Azure DevOps Services Losing Support for Alternate Credentials

Microsoft gave notice last week that it's going to drop Alternate Credentials support for authenticating users of its Azure DevOps Services.

The change will start taking effect as early as this month for new users, and Alternate Credentials won't work for current users by March. Only Azure DevOps Services users will be affected, since Alternate Credentials are already unsupported on Azure DevOps Server.

Microsoft offers Alternate Credentials as part of the user authentication process to support organizations that connect with Azure DevOps Services using "legacy tools," but the approach isn't considered the most secure one. The main problem is that Alternate Credentials "never expire and can't be scoped to limit access to the Azure DevOps data," explained Corina Arama, a senior program manager for Azure DevOps, in the announcement.

Consequently, Alternate Credentials users will lose support in March, and prospective users won't have access to it starting on Dec. 9. Here's Microsoft's end-of-support timeline for Alternate Credentials:

  • Beginning December 9, 2019 we will disable and hide Alternate Credentials settings for organizations that don't have Alternate Credentials set. This change will be in effect for all these organizations by December 20, 2019.
  • In the coming months we will work with our customers that are still using the feature, to help them switch to another, more secure authentication method.
  • March 2, 2020 -- Start gradually disabling Alternate Credentials for all Azure DevOps organizations.

It might not be apparent that Alternate Credentials are being used. Consequently, Microsoft plans to send notices to both end users and administrators in mid-December if Alternate Credentials are being used.

Microsoft recommends using Personal Access Tokens (PATs) instead of Alternate Credentials. It's possible to limit the user's scope with PATs, according to this document. PATs are a requirement when using some non-Microsoft tools to access Azure DevOps Services, the document explained:

For non-Microsoft tools that integrate into Azure DevOps but don't support Microsoft account or Azure AD authentication, you must use PATs. Examples include Git, NuGet, or Xcode. To set up PATs for non-Microsoft tools, use Git credential managers or create them manually.

IT pros can check the Azure DevOps Portal under "User Settings" to see if Alternate Credentials was configured. It's possible to turn off the Alternate Credentials policy to see its effects, but "turning the policy off is reversible until December 8, 2019," Microsoft warned.
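Besides the portal check, stored Git remotes and tool configuration files can show where a username and password pair is still in use. The following audit sketch is an added example, not code from Microsoft or the announcement; it assumes legacy tooling embeds the credential in the remote URL, and the sample config, organization name and secrets are constructed.

```python
import re
from urllib.parse import urlsplit

# Hosts that serve Azure DevOps Services: dev.azure.com and legacy *.visualstudio.com.
AZDO_HOST = re.compile(r"(^|\.)(dev\.azure\.com|visualstudio\.com)$", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def find_embedded_credentials(text, source="<input>"):
    """Report Azure DevOps URLs whose userinfo carries a password.

    https://org@dev.azure.com/... has a user name only (the normal clone URL)
    and is not reported. The secret itself is never echoed in a finding.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            parts = urlsplit(match.group(0))
            host = parts.hostname or ""
            if not AZDO_HOST.search(host):
                continue  # not an Azure DevOps Services host
            if not parts.password:
                continue  # no secret embedded in the URL
            redacted = f"{parts.scheme}://{parts.username}:***@{host}{parts.path}"
            findings.append({"source": source, "line": lineno,
                             "user": parts.username, "url": redacted})
    return findings


# Constructed sample: a .git/config with one clean remote, two that embed a
# secret, and one non-Azure DevOps remote that is out of scope.
SAMPLE_GIT_CONFIG = """\
[remote "origin"]
    url = https://contoso@dev.azure.com/contoso/Web/_git/site
[remote "build"]
    url = https://svc-build:Passw0rd-constructed@contoso.visualstudio.com/Web/_git/site
[remote "mirror"]
    url = https://anything:constructedtokenvalue@dev.azure.com/contoso/Web/_git/tools
[remote "other"]
    url = https://user:secret@example.com/repo.git
"""

if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_GIT_CONFIG, ".git/config"):
        print(f"{f['source']}:{f['line']}: user={f['user']} {f['url']}")
```

A hit does not say whether the embedded secret is an Alternate Credentials password or a PAT, so each finding still needs to be checked against the account's settings and moved to a credential manager.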

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

