Obtain Azure DevOps Personal Access Token programmatically

A colleague approached me with a question about automating the creation of Personal Access Token (PAT) for Azure DevOps. As usual, I tried taking the easy route of doing a quick search online, however all I could find were some convoluted/incomplete examples, and lots and lots of misunderstandingс. Which comes as a surprise, as the task is actually quite simple, once you figure out what it entails. So here’s how you can obtain PAT via few simple API calls (all done via PowerShell).

First, you need to have an Azure AD application, and have the user_impersonation scope for Azure DevOps added to it. In other words, go to the Azure AD blade, create a new app registration or use an existing one. Go to API permissions > Add a permission > select Azure DevOps > select user_impersonation under Delegate permissions > confirm. Not much you can do wrong here, as this is the only permissions you can select for said API anyway. Depending on which users you plan to generate PATs for, you might as well consider granting consent for the entire directory, but that’s optional.

Once permissions have been added/consent granted, you need to obtain an access token. Use the exact same methods you’d use for any other Azure AD integrated application. The scope is the only thing you need to modify, and for it, use the value of “499b84ac-1321-427f-aa17-267ca6975798/.default“. This basically translates to “all scopes for Azure AD DevOps API”. Then, request the token.

Once you have a valid token, you can issue queries against the Azure AD DevOps API, which is again very similar to what you are used to with other Azure AD integrated apps and the Graph API. For example, the query below will return all currently configured PAT tokens for the user:

The one thing that you need to modify in the above request is the organization name. If you don’t want to hardcode it, here’s how to obtain a list of ADO orgs for the current user. First, run a GET request against the /profile/profiles/me endpoint to get the GUID of the user, then pass it in a GET request against the /accounts endpoint and fetch the AccountName value(s) out of the reply:

Of course, you can have multiple organizations, so handle things as necessary. Or just hardcode it.

Anyway, enough off topic. Here’s how to generate a new PAT for the current user. In a nutshell, you need to run a POST request against the /tokens/pats endpoint and provide a JSON payload with few properties. Those include the displayName, validity (validTo), permissions (scope) and whether the PAT should be valid for the current org, or all orgs the user has access to (allOrgs). Do make sure to use appropriate values here, especially for the scope parameter, copy/paste the below example at your own peril

Of course, make sure to capture the PAT string, as it won’t be shown anywhere else. For the sake of completeness, here’s how to get the details on specific PAT:

Do note that the token value will be empty, so again, make sure to capture it upon creation. For more details on working with PATs, refer to the official documentation.