How to: Personal Access Tokens Expiration Mapping

Vinicius Moura
2 min read · Sep 29, 2021

This script and report list the Personal Access Tokens of every user in an Azure DevOps organization so that upcoming expirations can be visualized.

The original script is available in my GitHub repository and is shown below:

Let’s go through each command used.

  1. The PowerShell script receives the following parameters:
  • $PAT = Personal Access Token used to connect to Azure DevOps;
  • $Organization = Organization URL used to list all Personal Access Tokens of all users in the Azure DevOps organization;
  • $Connstr = connection string to the Azure SQL Database that stores the report information. To build this report, first create an Azure SQL Server and Database and run the script below:

2. Users List = uses this REST API to list all users in the Azure DevOps organization.

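# Basic authentication header: empty user name, PAT as the password
$AzureDevOpsAuthenicationHeader = @{Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$($PAT)")) }

# $Organization is placed in the URL as the path segment after the host name
$UriUsers = "https://vssps.dev.azure.com/$($Organization)/_apis/graph/users?api-version=6.1-preview.1"
$UsersResult = Invoke-RestMethod -Uri $UriUsers -Method get -Headers $AzureDevOpsAuthenicationHeader

# Only the users returned by this single call are processed
Foreach ($user in $UsersResult.value)
{
    Write-Host $user.displayName
}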

3. Personal Access Tokens List = uses this REST API to list the session token details of the Personal Access Tokens (PATs) of a particular user.

# Runs inside the user loop from step 2: $user.descriptor identifies the user
$UriUserPAT = "https://vssps.dev.azure.com/$($Organization)/_apis/tokenadmin/personalaccesstokens/$($user.descriptor)?api-version=6.1-preview.1"
$UserPATResult = Invoke-RestMethod -Uri $UriUserPAT -Method get -Headers $AzureDevOpsAuthenicationHeader

Foreach ($up in $UserPATResult.value)
{
    Write-Host $up.displayName
}

4. After all users and their Personal Access Tokens have been extracted, this information is stored in a table in Azure SQL.

5. After inserting the information into the table, I connected this database to Power BI:

  • User Name (1) = filters the report by the User Name field;
  • Personal Access Tokens Information (2) = lists all information about the Personal Access Tokens (User Name, User Email, Token Name, Creation Token Date, Expiration Date, and Token Scope);
  • Expiration Tokens by Month Year = uses this pie chart to filter the next tokens that will expire.
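
The expiration view from step 5 can also be computed in PowerShell before the rows reach the database, which is useful for alerting. This is an added example, not part of the original script: the sample records are constructed, the function name is hypothetical, and the field names validTo and scope plus the 'app_token' full-access scope value are assumptions about the tokenadmin response.

```powershell
# Constructed sample records. Field names (displayName, validTo, scope) are
# assumed to match the token objects returned by the tokenadmin call in step 3.
$SampleTokens = @(
    [pscustomobject]@{ UserName = 'Alice Example'; displayName = 'build-agent'; validTo = '2021-09-20T00:00:00Z'; scope = 'vso.build' }
    [pscustomobject]@{ UserName = 'Alice Example'; displayName = 'git-cli';     validTo = '2021-10-10T00:00:00Z'; scope = 'vso.code_write' }
    [pscustomobject]@{ UserName = 'Bob Example';   displayName = 'everything';  validTo = '2022-09-01T00:00:00Z'; scope = 'app_token' }
)

# Hypothetical helper: classifies each token by days left until expiration.
function Get-PatExpirationReport {
    param(
        [Parameter(Mandatory)] [object[]] $Tokens,
        [datetime] $AsOf = (Get-Date).ToUniversalTime(),
        [int] $WarnDays = 30
    )
    $AsOf = $AsOf.ToUniversalTime()
    foreach ($t in $Tokens) {
        # Normalise to UTC so the day count does not depend on the local time zone.
        $validTo  = ([datetime]$t.validTo).ToUniversalTime()
        $daysLeft = [int][math]::Floor(($validTo - $AsOf).TotalDays)
        $status   = if ($daysLeft -lt 0) { 'Expired' } elseif ($daysLeft -le $WarnDays) { 'ExpiringSoon' } else { 'OK' }
        [pscustomobject]@{
            UserName   = $t.UserName
            TokenName  = $t.displayName
            Scope      = $t.scope
            # Assumption: a full-access PAT is reported with scope 'app_token'.
            FullAccess = ($t.scope -eq 'app_token')
            ValidTo    = $validTo
            DaysLeft   = $daysLeft
            Status     = $status
            MonthYear  = $validTo.ToString('yyyy-MM')
        }
    }
}

# Fixed reference date so the constructed sample gives the same result on every run.
$asOf   = [datetime]::new(2021, 9, 29, 0, 0, 0, [DateTimeKind]::Utc)
$report = Get-PatExpirationReport -Tokens $SampleTokens -AsOf $asOf

# Tokens that need attention: already expired, expiring soon, or full access.
$report | Where-Object { $_.Status -ne 'OK' -or $_.FullAccess } |
    Sort-Object DaysLeft | Format-Table UserName, TokenName, Scope, DaysLeft, Status

# Same grouping as the "Expiration Tokens by Month Year" chart.
$report | Group-Object MonthYear | Sort-Object Name | Select-Object Name, Count
```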
