunch of them under their personal account for different use cases.
Here are some scenarios where they are used:
- Self-hosted agents configuration (Windows and dockers)
- API call for Microsoft Teams bots
- Homemade integration with Azure DevOps and other systems
- etc.
Basically, we are starting to loose a bit the control over:
- What kind of PATs are created
- Where are the PATs used
- Which scopes defined on the PATs
As an example, we have some users that create PATs to configure agents. They will give the full access to this PAT, instead of selecting the proper scopes for it. As we know, end users don't really care about security and we are aware that we need educate our developer. However, we still want to have way to control those PATs.
Questions:
- Is there a way to view in the organization level all the PATs that used?
- Is it possible to remove the possibility for a specific user to create PATs and only give that feature to the admin users?
- Is it possible to revoke all the PATs on the organization level?
- Can you share your experience(s) and tips on how you efficiently handle PATs in your organization and more specifically on the security aspect?
Upvotes: 6
Views: 868
Answers (1)
Reputation: 66
Maybe this could help you to restrict the usage of the PATs
Is there a way to view in the organization level all the PATs that used?
Not that I know
Is it possible to remove the possibility for a specific user to create PATs and only give that feature to the admin users?
From the article, yes it is now possible for the administrator to do so
Is it possible to revoke all the PATs on the organization level?
Upvotes: 1
Related Questions
- Azure devops rest api bearer token
- User List with API and Continuation Token for Azure Devops
- Using a personal access token for azure devops API repository manipulation
- Azure DevOps Environment under useraccount with no password
- Azure DevOps OAuth organization policies API
- Azure DevOps deployment to VM using Personal Access Token
- Manage User - Custom
- Is there a way in Azure DevOps settings to create a Personal Access Tokens (PAT) equivalent that is not associated with a single user?
- What would be the best way to manage cloud credentials as part of an Azure DevOps build pipeline?
- Programmatically Generate Personal Access Token for VSTS