{"id":66050,"date":"2022-11-09T14:01:54","date_gmt":"2022-11-09T22:01:54","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/devops\/?p=66050"},"modified":"2022-11-09T14:01:54","modified_gmt":"2022-11-09T22:01:54","slug":"all-azure-devops-rest-apis-now-support-pat-scopes","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/all-azure-devops-rest-apis-now-support-pat-scopes\/","title":{"rendered":"All Azure DevOps REST APIs now support PAT scopes"},"content":{"rendered":"<p>Recently, the Azure DevOps team completed an initiative to associate all Azure DevOps REST APIs with a granular personal access token (PAT) scope. As part of our ongoing investments in security, we undertook this effort to reduce the risks associated with a leaked PAT credential. Previously, a number of Azure DevOps REST APIs were not associated with a PAT scope, which at times led customers to consume these APIs using full-scoped PATs. The broad permissions of a full-scoped PAT (all permissions of their corresponding user), in the hands of a malicious actor, represent a significant security risk to organizations, given the potential to access source code, production infrastructure, and other valuable assets.<\/p>\n<p>If you are currently using a full-scoped PAT to authenticate to one of the Azure DevOps REST APIs, consider migrating to a PAT with the specific scope accepted by the API to avoid unnecessary access. 
The supported granular PAT scope(s) for a given REST API can be found in the Security -> Scopes section of the REST API documentation pages.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2022\/11\/scopeInApiDocs-1.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2022\/11\/scopeInApiDocs-1.png\" alt=\"PAT Scope in REST API Docs Example\" width=\"926\" height=\"778\" class=\"aligncenter size-full wp-image-66053\" srcset=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2022\/11\/scopeInApiDocs-1.png 926w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2022\/11\/scopeInApiDocs-1-300x252.png 300w, https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2022\/11\/scopeInApiDocs-1-768x645.png 768w\" sizes=\"(max-width: 926px) 100vw, 926px\" \/><\/a><\/p>\n<p>Moreover, these improvements should allow even more customers to restrict creation of full-scoped PATs by enabling the <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/devops\/organizations\/accounts\/manage-pats-with-policies-for-administrators?view=azure-devops#restrict-creation-of-full-scoped-pats\">corresponding control plane policy<\/a>.<\/p>\n<p>We look forward to continuing to ship improvements which will help customers secure their DevOps environments. As always, if you have questions or feedback, feel free to share below.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recently, the Azure DevOps team completed an initiative to associate all Azure DevOps REST APIs with a granular personal access token (PAT) scope. As part of our ongoing investments in security, we undertook this effort to reduce the risks associated with a leaked PAT credential. 
Previously, a number of Azure DevOps REST APIs were not [&hellip;]<\/p>\n","protected":false},"author":103515,"featured_media":66059,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[224,1,251],"tags":[],"class_list":["post-66050","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure","category-devops","category-security"],"acf":[],"blog_post_summary":"<p>Recently, the Azure DevOps team completed an initiative to associate all Azure DevOps REST APIs with a granular personal access token (PAT) scope. As part of our ongoing investments in security, we undertook this effort to reduce the risks associated with a leaked PAT credential. Previously, a number of Azure DevOps REST APIs were not [&hellip;]<\/p>\n"}