(Tenant) Restrict Personal Access Token full scope.
Why This Matters
Personal Access Tokens (PATs) with full-scope permissions pose a significant security risk because they grant broad, unrestricted access to your Azure DevOps organization. If such a token is compromised, an attacker can perform any operation on behalf of the user who created it, potentially leading to data exfiltration, code tampering, or service disruption. Restricting PATs to only the necessary scopes reduces this attack surface and enforces the principle of least privilege.
What Aether365 Checks
This check verifies that your Azure DevOps tenant does not allow Personal Access Tokens to be created with full scope (all accessible organizations). It appears in your Aether365 dashboard under the Microsoft 365 checks section.