Improved security with new personal access token format
We are excited to announce improvements to the format of personal access tokens (PATs), aimed at enhancing security and boosting secret detection capabilities!
Check out the release notes for details.
General
- New authentication format for Azure DevOps personal access tokens available
GitHub Advanced Security for Azure DevOps
- Automated self-hosted agent install for code scanning bits in Advanced Security
Azure Pipelines
- AzureFileCopy, AzurePowerShell, and SqlAzureDacpacDeployment tasks use Az modules only
- Use Workload identity federation for container jobs, resources, and tasks
General
New authentication format for Azure DevOps personal access tokens available
We have updated the format of personal access tokens (PATs) issued by Azure DevOps. The new format provides additional security benefits and improves the secret detection tooling available through our partner offerings, such as GitHub Advanced Security for Azure DevOps. It follows the token format now recommended across all Microsoft products. We anticipate that the additional identifiable bits will reduce false positives in these secret detection tools and allow us to mitigate detected leaks faster.
Notably, token length increases from 52 characters to 84 characters, 52 of which are randomized data. This raises the entropy of generated tokens, making them more resistant to brute-force attacks.
You are advised to regenerate all PATs currently in use immediately to benefit from these changes. You can do this on the Personal access tokens page of your User Profile or through the Personal Access Token lifecycle management APIs. Integrators should support both the new token length and the current token length while adapting to the new format.
GitHub Advanced Security for Azure DevOps
Automated self-hosted agent install for code scanning bits in Advanced Security
To simplify using self-hosted agents for code scanning in Advanced Security, the latest CodeQL bits can now be installed automatically. The Advanced-Security-Codeql-Init task includes a new variable, enableAutomaticCodeQLInstall: true, for existing pipelines, or a checkbox for new tasks. Previously, you had to install the CodeQL bundle manually in the agent tool directory.
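The following pipeline fragment is an added example, not code from the release notes: it shows where the new enableAutomaticCodeQLInstall input goes in an existing YAML pipeline that runs code scanning on a self-hosted agent. The task names follow the Advanced Security task catalog (AdvancedSecurity-Codeql-Init@1, AdvancedSecurity-Codeql-Analyze@1); the pool name, the language and the build command are constructed placeholders.

```yaml
# Added example (not from the release notes): Advanced Security code scanning on a
# self-hosted agent, letting the init task install the CodeQL bundle itself instead
# of relying on a manual install in the agent tool directory.
# Assumptions: pool name 'SelfHostedLinux', language 'csharp' and the dotnet build
# command are constructed for illustration.
trigger:
  - main

pool:
  name: SelfHostedLinux   # constructed self-hosted pool name

steps:
  - task: AdvancedSecurity-Codeql-Init@1
    displayName: Initialize CodeQL
    inputs:
      languages: csharp
      # New input described in these notes: fetch and install the CodeQL bits
      # automatically on this agent rather than requiring a pre-staged bundle.
      enableAutomaticCodeQLInstall: true

  # For compiled languages the build must run between Init and Analyze so that
  # CodeQL can trace the compilation.
  - script: dotnet build --configuration Release
    displayName: Build (traced by CodeQL)

  - task: AdvancedSecurity-Codeql-Analyze@1
    displayName: Run CodeQL analysis
```

On an agent where the bundle is already present in the tool cache, the input is harmless; its value is that a freshly provisioned image no longer needs a manual CodeQL install step before the first scan.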
Azure Pipelines
AzureFileCopy, AzurePowerShell, and SqlAzureDacpacDeployment tasks use Az modules only
The AzureFileCopy, AzurePowerShell, and SqlAzureDacpacDeployment tasks can no longer use AzureRM modules. As of February 2024, the AzureRM PowerShell module was deprecated and is no longer supported. While the AzureRM module may still function, it is no longer maintained, so any continued use is at your discretion. Tasks that previously could use either AzureRM or Az modules now use Az modules only. If you run these tasks on self-hosted agents, ensure the Az module is pre-installed on your images.
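As an added example (not code from the release notes), the fragment below guards an AzurePowerShell step on a self-hosted agent with an explicit check that the Az module is present on the image, so a missing module fails fast with a clear message instead of surfacing later inside the task. The pool name and the service connection name are constructed placeholders; the AzurePowerShell@5 inputs used are the task's standard ones.

```yaml
# Added example (not from the release notes): verify Az is installed on a
# self-hosted agent image before running the AzurePowerShell task, which no
# longer falls back to the retired AzureRM module.
# Assumptions: pool 'SelfHostedWindows' and service connection
# 'my-azure-connection' are constructed placeholders.
pool:
  name: SelfHostedWindows

steps:
  # Fail fast if the image lacks Az.Accounts (the module every Az cmdlet depends on).
  - pwsh: |
      $az = Get-Module -ListAvailable -Name Az.Accounts |
            Sort-Object Version -Descending | Select-Object -First 1
      if (-not $az) {
        Write-Host "##vso[task.logissue type=error]Az.Accounts is not installed on this agent image. Install the Az module; AzureRM is no longer supported by the AzurePowerShell task."
        exit 1
      }
      Write-Host "Found Az.Accounts $($az.Version)"
    displayName: Verify Az module is pre-installed

  - task: AzurePowerShell@5
    displayName: Run script with Az modules
    inputs:
      azureSubscription: my-azure-connection   # constructed service connection name
      ScriptType: InlineScript
      Inline: |
        # Az cmdlets only: Get-AzContext replaces the retired Get-AzureRmContext.
        Get-AzContext | Format-List Name, Subscription, Tenant
      azurePowerShellVersion: LatestVersion
      pwsh: true
```

Baking the Az module into the agent image is the durable fix; the pre-check simply makes an image that drifted from that baseline visible in the pipeline log at the right step.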
Use Workload identity federation for container jobs, resources, and tasks
Docker service connections targeting Azure Container Registry can now use Workload Identity Federation, eliminating the need for secrets. For an updated list of tasks supporting Workload Identity Federation, please refer to our documentation.
Next steps
Note: These features will roll out over the next two to three weeks.
Head over to Azure DevOps and take a look.
How to provide feedback
We would love to hear what you think about these features. Use the help menu to report a problem or provide a suggestion.
You can also get advice and your questions answered by the community on Stack Overflow.
Thanks,
Silviu Andrica