Azure DevOps Services | Azure DevOps Server 2022 | Azure DevOps Server 2020
If a Personal Access Token (PAT) is compromised, it’s crucial to act swiftly. Administrators can revoke a user’s PAT to safeguard the organization. Disabling a user’s account also revokes their PAT.
Why revoke user PATs?
Revoking user PATs is essential for the following reasons:
- Compromised token: Prevent unauthorized access if a token is compromised.
- User leaves the organization: Ensure former employees no longer have access.
- Permission changes: Invalidate tokens reflecting old permissions.
- Security breach: Mitigate unauthorized access during a breach.
- Regular security practices: Regularly revoke and reissue tokens as part of a security policy.
Prerequisites
| Category | Requirements |
|---|---|
| Permissions | Member of the Project Collection Administrators group. Organization owners are automatically members of this group. |
Revoke PATs
- To revoke OAuth authorizations, including PATs, for your organization’s users, see Token revocations – Revoke authorizations.
- To automate calling the REST API, use this PowerShell script, which passes a list of user principal names (UPNs). If you don’t know the UPN of the user who created the PAT, use this script with a specified date range.
- After you successfully revoke the affected PATs, inform your users. They can recreate their tokens as necessary.
There might be a delay of up to one hour before the PAT becomes inactive, as this latency period persists until the disable or delete operation is fully processed in Microsoft Entra ID.
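The automated path described above, as an added example and not the script this page links to: it resolves each UPN to a graph descriptor, lists that user's PATs through the Token Admin REST API, and posts their authorization IDs to the revocations endpoint. Assumptions: the caller is a Project Collection Administrator authenticating with their own PAT in `$AdminToken` (Basic auth), the hosted service endpoints under `vssps.dev.azure.com`, and the `api-version`, field names (`principalName`, `descriptor`, `authorizationId`) and paths as I recall them from the REST reference, which you should verify against your target before running. `-WhatIf` lists what would be revoked without calling the revocations endpoint.

```powershell
# Added example: revoke every PAT belonging to the given UPNs (not the page's own script).
param(
    [Parameter(Mandatory)] [string]   $Organization,        # e.g. "contoso" (placeholder)
    [Parameter(Mandatory)] [string[]] $UserPrincipalNames,  # e.g. "alice@contoso.com" (placeholder)
    [Parameter(Mandatory)] [string]   $AdminToken,          # PAT of a Project Collection Administrator
    [string] $ApiVersion = "7.1-preview.1",                 # assumption: check the REST reference for your target
    [switch] $WhatIf
)

# Basic auth with an empty user name and the PAT as the password.
$headers = @{
    Authorization  = "Basic " + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$AdminToken"))
    "Content-Type" = "application/json"
}
$base = "https://vssps.dev.azure.com/$Organization/_apis"

# 1. Fetch the organization's users once. The graph list is paged via the
#    X-MS-ContinuationToken response header; a single page suffices for a small org.
$users = (Invoke-RestMethod -Method Get -Headers $headers -Uri "$base/graph/users?api-version=$ApiVersion").value

foreach ($upn in $UserPrincipalNames) {
    $user = $users | Where-Object { $_.principalName -eq $upn } | Select-Object -First 1
    if (-not $user) { Write-Warning "No user found for $upn; skipping"; continue }

    # 2. List the user's PATs by subject descriptor (Token Admin - Personal Access Tokens - List).
    $patsUri = "$base/tokenadmin/personalaccesstokens/$($user.descriptor)?api-version=$ApiVersion"
    $pats    = (Invoke-RestMethod -Method Get -Headers $headers -Uri $patsUri).value
    if (-not $pats) { Write-Host "$upn has no PATs"; continue }

    foreach ($p in $pats) {
        Write-Host ("{0}: '{1}' scope='{2}' validTo={3}" -f $upn, $p.displayName, $p.scope, $p.validTo)
    }
    if ($WhatIf) { continue }

    # 3. Revoke by authorization ID (Token Admin - Revocations - Revoke Authorizations).
    #    -InputObject keeps a single-element list serialized as a JSON array.
    $body = ConvertTo-Json -InputObject @($pats | ForEach-Object { @{ authorizationId = $_.authorizationId } }) -Depth 3
    Invoke-RestMethod -Method Post -Headers $headers -Body $body `
        -Uri "$base/tokenadmin/revocations?api-version=$ApiVersion" | Out-Null
    Write-Host "Revoked $($pats.Count) PAT(s) for $upn"
}
```

Run it first with `-WhatIf` and keep the printed list: it is the evidence you later reconcile against the audit log, and it tells you whom to notify. For the date-range case in the text, where the creating user is unknown, my understanding (an assumption to verify in the REST reference) is that a revocation rule with a `createdBefore` timestamp is the mechanism rather than a per-user revocation.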
FedAuth token expiration
A FedAuth token gets issued when you sign in. It's valid for a seven-day sliding window. The expiry automatically extends another seven days whenever you refresh it within the sliding window. If users access the service regularly, only an initial sign-in is needed. After seven days of inactivity, the token becomes invalid and the user must sign in again.
PAT expiration
Users can choose an expiry date for their PAT, not to exceed one year. We recommend using shorter time periods and generating new PATs upon expiry. Users receive a notification email one week before the token expires. Users can generate a new token, extend the expiry of the existing token, or change the scope of the existing token if needed.
Auditing logs
If your organization is connected to Microsoft Entra ID, you have access to audit logs that track various events, including permissions changes, deleted resources, and log access. These audit logs are valuable for checking revocations or investigating any activity. For more information, see Access, export, and filter audit logs.
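To check a revocation against the audit log rather than take the revocation call's success at face value, here is an added example (not part of this page) that pages through the Audit - Query Log REST API for a time window and keeps the token-related entries. Assumptions: auditing is enabled for the Microsoft Entra-connected organization, the caller holds the "View audit log" permission and authenticates with a PAT in `$AdminToken`, the `auditservice.dev.azure.com` endpoint and response fields (`decoratedAuditLogEntries`, `continuationToken`, `hasMore`, `actionId`, `actorUPN`, `timestamp`, `details`) as I recall them, and that token-related action IDs start with `Token.`; the prefix is a parameter so you can adjust it after inspecting a raw page of your own log.

```powershell
# Added example: pull token-related audit entries for a time window (not the page's own code).
param(
    [Parameter(Mandatory)] [string] $Organization,   # e.g. "contoso" (placeholder)
    [Parameter(Mandatory)] [string] $AdminToken,     # PAT with "View audit log" permission
    [datetime] $StartTime = (Get-Date).ToUniversalTime().AddDays(-1),
    [datetime] $EndTime   = (Get-Date).ToUniversalTime(),
    [string]   $ActionIdPrefix = "Token.",           # assumption: confirm against your own log entries
    [string]   $ApiVersion = "7.1-preview.1"         # assumption: check the REST reference for your target
)

$headers = @{
    Authorization = "Basic " + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$AdminToken"))
}
$query = "startTime={0}&endTime={1}&batchSize=200&api-version={2}" -f `
    $StartTime.ToString("o"), $EndTime.ToString("o"), $ApiVersion
$baseUri = "https://auditservice.dev.azure.com/$Organization/_apis/audit/auditlog?$query"

$hits = @()          # deliberately not $Matches, which is a PowerShell automatic variable
$continuation = $null
do {
    $uri  = if ($continuation) { "$baseUri&continuationToken=$continuation" } else { $baseUri }
    $page = Invoke-RestMethod -Method Get -Headers $headers -Uri $uri

    $hits += $page.decoratedAuditLogEntries | Where-Object { $_.actionId -like "$ActionIdPrefix*" }

    # The service signals further pages with hasMore plus an opaque continuation token.
    $continuation = if ($page.hasMore) { $page.continuationToken } else { $null }
} while ($continuation)

# One line per entry: who did what, and when, in chronological order.
$hits | Sort-Object timestamp | ForEach-Object {
    "{0}  {1,-40} {2,-30} {3}" -f $_.timestamp, $_.actionId, $_.actorUPN, $_.details
}
Write-Host "$($hits.Count) token-related entries between $StartTime and $EndTime (UTC)"
```

Compare the actor and timestamps of the revocation entries with the list you produced when revoking; an expected revocation that is absent after the delay mentioned earlier is worth investigating, and so is a revocation by an actor you did not expect.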