Use Personal Access Tokens with Azure Repos

Simon Maple
May 6, 2019 | in DevSecOps, Ecosystems
| By Simon Maple, Edward Thompson

The following is a best practice guideline from our series of 8 Azure Repos security best practices

DOWNLOAD THE CHEAT SHEET!

5. Use Personal Access Tokens with Azure Repos

Two-Factor Authentication (2FA) adds an additional level of security to your account by requiring not just a username and password, but also a unique code from an authenticator application or sent to you by SMS. This ensures that even if your password is compromised, an attacker can’t login to your account without also having your cell phone.

However, git only supports username and password and doesn’t have any idea of two-factor authentication. You can instead configure a Personal Access Token (PAT) for use with git and Git tools.

To make it easier to work with 2FA and Personal Access Tokens, you can install the Git Credential Manager for macOS and Linux or Windows. Using the Git Credential Manager lets you authenticate directly to your Git hosting provider, and will manage the generation and secure storage of your PAT so that you don’t have to.

You can create your own personal access token in the security settings of your account. This includes setting a time which the token will automatically expire. Note that as an administrator you can revoke PATs from users who perhaps leave the team. Once your PAT is configured, consider using the Git Credential Manager for macOS and Linux or Windows. You can store your PAT in the Git Credential Manager for additional security. For more information, check out the documentation.


Continue reading the list of 8 Azure Repos security best practices:

  1. Never store credentials as code/config in Azure Repos
  2. Remove sensitive data in your files and Azure Repos history
  3. Tightly control access
  4. Add a SECURITY.md file
  5. Use Personal Access Tokens
  6. Provide granular permissions and groups for users
  7. Add security testing to Pull Requests
  8. Rotate SSH keys and personal access tokens

If you haven’t done so yet, make sure you download this cheat sheet now and pin it up, so your future decisions are secure decisions!

8 Azure Repos Security Best Practices