Thursday, November 18, 2021

Making Personal Access Token More Secure in Azure DevOps

A Personal Access Token (PAT) is used to authenticate to Azure DevOps. However, once a new PAT is created, it can be shared across multiple organizations, which may not be ideal from a security standpoint. Azure DevOps therefore has a new feature to restrict a PAT from being shared across multiple Azure DevOps organizations.

Prerequisites: An Azure DevOps organization that is connected to Azure AD

Go to the Azure DevOps organization settings and select Azure Active Directory under the General section. There, you can connect the organization to Azure Active Directory.


Go to Azure Active Directory and assign the Azure DevOps Administrator role to the selected user.


Once the Azure DevOps Administrator role is assigned, new features are enabled, as shown in the following images.

The following feature lets you enable a policy that restricts the creation of global personal access tokens, which work for all organizations. This means a personal access token must be associated with only one Azure DevOps organization. However, you can use the "Allow list" to enable global PATs for specific users or groups.


The following feature lets you enable a policy that restricts the creation of full-scoped personal access tokens. This means users can create PATs with a limited, defined scope, but not with all scopes. However, there is an allow list to exempt any user or group from this restriction.


The following feature lets you set a maximum lifespan for personal access tokens. If a user or group needs to use personal access tokens for longer than the defined maximum lifespan, you can use the allow list to exempt those users and groups from this condition.
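To show how the three policies and their allow lists combine, here is an added example (not part of the original post and not Azure DevOps code) that audits a token inventory against them. The `Pat` and `Policy` shapes, field names, users, groups and dates are all hypothetical and constructed for illustration; they are not Azure DevOps API fields.

```python
from dataclasses import dataclass, field
from datetime import date

# Hypothetical record and policy shapes for illustration; these are not
# Azure DevOps API field names.
@dataclass
class Pat:
    owner: str
    global_token: bool   # works for all accessible organizations
    full_scope: bool     # created with full access instead of defined scopes
    valid_from: date
    valid_to: date

@dataclass
class Policy:
    enabled: bool = False
    allow_list: set = field(default_factory=set)  # exempt users or groups
    max_days: int = 0                             # used by the lifespan policy only

def violations(pat, groups, restrict_global, restrict_full, max_life):
    """Return the names of the policies this PAT would violate."""
    principals = {pat.owner} | set(groups.get(pat.owner, ()))
    def applies(policy):
        # A policy applies when it is enabled and the owner is not exempt,
        # directly or through a group on that policy's own allow list.
        return policy.enabled and not (principals & policy.allow_list)
    found = []
    if pat.global_token and applies(restrict_global):
        found.append("global")
    if pat.full_scope and applies(restrict_full):
        found.append("full-scope")
    if applies(max_life) and (pat.valid_to - pat.valid_from).days > max_life.max_days:
        found.append("lifespan")
    return found

# Constructed sample data.
GROUPS = {"bob@example.com": ["build-agents"]}
RESTRICT_GLOBAL = Policy(enabled=True)
RESTRICT_FULL = Policy(enabled=True, allow_list={"build-agents"})
MAX_LIFE = Policy(enabled=True, max_days=30)
PATS = [
    Pat("alice@example.com", True, True, date(2021, 11, 1), date(2022, 11, 1)),
    Pat("bob@example.com", False, True, date(2021, 11, 1), date(2021, 11, 20)),
]

def audit():
    return {p.owner: violations(p, GROUPS, RESTRICT_GLOBAL, RESTRICT_FULL, MAX_LIFE)
            for p in PATS}

if __name__ == "__main__":
    for owner, found in audit().items():
        print(owner, found or "compliant")
```

Running an audit like this before enabling the policies shows which existing tokens would fall outside them and which owners would need an allow-list entry.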






