Azure DevOps - Sprint 188 Update
Features
- Restrict personal access token (PAT) scope and lifespan via Azure AD tenant policy
- Conditional access policy support for IPv6 traffic
Restrict personal access token (PAT) scope and lifespan via Azure AD tenant policy
Personal access tokens (PATs) make it easy to authenticate against Azure DevOps to integrate with your tools and services. However, leaked tokens could compromise your Azure DevOps account and data, putting your applications and services at risk.
We received feedback that administrators lacked the controls needed to limit the threat surface posed by leaked PATs. Based on this feedback, we’ve added a new set of policies that can be used to restrict the scope and lifespan of your organization’s Azure DevOps personal access tokens (PATs)! Here’s how they work:
Users assigned to the Azure DevOps Administrator role in Azure Active Directory can navigate to the Azure Active Directory tab in the organization settings of any Azure DevOps organization linked to their Azure AD.

There, administrators can:
- restrict the creation of global personal access tokens (tokens that work for all Azure DevOps organizations accessible by the user)
- restrict the creation of full-scoped personal access tokens
- define a maximum lifespan for new personal access tokens
These policies apply to all new PATs created by users for Azure DevOps organizations linked to the Azure AD tenant. Each policy has an allow list of users and groups who are exempt from it. Being on the allow list exempts a user or group from that policy only; it does not grant access to manage the policy configuration.
These policies apply only to new PATs and will not affect existing PATs that have already been created and are in use. Once the policies are enabled, however, any existing PAT that is now non-compliant must be brought within the restrictions before it can be renewed.
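The following is an added example, not Microsoft's implementation of these policies: a small model of the three tenant-level restrictions (global PATs, full-scoped PATs, maximum lifespan) with a per-policy exemption list, used to check a token request at creation time and to compute the latest expiry a renewal may pick. The policy class, field names, the sample principals and the scope strings are constructed or assumed for illustration.

```python
"""Model of the tenant-level PAT policies described above (added example, not
Microsoft code). All names, field names and sample data are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

# Assumed scope string for a "full access" token; the page does not name it.
FULL_ACCESS_SCOPE = "app_token"


@dataclass
class TenantPatPolicy:
    restrict_global_pats: bool = False       # tokens valid across all orgs the user can reach
    restrict_full_scope_pats: bool = False   # tokens carrying the full-access scope
    max_lifespan_days: Optional[int] = None  # None means no lifespan ceiling
    exempt_principals: Set[str] = field(default_factory=set)  # allow list (users/groups)


@dataclass
class PatRequest:
    principal: str            # requesting user; group membership is flattened here (constructed)
    scopes: Set[str]
    all_organizations: bool   # True for a "global" PAT
    created: date
    expires: date


def is_exempt(policy: TenantPatPolicy, principal: str) -> bool:
    return principal in policy.exempt_principals


def pat_violations(policy: TenantPatPolicy, req: PatRequest) -> List[str]:
    """Reasons a new or renewed PAT would be rejected; an empty list means compliant."""
    if is_exempt(policy, req.principal):
        return []
    violations: List[str] = []
    if policy.restrict_global_pats and req.all_organizations:
        violations.append("global PAT not permitted; scope the token to one organization")
    if policy.restrict_full_scope_pats and FULL_ACCESS_SCOPE in req.scopes:
        violations.append("full-scoped PAT not permitted; select specific scopes")
    if policy.max_lifespan_days is not None:
        lifespan = (req.expires - req.created).days
        if lifespan > policy.max_lifespan_days:
            violations.append(
                f"lifespan of {lifespan} days exceeds the maximum of {policy.max_lifespan_days}")
    return violations


def latest_allowed_expiry(policy: TenantPatPolicy, principal: str,
                          created: date) -> Optional[date]:
    """Latest expiry a renewal may choose; None when no ceiling applies to this principal."""
    if is_exempt(policy, principal) or policy.max_lifespan_days is None:
        return None
    return created + timedelta(days=policy.max_lifespan_days)


# Constructed scenario: the tenant forbids global and full-scope PATs, caps lifespan
# at 90 days, and exempts one build-service account via the allow list.
POLICY = TenantPatPolicy(True, True, 90, {"build-svc@contoso.example"})

LEGACY_PAT = PatRequest("dev@contoso.example", {FULL_ACCESS_SCOPE}, True,
                        date(2021, 5, 1), date(2022, 5, 1))   # 365 days, global, full scope
SCOPED_PAT = PatRequest("dev@contoso.example", {"vso.code", "vso.build"}, False,
                        date(2021, 5, 1), date(2021, 7, 1))   # 61 days, one org
EXEMPT_PAT = PatRequest("build-svc@contoso.example", {FULL_ACCESS_SCOPE}, True,
                        date(2021, 5, 1), date(2022, 5, 1))   # same shape as LEGACY, but exempt

if __name__ == "__main__":
    for name, req in [("legacy", LEGACY_PAT), ("scoped", SCOPED_PAT), ("exempt", EXEMPT_PAT)]:
        print(name, pat_violations(POLICY, req) or "compliant")
    print("renewal ceiling:", latest_allowed_expiry(POLICY, "dev@contoso.example", date(2021, 5, 1)))
```

The `LEGACY_PAT` case mirrors the renewal rule in the text: a token that was valid when issued fails all three checks once the policies are on, so it has to be re-scoped and shortened before renewal, while the allow-listed build account is untouched.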
Conditional access policy support for IPv6 traffic
We are now extending conditional access policy (CAP) support to include IPv6 fencing policies. As users increasingly access Azure DevOps from devices with IPv6 addresses, we want to ensure that your teams can grant and remove access for any IP address, including IPv6 traffic.
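As an added example (not Microsoft's CAP engine), the block below shows what IP fencing has to do once IPv6 clients are in scope: parse a named location that mixes IPv4 and IPv6 ranges, unwrap IPv4-mapped IPv6 addresses so IPv4 clients behind dual-stack proxies still match their IPv4 range, and show that a location defined with only IPv4 ranges silently blocks legitimate IPv6 users until the IPv6 prefix is added. The sign-in records and CIDR ranges are constructed from documentation address space.

```python
"""IP-fencing evaluation that treats IPv4 and IPv6 ranges uniformly.
Added example, not Microsoft's CAP implementation; named locations and
sign-in records are constructed (RFC 5737 / RFC 3849 documentation ranges)."""
import ipaddress
from typing import Dict, Iterable, List, Tuple


def build_named_location(cidrs: Iterable[str]) -> list:
    """Parse a mixed list of IPv4/IPv6 CIDRs into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def normalize_client_ip(ip: str):
    """IPv4 clients can arrive as IPv4-mapped IPv6 (::ffff:a.b.c.d) through
    dual-stack front ends; unwrap them so they are compared against IPv4 ranges."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def in_named_location(ip: str, networks: list) -> bool:
    addr = normalize_client_ip(ip)
    # Membership across address families is always False, so an IPv6 client can
    # never match a location that lists only IPv4 ranges (and vice versa).
    return any(addr in net for net in networks)


def evaluate_sign_ins(sign_ins: List[Tuple[str, str]], networks: list) -> Dict[str, str]:
    """Map each (user, client_ip) sign-in to 'allow' or 'block' under a trusted-location policy."""
    return {user: ("allow" if in_named_location(ip, networks) else "block")
            for user, ip in sign_ins}


# Constructed sign-ins.
SIGN_INS = [
    ("alice", "203.0.113.17"),         # office, IPv4
    ("bob", "::ffff:203.0.113.40"),    # office IPv4 arriving as IPv4-mapped IPv6
    ("carol", "2001:db8:1:2::beef"),   # office, native IPv6
    ("mallory", "2001:db8:ffff::1"),   # IPv6 outside the office prefix
    ("eve", "198.51.100.9"),           # IPv4 outside the office range
]

# Named location before and after the IPv6 prefix is added.
V4_ONLY_LOCATION = build_named_location(["203.0.113.0/24"])
DUAL_STACK_LOCATION = build_named_location(["203.0.113.0/24", "2001:db8:1::/48"])

if __name__ == "__main__":
    print("IPv4-only location :", evaluate_sign_ins(SIGN_INS, V4_ONLY_LOCATION))
    print("dual-stack location:", evaluate_sign_ins(SIGN_INS, DUAL_STACK_LOCATION))
```

With the IPv4-only location, carol's native IPv6 sign-in is blocked even though she is on the office network; once the IPv6 prefix is part of the named location she is allowed while addresses outside both ranges remain blocked.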
Next steps
Note
These features will roll out over the next two to three weeks.
Head over to Azure DevOps and take a look.
How to provide feedback
We would love to hear what you think about these features. Use the help menu to report a problem or provide a suggestion.

You can also get advice and your questions answered by the community on Stack Overflow.