Authenticate access with personal access tokens for VSTS and TFS

VSTS | TFS 2017

Visual Studio Team Services (VSTS) and Team Foundation Server (TFS) use enterprise-grade authentication, backed by Microsoft account or Azure Active Directory (Azure AD), to protect and secure your data. Clients like Visual Studio and Eclipse (with the Team Explorer Everywhere plug-in) natively support Microsoft account and Azure AD authentication, so you can directly use those authentication methods to sign in.

For non-Microsoft tools that integrate into VSTS but do not support Microsoft account or Azure AD authentication interactions (for example, Git, NuGet, or Xcode), you need to set up personal access tokens by using Git credential managers or by creating PATs manually (see below). You can also use personal access tokens when there is no "pop up UI" such as with command-line tools, integrating tools or tasks into build pipelines, or using REST APIs.

Personal access tokens essentially are alternate passwords that you create in a secure way using your normal authentication, and PATs can have expiration dates, limited scopes (for example, only certain REST APIs or command line operations are valid), and specific VSTS accounts. You can put them into environment variables so that scripts do not hardcode passwords. For more information, see Authentication overview and scopes.

Create personal access tokens to authenticate access

  1. Sign in to either your VSTS account (https://{youraccount} or your Team Foundation Server web portal (https://{server}:8080/tfs/).

  2. From your home page, open your profile. Go to your security details.

    TFS 2017

    Go to VSTS account home, open your profile, go to Security


    TFS home page, open your profile, go to Security

  3. Create a personal access token.

    Add a personal access token

  4. Name your token. Select a lifespan for your token.

    If you're using VSTS, and you have more than one account, you can also select the VSTS account where you want to use the token.

    Name your token, select a lifespan. If using VSTS, select an account for your token

  5. Select the scopes that this token will authorize for your specific tasks.

    For example, to create a token to enable a build and release agent to authenticate to VSTS or TFS, limit your token's scope to Agent Pools (read, manage).

  6. When you're done, make sure to copy the token. You'll use this token as your password.

    Use token as the password for your git tools or apps

    Note: Remember that this token is your identity and acts as you when it's used. Keep your tokens secret and treat them like your password.

    Tip: To keep your token more secure, use credential managers so that you don't have to enter your credentials every time. Here are some recommended credential managers:

Revoke personal access tokens to remove access

When you don't need your token anymore, just revoke it to remove access.

  1. From your home page, open your profile. Go to your security details.


    Go to VSTS account home page, open your profile, go to Security

    TFS 2017

    Go to TFS home page, open your profile, go to Security

  2. Revoke access.

    Revoke a token or all tokens

Using PATs

For example using PATs, see using Git credential managers, REST APIs, NuGet on a Mac, and Reporting clients.