To allow customers more agency with their PAT scope Microsoft has introduced a big change, recently a new initiative by the Azure DevOps team has been taken which supports granular personal access token PAT scope. The change is a part of their ongoing investments in security this initiative was taken to decrease the risks linked to leaks of PAT credentials. This initiative has drastically changed Azure DevOps as it links all Azure DevOps REST APIs to PAT; which at times led customers to consume these APIs using full-scoped PATs. This broad permissions of full-scoped PAT in the hands of someone dangerous poses a serious threat as the potential of security threat has been increased due to increased access to source codes, valuable assets and production infrastructure.
If you are a current user of Full-scoped PAT then consider migrating to PAT with limited scope to avoid any security breach. This can be done by taking a few simple steps as the supported granular PAT scope(s) for a given REST API can be found in the security -> Scopes section of the REST API document pages:
This allowance by PAT to take full-scope of specific allowance is beneficial for customers as it enables them to corresponding control plane policy. Microsoft has promised a full range of improvements to ensure the smooth run of their operations which will help customers secure a DevOps environment. If you have any questions regarding the new DevOps environment you can contact us any time.