Context:
We are using Azure DevOps and we are starting to leverage more and more PATs in our DevOps cycles and processes. We have about 30 users and each one of them creates a bunch of them under their personal account for different use cases.
Here are some scenarios where they are used:
Basically, we are starting to lose a bit of control over:
As an example, we have some users that create PATs to configure agents. They will give full access to this PAT instead of selecting the proper scopes for it. As we know, end users don't really care about security, and we are aware that we need to educate our developers. However, we still want to have a way to control those PATs.
Questions:
From your home page, open your user settings, and then select Profile. Under Security, select Personal access tokens. Select the token you want to modify, and then Edit. Edit the token name, the organization it applies to, the token expiration, or the scope of access that's associated with the token, and then select Save.
Maybe this could help you to restrict the usage of the PATs
https://devblogs.microsoft.com/devops/new-policies-to-restrict-personal-access-token-scope-and-lifespan/
Is there a way to view in the organization level all the PATs that used?
Not that I know of.
Is it possible to remove the possibility for a specific user to create PATs and only give that feature to the admin users?
From the article, yes it is now possible for the administrator to do so
Is it possible to revoke all the PATs on the organization level?
Yes it is, see https://learn.microsoft.com/en-us/rest/api/azure/devops/tokenadministration/token%20revocations/revoke%20authorizations?view=azure-devops-rest-5.0&preserve-view=true
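As an added illustration of the revocation endpoint linked in the answer above (this is example code, not from the original thread or from Microsoft's SDKs), the script below builds and sends the POST that the Token Administration "Revoke Authorizations" API expects. It assumes the `vssps.dev.azure.com` host, the `5.0-preview.1` API version and a request body of the form `{"authorizationIds": [...]}`; the organization name, the admin PAT and the authorization IDs are placeholders you supply, and the admin PAT is used as the password of an HTTP Basic header with an empty user name, which is how Azure DevOps accepts PATs. Revoking is irreversible, so the request builder is kept separate from the sender so you can inspect (or log) exactly what will be submitted before calling it.

```python
"""Build and send an org-level authorization revocation request to the
Azure DevOps Token Administration REST API (example code, not Microsoft's).

Assumptions (not taken from the thread):
  * host: https://vssps.dev.azure.com/{organization}
  * api-version: 5.0-preview.1
  * body schema: {"authorizationIds": ["<guid>", ...]}
"""
import base64
import json
import urllib.request

API_VERSION = "5.0-preview.1"  # assumed; adjust to the version your org supports


def build_revocation_request(organization, admin_pat, authorization_ids):
    """Return (url, headers, body) for the revocation POST without sending it.

    Keeping construction separate from sending lets an administrator review
    the exact payload before an irreversible revocation.
    """
    url = (
        f"https://vssps.dev.azure.com/{organization}"
        f"/_apis/tokenadministration/tokenrevocations?api-version={API_VERSION}"
    )
    # Azure DevOps takes a PAT as the Basic-auth password with an empty user name.
    credential = base64.b64encode(f":{admin_pat}".encode("utf-8")).decode("ascii")
    headers = {
        "Authorization": f"Basic {credential}",
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    body = json.dumps({"authorizationIds": list(authorization_ids)})
    return url, headers, body


def revoke_authorizations(organization, admin_pat, authorization_ids,
                          opener=urllib.request.urlopen):
    """Send the revocation and return the HTTP status code.

    `opener` is injectable so the call can be exercised against a fake
    transport in tests; by default it performs the real HTTPS request.
    """
    url, headers, body = build_revocation_request(organization, admin_pat, authorization_ids)
    request = urllib.request.Request(url, data=body.encode("utf-8"),
                                     headers=headers, method="POST")
    with opener(request) as response:
        return response.status


if __name__ == "__main__":
    # Placeholder values: replace with your organization, an admin PAT and the
    # authorization IDs (GUIDs) you have decided to revoke.
    org = "YOUR_ORG"
    pat = "ADMIN_PAT_PLACEHOLDER"
    ids = ["00000000-0000-0000-0000-000000000000"]
    url, headers, body = build_revocation_request(org, pat, ids)
    print("POST", url)
    print("body:", body)
    # Uncomment once the payload above has been reviewed:
    # print("status:", revoke_authorizations(org, pat, ids))
```

The admin PAT used here needs the token administration scope, so treat it like any other privileged credential: keep it short-lived and revoke it as soon as the clean-up is done.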