Azure DevOps Services Losing Support for Alternate Credentials

Microsoft gave notice last week that it's going to drop Alternate Credentials support for authenticating users of its Azure DevOps Services.

The change will start taking effect as early as this month for new users, and Alternate Credentials won't work for current users by March. Only Azure DevOps Services users will be affected, since Alternate Credentials already aren't supported on Azure DevOps Server.

Microsoft offers Alternate Credentials as part of the user authentication process to support organizations that connect with Azure DevOps Services using "legacy tools," but it isn't considered the most secure approach. The main problem is that Alternate Credentials "never expire and can't be scoped to limit access to the Azure DevOps data," explained Corina Arama, a senior program manager for Azure DevOps, in the announcement.

Consequently, current Alternate Credentials users will lose support in March, and prospective users won't have access to the feature starting on Dec. 9. Here's Microsoft's end-of-support timeline for Alternate Credentials:

  • Beginning December 9, 2019 we will disable and hide Alternate Credentials settings for organizations that don't have Alternate Credentials set. This change will be in effect for all these organizations by December 20, 2019.
  • In the coming months we will work with our customers that are still using the feature, to help them switch to another, more secure authentication method.
  • March 2, 2020 -- Start gradually disabling Alternate Credentials for all Azure DevOps organizations.

It might not be apparent that Alternate Credentials are in use. Consequently, Microsoft plans to send notices in mid-December to both end users and administrators where Alternate Credentials are being used.

Microsoft recommends using Personal Access Tokens (PATs) instead of Alternate Credentials. It's possible to limit the user's scope with PATs, according to this document. PATs are a requirement when using some non-Microsoft tools to access Azure DevOps Services, the document explained:

For non-Microsoft tools that integrate into Azure DevOps but don't support Microsoft account or Azure AD authentication, you must use PATs. Examples include Git, NuGet, or Xcode. To set up PATs for non-Microsoft tools, use Git credential managers or create them manually.

IT pros can check the Azure DevOps Portal under "User Settings" to see if Alternate Credentials were configured. It's possible to turn off the Alternate Credentials policy to see the effects, but "turning the policy off is reversible until December 8, 2019," Microsoft warned.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

