Microsoft moves to tighten Azure DevOps security with granular access tokens
Narrowing permissions could be difference between mildly pwned and totally pwned corporate network
Microsoft is bringing a granular personal access token (PAT) to its Azure DevOps REST APIs to try to reduce the damage that can happen when credentials are leaked or stolen.
The move comes weeks after cyber security firm Praetorian outlined how its researchers were able to get into the internal corporate networks of companies using Microsoft-owned GitHub for their CI/CD tools. They compromised access to GitHub through an accidentally leaked PAT, and called GitHub's beta for fine-grained access tokens "a step in the right direction."
PATs are alternatives to passwords for authenticating the identity of someone accessing a system or website, as well as developers using APIs and scripts. In this case, they're used to authenticate into Azure DevOps.
A PAT embeds a host of information. For Azure DevOps, it includes a person's security credentials and identifies the user, the organizations they can access, and the scope of the access. As cyber criminals shift tactics from compromising systems to stealing credentials in order to access corporate networks, tokens become a rich target.
"They're as critical as passwords, so you should treat them the same way," Microsoft said last month.
According to Praetorian's report, there are multiple ways a developer could inadvertently disclose a PAT: phishing, a compromise of their personal laptop, or mistakenly including it in command line logs.
To narrow the threat to its PATs, the Azure DevOps team recently created a granular PAT scope for all Azure DevOps REST APIs, Barry Wolfson, product manager for Azure DevOps, wrote in a blog post this week. OAuth2 scopes enable organizations to limit the access granted to a PAT.
"Previously, a number of Azure DevOps REST APIs were not associated with a PAT scope, which at times led customers to consume these APIs using full-scoped PATs," Wolfson writes.
"The broad permissions of a full-scoped PAT (all permissions of their corresponding user), in the hands of a malicious actor, represent a significant security risk to organizations, given the potential to access source code, production infrastructure, and other valuable assets."
He encouraged developers using a full-scoped PAT to migrate to one with a specific scope to eliminate unnecessary access. At the same time, he suggested a control plane policy that restricts the creation of full-scoped PATs.
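One way a defender can act on that advice is to inventory existing tokens and flag the full-scoped ones. The script below is an added example, not Microsoft's code; it assumes the response shape of the Azure DevOps PAT Lifecycle Management REST API (GET https://vssps.dev.azure.com/{org}/_apis/tokens/pats, which lists token metadata, never token secrets), that "app_token" is the full-access scope value there, and a 90-day lifetime limit as a local policy. The sample payload is constructed.

```python
"""Flag Azure DevOps PATs that violate least privilege: full scope or a long
lifetime.  Added example; the API response shape and the "app_token" scope
value are assumptions taken from the PAT Lifecycle Management API docs."""
import json
from datetime import datetime, timedelta

FULL_SCOPE = "app_token"        # assumed: the "full access" scope value
MAX_LIFETIME_DAYS = 90          # assumed local policy, not a Microsoft default

# Constructed sample of a list response (metadata only, no token secrets).
SAMPLE_RESPONSE = json.dumps({
    "patTokens": [
        {"displayName": "ci-build", "scope": "vso.build",
         "validTo": "2023-02-01T00:00:00Z"},
        {"displayName": "laptop-cli", "scope": FULL_SCOPE,
         "validTo": "2023-11-01T00:00:00Z"},
        {"displayName": "release", "scope": "vso.release_execute vso.code",
         "validTo": "2024-06-01T00:00:00Z"},
    ]
})


def _parse_utc(stamp):
    """Parse the API's 'Z'-suffixed ISO-8601 timestamp into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def audit_pats(response_json, now_iso):
    """Return (displayName, finding) pairs for tokens that should be migrated
    or shortened.  Scopes are space-separated, so "vso.code vso.build" is
    checked token by token rather than by substring."""
    now = _parse_utc(now_iso)
    findings = []
    for pat in json.loads(response_json)["patTokens"]:
        name = pat["displayName"]
        if FULL_SCOPE in pat["scope"].split():
            findings.append((name, "full-scoped PAT: migrate to specific scopes"))
        if _parse_utc(pat["validTo"]) - now > timedelta(days=MAX_LIFETIME_DAYS):
            findings.append((name, "lifetime exceeds policy"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_pats(SAMPLE_RESPONSE, "2023-01-01T00:00:00Z"):
        print(f"{name}: {finding}")
```

In a real run the list call needs an Entra ID bearer token rather than a PAT, and the output feeds the migration Wolfson describes rather than replacing the control plane policy.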
The Azure DevOps team's initiative comes less than a month after a similar move by GitHub, which in October introduced the public beta of fine-grained PATs.
Before then, PATs provided "very coarse-grained" permissions. They gave access to almost all of the repositories and organizations the token's user could reach, and gave the user's organization no control over, or visibility into, that access, according to a blog post by Hirsch Singhal, staff product manager at GitHub.
That's changed, Hirsch writes.
"Fine-grained personal access tokens give developers granular control over the permissions and repository access they grant to a PAT," he says. "Organization administrators are in control too, with approval policies and full visibility for tokens that access organization resources."
The fine-grained tokens get permissions from a set of more than 50 granular permissions that control access to GitHub's organization, user, and repository APIs. ®