If I am the Project Collection Administrator in dev.azure.com for a particular organization, then how do I revoke someone else's Personal Access Token?
I'd expect you wouldn't be able to do that, but you can revoke the person's rights. That would stop the PAT from working (or block the person) – 4c74356b41 Jan 16 '20 at 13:17
2 Answers
how do I revoke someone else's Personal Access Token?
This is actually provided in the MSDN documentation: Revoke personal access tokens for organization users.
If you are the PCA of your organization, please follow the doc Revoke PATs to revoke PATs for your organization users.
Use the Token Revocations or the PowerShell script provided to call the REST API.

I have managed to do it by following these steps using Postman:
First we need to get the subject descriptor, which is the user’s SID in Azure AD:
GET https://vssps.dev.azure.com/{organization}/_apis/graph/users?api-version=5.1-preview.1
Now we need to list the PATs for that user. (Lists all of the session token details of the personal access tokens (PATs) for a particular user.)
GET https://vssps.dev.azure.com/{organization}/_apis/tokenadmin/personalaccesstokens/{subjectDescriptor}?api-version=5.0-preview.1
We got the {subjectDescriptor} in the "description" field in step one and this is the SID of the Azure AD user.
Now we finally revoke that PAT for the particular user. (Revokes the listed OAuth authorizations.)
POST https://vssps.dev.azure.com/{organization}/_apis/tokenadmin/revocations?api-version=5.0-preview.1
The "authorizationId" that we got in the results from step 2 needs to be put into the POST request as a JSON object. It is an array below, so that it supports multiple revocations.

    [
      {
        "authorizationId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
      }
    ]

Glad to hear you solved it and kindly shared the solution! Please mark it as the answer so that it can help more people who meet the same problem. Thanks! – Yang Shen - MSFT Jan 27 '20 at 06:26
Fantastic, this works very well using Postman (with a very minor correction of an extra bracket). However, I highly suggest using the PowerShell script that @YangShen-MSFT has shared in another answer. – KatariaA Jun 09 '21 at 07:40
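
The three requests from the Postman answer above, chained into one function with a dry-run default so the list of authorization IDs can be reviewed before anything is revoked. This is an added example, not code from the original posts or from Microsoft. Assumptions: `send` is a hypothetical caller-supplied authenticated transport, the response field names `value`, `principalName` and `descriptor` are assumed response shapes, and the users, descriptors and IDs in `fake_send` are constructed sample data.

```python
from urllib.parse import quote

API = "https://vssps.dev.azure.com/{org}/_apis"

def find_descriptor(users, principal_name):
    """Step 1: pick exactly one user's subject descriptor from the graph/users listing."""
    hits = [u["descriptor"] for u in users.get("value", [])
            if u.get("principalName", "").lower() == principal_name.lower()]
    if len(hits) != 1:  # refuse to guess: revoking the wrong user's tokens is disruptive
        raise LookupError(f"{len(hits)} users match {principal_name!r}")
    return hits[0]

def revoke_user_pats(send, org, principal_name, dry_run=True):
    """Steps 2 and 3: list the user's PATs, then revoke them all in one POST.
    send(method, url, body) is a hypothetical authenticated transport returning decoded JSON."""
    api = API.format(org=quote(org, safe=""))
    users = send("GET", f"{api}/graph/users?api-version=5.1-preview.1", None)
    subject = quote(find_descriptor(users, principal_name), safe="")
    pats = send("GET", f"{api}/tokenadmin/personalaccesstokens/{subject}"
                       "?api-version=5.0-preview.1", None)
    body = [{"authorizationId": p["authorizationId"]} for p in pats.get("value", [])]
    if body and not dry_run:
        send("POST", f"{api}/tokenadmin/revocations?api-version=5.0-preview.1", body)
    return body  # what was (or would be) revoked, for the audit record

# Constructed responses standing in for the service; field names are assumptions.
CALLS = []
def fake_send(method, url, body):
    CALLS.append((method, url, body))
    if "/graph/users" in url:
        return {"value": [
            {"principalName": "alice@example.com", "descriptor": "aad.QUxJQ0U"},
            {"principalName": "bob@example.com", "descriptor": "aad.Qk9C"}]}
    if "/personalaccesstokens/aad.Qk9C" in url:
        return {"value": [
            {"authorizationId": "11111111-1111-1111-1111-111111111111"},
            {"authorizationId": "22222222-2222-2222-2222-222222222222"}]}
    return {}

if __name__ == "__main__":
    print(revoke_user_pats(fake_send, "contoso", "bob@example.com", dry_run=False))
```

Run it once with `dry_run=True` and compare the returned IDs against the intended user before repeating with `dry_run=False`.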