Azure DevOps Services Losing Support for Alternate Credentials

Microsoft gave notice last week that it's going to drop Alternate Credentials support for authenticating users of its Azure DevOps Services.

The change in support will start to get enacted as early as this month for new users, and Alternate Credentials won't work for current users by March. Only Azure DevOps Services users will be affected by this change since the use of Alternate Credentials already isn't supported on Azure DevOps Server.

Microsoft offers Alternate Credentials as part of the user authentication process to support organizations that connect with Azure DevOps Services using "legacy tools," but it's viewed as not the most secure approach. The main problem with it is that Alternate Credentials "never expire and can't be scoped to limit access to the Azure DevOps data," explained Corina Arama, a senior program manager for Azure DevOps, in the announcement.

Consequently, Alternate Credentials users will lose support in March, and prospective users won't have access to it starting on Dec. 9. Here's Microsoft's end-of-support timeline for Alternate Credentials:

  • Beginning December 9, 2019 we will disable and hide Alternate Credentials settings for organizations that don't have Alternate Credentials set. This change will be in effect for all these organizations by December 20, 2019.
  • In the coming months we will work with our customers that are still using the feature, to help them switch to another, more secure authentication method.
  • March 2, 2020 -- Start gradually disabling Alternate Credentials for all Azure DevOps organizations.

It might not be apparent that Alternate Credentials are being used. Consequently, Microsoft plans to send notices to both end users and administrators in mid-December if Alternate Credentials are being used.

Microsoft recommends using Personal Access Tokens (PATs) instead of Alternate Credentials. It's possible to limit the user's scope with PATs, according to this document. PATs is a requirement when using some non-Microsoft tools to access Azure DevOps Services, the document explained:

For non-Microsoft tools that integrate into Azure DevOps but don't support Microsoft account or Azure AD authentication, you must use PATs. Examples include Git, NuGet, or Xcode. To set up PATs for non-Microsoft tools, use Git credential managers or create them manually.

IT pros can check the Azure DevOps Portal under "User Settings" to see if Alternate Credentials was configured. It's possible to turn off the Alternate Credentials policy to see its effects, but "turning the policy off is reversible until December 8, 2019," Microsoft warned.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.


  • Microsoft Warns SameSite Cookie Changes Could Break Some Apps

    IT pros could face Web application issues as early as next month with the implementation of a coming SameSite Web change, which will affect how cookies are used across sites.

  • Populating a SharePoint Document Library by E-Mail, Part 1

    While Microsoft doesn't allow you to build a SharePoint Online document library using e-mail, there is a roundabout way of getting the job done using the tools that are included with Office 365. Brien shows you how.

  • Microsoft Previews New App Reporting and Consent Tools in Azure AD

    Microsoft last week described a few Azure Active Directory improvements for organizations wanting to connect their applications to Microsoft's identity and access service.

  • Free Software Foundation Asks Microsoft To Release Windows 7 Code

    The Free Software Foundation this week announced that it has established a petition demanding that Microsoft release its proprietary Windows 7 code as free software.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.