Revoke personal access tokens for organization users

Azure DevOps Services | Azure DevOps Server 2020 | Azure DevOps Server 2019 | TFS 2018 - TFS 2017

If your personal access token (PAT) is compromised, take immediate action. Learn how an administrator can revoke a user's PAT, as a precaution to protect your organization. You can also disable a user, which revokes their PAT. There's latency (up to an hour) before the PAT stops working however, once the disable or delete function completes in Azure Active Directory (Azure AD).

Prerequisites

Only an organization administrator or Project Collection Administrator (PCA) can revoke user PATs. If you're not a member of the Project Collection Administrators group, get added as one. To learn how to find your organization's admin, see Look up administrators and organization Owner.

For users, if you want to create or revoke your own PATs, see Create or revoke personal access tokens.

Revoke PATs

  1. To revoke the OAuth authorizations, including PATs, for your organization's users, see Token revocations - Revoke authorizations.
  2. Use this PowerShell script to automate calling the new REST API by passing a list of user principal names (UPNs). If you don't know the UPN of the user who created the PAT, use this script, however it must be based on a date range.

Note

Keep in mind that when you use a date range any JSON web tokens (JWTs) are also revoked. Also be aware that any tooling that relies on these tokens won't work until refreshed with new tokens.

  1. After you've successfully revoked the affected PATs, let your users know. They can recreate their tokens, as needed.

FedAuth token expiration

A FedAuth token gets issued when you sign in. It's valid for a seven-day sliding window. The expiry automatically extends another seven days whenever you refresh it within the sliding window. If users access the service regularly, only an initial sign-in is needed. After a period of inactivity extending seven days, the token becomes invalid and the user must sign in again.

Personal access token expiration

Users can choose an expiry date for their personal access token, not to exceed one year. We recommend you use shorter time periods, generating new PATs upon expiry. Users receive a notification email one week before token expiry. Users can generate a new token, extend expiry of the existing token, or change the scope of the existing token, if needed.

Frequently asked questions (FAQs)

Q: What if a user leaves my company?

A: Once a user's removed from Azure AD, the PATs and FedAuth tokens invalidate within an hour, since the refresh token is valid only for one hour.

Q: What about JSON web tokens (JWTs)?

A: Revoke JWTs, issued as part of the OAuth flow, via the PowerShell script. However, you must use the date range option in the script.