ADO Auditor - Get valuable insights into your Azure DevOps setup.

Documentation

PAT Generation

What is a PAT?

PAT stands for Personal Access Token and is your key to the Azure DevOps APIs.

Why do I need it?

Because we use the official Azure DevOps APIs to feed our rule engine with data, we need the PAT to access the organization's data on your behalf.

How do I get a PAT?

Just follow these easy steps and you will get a PAT that can be used for your free audit in a couple of seconds.

Sign In to Azure DevOps

Go to: https://dev.azure.com/ and sign in with your organization-connected Microsoft account.
Be sure to select the correct Azure DevOps organization you want to audit if prompted.

Open the "User settings"

1. In the top-right corner, click on "User settings" just next to your profile picture.

2. Select "Personal access tokens" from the dropdown.

[Image: shows how to start creating a PAT in Azure DevOps]

Create a New Personal Access Token (PAT)

3. On the Personal access tokens tab, click "New Token".

[Image: shows how to create a new PAT]

Configure the PAT Details

4. Configure the PAT details as needed:
Name: Give your token a meaningful name, e.g., "PAT for ADO Auditor".
Organization: Select your target organization (the organization you want to audit).
Expiration: Choose an appropriate lifespan. We recommend keeping it as short as possible, e.g., just for the time of the audit.

5. Choose to configure the PAT scopes:
Scopes: Select "Custom defined".

6. Click on "Show all scopes".

[Image: shows how to customize PAT details]

Set Custom Scopes

7. Choose the required scopes to audit your organization.
You will need to set several scopes, as shown in the table below:

Scope                          | Access        | Endpoints
Graph                          | Read          |
Member Entitlement Management  | Read          |
Project and Team               | Read          |
User Profile                   | Read          |
Token Administration           | Read & Manage |

An example of setting the "Graph" scope with "Read" access:

[Image: shows how to set the Graph:Read PAT scope]

Note that we keep the scopes required to audit your organization at a minimum.
Each scope we request is mandatory and the audit will fail when the PAT is missing these scopes.

Create the PAT

Review your selected scopes. Make sure that you provide at minimum the exact scopes we listed above.
Additional scopes won't affect the audit, but it's best practice to provide only the strictly necessary scopes.

8. Once done, click "Create".

[Image: shows how to finally create the configured PAT]

Copy the PAT

9. Copy the token shown immediately after creation.

You won't be able to see it again. If you miss copying the PAT, you need to create a new PAT. Be sure to delete the old PAT in this case.

Store the PAT securely (e.g., in a password manager or secret vault).

[Image: shows how to copy the created PAT]

Notes

PATs are used for authenticating via scripts, REST APIs, and tools that don't support Azure AD authentication.
Always follow least privilege principles and set expiration dates thoughtfully.

You can revoke or regenerate tokens at any time from the same security settings page.
We've created a step-by-step guide to assist you with this: Revoke a PAT.
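
The scope and expiration advice above can be checked mechanically. The following is an added example, not ADO Auditor's own code: it reviews PAT metadata records against the five scopes in the table and a short lifetime. The record fields (displayName, validTo, scope), the vso.* identifiers mapped to the table's scope names, and the seven-day limit are assumptions; the sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

# Scope identifiers assumed to correspond to the five scopes in the table above
# (verify against the current Azure DevOps scope reference before relying on them).
REQUIRED_SCOPES = {
    "vso.graph",                        # Graph: Read
    "vso.memberentitlementmanagement",  # Member Entitlement Management: Read
    "vso.project",                      # Project and Team: Read
    "vso.profile",                      # User Profile: Read
    "vso.tokenadministration",          # Token Administration: Read & Manage
}
MAX_LIFETIME = timedelta(days=7)  # assumed policy: an audit token lives at most a week


def review_pat(record, now=None):
    """Return a list of findings for one PAT metadata record (empty list = OK)."""
    now = now or datetime.now(timezone.utc)
    findings = []
    granted = set(record["scope"].split())
    missing = REQUIRED_SCOPES - granted
    extra = granted - REQUIRED_SCOPES
    if missing:
        findings.append("missing scopes (audit will fail): " + ", ".join(sorted(missing)))
    if extra:
        findings.append("scopes beyond least privilege: " + ", ".join(sorted(extra)))
    # Timestamps are assumed to be UTC; fractional seconds are dropped before parsing.
    stamp = record["validTo"].rstrip("Z").split(".")[0]
    valid_to = datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)
    if valid_to <= now:
        findings.append("token already expired")
    elif valid_to - now > MAX_LIFETIME:
        findings.append(f"expires in {(valid_to - now).days} days, longer than {MAX_LIFETIME.days}")
    return findings


# Constructed sample records (metadata only, no real token values)
NOW = datetime(2025, 1, 10, tzinfo=timezone.utc)
GOOD = {"displayName": "PAT for ADO Auditor", "validTo": "2025-01-12T00:00:00Z",
        "scope": " ".join(sorted(REQUIRED_SCOPES))}
BROAD = {"displayName": "old token", "validTo": "2026-01-10T00:00:00Z",
         "scope": "vso.graph vso.project vso.profile vso.code_write"}

if __name__ == "__main__":
    for rec in (GOOD, BROAD):
        print(rec["displayName"], "->", review_pat(rec, NOW) or "OK")
```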