(Tenant) Restrict creation of global Personal Access Tokens.

Why This Matters

Personal Access Tokens (PATs) provide broad access to Azure DevOps resources. When users create global PATs, they can access data across all organizations in the tenant, increasing the attack surface. An admin should care because a compromised global PAT can expose sensitive code, pipelines, and infrastructure across the entire enterprise.

What Aether365 Checks

Aether365 verifies whether the Azure DevOps tenant policy restricts the creation of global Personal Access Tokens. This check appears in the Aether365 dashboard under the microsoft-365 services category and reports if the policy is not enabled.