{"id":62780,"date":"2021-11-09T11:04:40","date_gmt":"2021-11-09T19:04:40","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/devops\/?p=62780"},"modified":"2021-11-09T11:04:40","modified_gmt":"2021-11-09T19:04:40","slug":"issue-with-extension-publishing","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/issue-with-extension-publishing\/","title":{"rendered":"Known issue with publishing extensions: \u201cYour ability to create global personal access tokens (PATs) is restricted by your organization.\u201d"},"content":{"rendered":"<p>If you\u2019ve run into trouble while trying to <a href=\"https:\/\/docs.microsoft.com\/azure\/devops\/extend\/publish\/command-line?view=azure-devops#acquire-a-pat\">publish<\/a> an Azure DevOps or Visual Studio extension to the <a href=\"https:\/\/marketplace.visualstudio.com\/azuredevops\">Visual Studio Marketplace<\/a>, please ask your administrator if they have enabled the new <a href=\"https:\/\/docs.microsoft.com\/azure\/devops\/organizations\/accounts\/manage-pats-with-policies-for-administrators?view=azure-devops#restrict-creation-of-global-pats\">policy<\/a> to restrict the creation of global personal access tokens (PATs).<\/p>\n<h2>Symptom<\/h2>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2021\/11\/PAT_Creation_Symptom_Screenshot_With_Boxes.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2021\/11\/PAT_Creation_Symptom_Screenshot_With_Boxes-284x300.png\" alt=\"Image PAT Creation Symptom Screenshot\" width=\"426\" height=\"450\" class=\"alignnone size-medium wp-image-62781\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2021\/11\/PAT_Creation_Symptom_Screenshot_With_Boxes-284x300.png 284w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2021\/11\/PAT_Creation_Symptom_Screenshot_With_Boxes-969x1024.png 969w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2021\/11\/PAT_Creation_Symptom_Screenshot_With_Boxes-768x812.png 768w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2021\/11\/PAT_Creation_Symptom_Screenshot_With_Boxes-24x24.png 24w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2021\/11\/PAT_Creation_Symptom_Screenshot_With_Boxes.png 1056w\" sizes=\"(max-width: 426px) 100vw, 426px\" \/><\/a><\/p>\n<p>Today, in order to publish an extension to the <a href=\"https:\/\/marketplace.visualstudio.com\/azuredevops\">Visual Studio Marketplace<\/a> using the Cross-platform CLI for Azure DevOps (tfx-cli), you must create a <a href=\"https:\/\/docs.microsoft.com\/azure\/devops\/extend\/publish\/command-line?view=azure-devops#acquire-a-pat\">personal access token<\/a> that applies to all accessible organizations (a \u201cglobal PAT\u201d). Note that you only need a personal access token if you are publishing via the CLI; you do not need a PAT to publish via the <a href=\"https:\/\/marketplace.visualstudio.com\/manage\/\">Visual Studio Marketplace Web Portal<\/a>.<\/p>\n<p>If you are unable to create a personal access token for all accessible organizations with the desired marketplace scopes, you will not be able to publish extensions to Visual Studio marketplace from your organization via the CLI.<\/p>\n<h2>Cause<\/h2>\n<p>Azure DevOps released several new security features which allow company administrators to restrict the creation of personal access tokens. One such feature prevents the creation of personal access tokens that apply to all accessible organizations (\u201cglobal PATs\u201d). By default, the policy is disabled and users are free to create global personal access tokens (PATs). However, once enabled, the policy prevents the creation of global PATs and in turn, prevents users from publishing to the marketplace with the CLI.<\/p>\n<h2>Workarounds<\/h2>\n<p>If you need to publish an extension through CLI and have been blocked by the new policy, the primary workaround is to ask your <a href=\"https:\/\/docs.microsoft.com\/azure\/active-directory\/roles\/permissions-reference#azure-devops-administrator\">administrator<\/a> to add your user account to the <a href=\"https:\/\/docs.microsoft.com\/azure\/devops\/organizations\/accounts\/manage-pats-with-policies-for-administrators?view=azure-devops#add-azure-ad-users-or-groups-to-the-allowlist\">allowlist<\/a> for the policy. Azure AD users and groups added to the allowlist will be exempt from the restriction and will be able to create PATs appropriate for publishing to the marketplace.<\/p>\n<p>Additionally, <a href=\"https:\/\/docs.microsoft.com\/azure\/devops\/organizations\/accounts\/manage-pats-with-policies-for-administrators?view=azure-devops\">the policy can be turned on or off altogether<\/a>. By default, it is set to off.<\/p>\n<h2>Other Issues?<\/h2>\n<p>If neither of the workarounds work for you, or if you\u2019re having other issues, please let us know by commenting below. We apologize for the inconvenience as we work towards a long-term solution.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you\u2019ve run into trouble while trying to publish an Azure DevOps or Visual Studio extension to the Visual Studio Marketplace, please ask your administrator if they have enabled the new policy to restrict the creation of global personal access tokens (PATs).<\/p>\n","protected":false},"author":51297,"featured_media":45953,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[228,229],"tags":[],"class_list":["post-62780","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-admin-licensing","category-community"],"acf":[],"blog_post_summary":"<p>If you\u2019ve run into trouble while trying to publish an Azure DevOps or Visual Studio extension to the Visual Studio Marketplace, please ask your administrator if they have enabled the new policy to restrict the creation of global personal access tokens (PATs).<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/62780","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/users\/51297"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/comments?post=62780"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/62780\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media\/45953"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media?parent=62780"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/categories?post=62780"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/tags?post=62780"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}