In the new year, we’ll be retiring the Global Personal Access Token (PAT) type in Azure DevOps.
Global PATs allow users to authenticate across all accessible organizations. While this can feel convenient, a single credential with broad reach creates a concentrated security risk — especially as a user’s access footprint grows. This level of privilege becomes an attractive target for bad actors, making global tokens unsuitable for today’s security‑conscious environments.
Setting clear boundaries around high‑impact credentials is one of the most effective ways to prevent large‑scale breaches. As part of Microsoft’s broader security strategy, we are moving away from global, full‑scoped PATs and enforcing organizational‑level policies that limit token power. We strongly recommend transitioning to short‑lived, Microsoft Entra–backed authentication, which offers modern protections such as improved token governance, stronger identity controls, and reduced risk of credential exposure.
These changes reflect real‑world learnings that we have already applied to improve the security posture across Microsoft and many Azure DevOps customers.
Key Dates
- March 15, 2026 – Creation of new global PATs and regeneration of existing global PATs will be blocked.
- December 1, 2026 – All existing global PATs will be fully decommissioned. Tokens will stop working after this date.
Recommended Actions
If any of your current workflows rely on global PATs, we encourage you to begin planning your transition now. Options include:
- Splitting authentication across individual Azure DevOps organizations, or
- Adopting Entra‑based, short‑lived authentication in place of PATs.
Users with active global PATs will receive additional guidance via email to support a successful migration.
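For the second option, the practical difference from a PAT is that the credential expires quickly and has to be renewed by the client. The following is an added example, not code from Microsoft or this post: it assumes a signed-in Azure CLI, and the names `EntraTokenProvider` and `fetch_with_az_cli` are hypothetical.

```python
import base64
import json
import subprocess
import time

# Well-known Entra application ID of the Azure DevOps resource.
AZURE_DEVOPS_RESOURCE = "499b84ac-1321-427f-aa17-267ca6975798"


def pat_auth_header(pat):
    """Legacy scheme being replaced: HTTP Basic with an empty user name."""
    raw = (":" + pat).encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def fetch_with_az_cli():
    """Ask the signed-in Azure CLI for a token; returns (token, expiry_epoch)."""
    out = subprocess.run(
        ["az", "account", "get-access-token",
         "--resource", AZURE_DEVOPS_RESOURCE, "--output", "json"],
        check=True, capture_output=True, text=True).stdout
    data = json.loads(out)
    # Assumption: the CLI reports epoch seconds as expires_on. If it is absent,
    # fall back to a conservative 5-minute lifetime so the token is re-fetched soon.
    return data["accessToken"], float(data.get("expires_on", time.time() + 300))


class EntraTokenProvider:
    """Caches a short-lived token and renews it shortly before expiry."""

    def __init__(self, fetch=fetch_with_az_cli, skew=120, clock=time.time):
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._token, self._expires = None, 0.0

    def auth_header(self):
        # Renew when no token is cached or expiry is within `skew` seconds.
        if self._token is None or self._clock() >= self._expires - self._skew:
            self._token, self._expires = self._fetch()
        return {"Authorization": "Bearer " + self._token}
```

Call `auth_header()` for every request rather than storing its result, so a long-running job picks up the renewed token instead of failing when the first one expires.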
Azure DevOps Blog