Azure DevOps is taking significant steps to enhance its security measures by moving away from Personal Access Tokens (PATs) as the primary authentication method for its APIs. This shift aims to address the potential security risks associated with PATs, particularly when they are insecurely stored, over-scoped, or set for extended durations.
The Drawbacks of PATs
While PATs have been a common authentication method, they pose several security concerns:
- Vulnerability to unauthorized access
- Potential for insecure storage
- Risk of over-scoping
- Extended durations leading to prolonged exposure
Embracing Microsoft Entra Authentication
Azure DevOps is now recommending the use of Microsoft Entra alternatives for authentication, especially for users with Microsoft Entra accounts and tools that support them. The advantages of Microsoft Entra tokens include:
- Short-lived tokens: Entra tokens expire after just one hour, requiring regular refreshing
- Robust security: The authentication protocols used for Entra tokens are generally more secure
- Enhanced protection: Entra offers additional security measures, such as conditional access policies, to guard against token theft and replay attacks
Transitioning to Entra Tokens
To facilitate the adoption of Entra tokens, Azure DevOps is updating its documentation to showcase various ways these tokens can replace PATs. For scenarios where PATs remain necessary, guidance is provided to minimize associated risks.
Key Resources for Entra Token Implementation
- Authentication with Azure DevOps using Microsoft Entra, including guidance on acquiring single-use Entra tokens via Azure CLI
- Building for Azure DevOps with Microsoft Entra OAuth Apps
- Utilizing service principals and managed identities in Azure DevOps
- Best practices for PAT usage when necessary
Changes to Git Clone Workflows
As part of this security enhancement, Azure DevOps is modifying how users perform git clones in Azure Repos and Azure Wiki repository UI. The “Generate Git Credentials” button, which previously created a 7-day PAT with “vso.code” scope, will be deactivated and eventually removed.
Alternative Approaches for Git Authentication
Azure DevOps now recommends two primary methods for git authentication using Entra tokens:
- Generating ad-hoc Entra tokens for command line use
- Updating Git Credential Manager to issue Entra tokens by default (preferred method)
These approaches have been successfully implemented within Microsoft and are now being shared with the broader Azure DevOps community.
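As an added example (not code from the Azure DevOps post), the first approach above, an ad-hoc Entra token for command line use, carried through as a POSIX shell script: the Azure CLI issues a short-lived token for the Azure DevOps resource and git sends it as a Bearer header for a single clone, so no 7-day "vso.code" PAT is created or stored. The Azure DevOps resource ID and the AZDO_REPO_URL / AZDO_CLONE_DIR variable names are assumptions not stated in the post.

```shell
#!/bin/sh
# Added example, not from the Azure DevOps post: clone with a short-lived Microsoft
# Entra token from the Azure CLI instead of a 7-day "vso.code" PAT.
# Assumptions: `az login` was already done with a Microsoft Entra account;
# AZDO_RESOURCE_ID is the well-known Azure DevOps resource ID accepted by
# `az account get-access-token --resource` (not stated in the post);
# AZDO_REPO_URL / AZDO_CLONE_DIR are names chosen for this script.
set -eu

AZDO_RESOURCE_ID="499b84ac-1321-427f-aa17-267ca6975798"

# Header git sends on every request; a function so it can be checked without Azure.
bearer_header() {
    printf 'AUTHORIZATION: bearer %s' "$1"
}

# Reject anything that is not three base64url segments (a CLI error message,
# an empty string) so junk is never sent as a credential.
looks_like_jwt() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'
}

# Ask the Azure CLI for a token scoped to Azure DevOps; it expires in about an
# hour, so the clone must finish inside that window and nothing long-lived exists.
acquire_entra_token() {
    az account get-access-token --resource "$AZDO_RESOURCE_ID" \
        --query accessToken -o tsv
}

# Pass the header with -c so it lives only in this process: it is never written
# to a git config file or the credential store, and the token is never echoed.
clone_with_entra_token() {
    repo_url="$1"; dest="$2"; token="$3"
    looks_like_jwt "$token" || { echo "refusing to send a malformed token" >&2; return 1; }
    git -c http.extraheader="$(bearer_header "$token")" clone "$repo_url" "$dest"
}

# Network path runs only when a repo URL is supplied, e.g.
#   AZDO_REPO_URL=https://dev.azure.com/org/project/_git/repo sh clone.sh
if [ -n "${AZDO_REPO_URL:-}" ]; then
    token="$(acquire_entra_token)"
    clone_with_entra_token "$AZDO_REPO_URL" "${AZDO_CLONE_DIR:-repo}" "$token"
    unset token
fi
```

Because the token is handed to git with `-c` rather than stored, a leaked shell history or config file reveals no credential, and the one-hour expiry the post describes bounds any exposure.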
Best Practices for PAT Usage
For users who still need to create PATs with “vso.code” scope for git operations, Azure DevOps advises the following precautions:
- Choose short PAT lifetimes so that tokens expire early
- Request minimal necessary scopes for git actions
- Revoke PATs promptly when no longer needed
- Regularly rotate PATs if used frequently
Future Plans: Restricting PAT Creation
Looking ahead to 2025, Azure DevOps plans to introduce an organizational policy that will disable PAT creation except for an authorized list of users specified by organization admins. This feature is expected to be released in the coming spring.
Conclusion
The transition from PATs to Microsoft Entra tokens represents a significant step forward in enhancing the security of Azure DevOps. By embracing these new authentication methods and following best practices, organizations can significantly reduce their risk exposure and improve their overall security posture. As Azure DevOps continues to evolve its security measures, users are encouraged to adapt their workflows and explore the more secure alternatives provided.