Managing Azure DevOps PATs for technical users via Node.js and Postman

Bjego
4 min read · May 6, 2021


Update in 2023

There is a newer way to connect to Azure DevOps. Have a look at my current article on how to connect via a service principal:

Getting Azure DevOps tokens via an ServicePrincipal | by Bjego | Apr, 2023 | Medium

And now back to the original post:

What should be achieved?

We want to use the new token API announced here to manage the PATs of technical users, for example to rotate the PATs of our self-hosted agents in Kubernetes, or to connect third-party software such as SonarQube.

Which API can I use?

In Q1 2021 Microsoft released the token API, which can create, list, update and revoke PATs for users: https://docs.microsoft.com/en-us/rest/api/azure/devops/tokens/pats?view=azure-devops-rest-6.1

Which flow do I have to use?

To manage the tokens of your technical users non-interactively you can use the username/password flow (the OAuth 2.0 resource owner password credentials grant, ROPC), which needs no user interaction. Be aware of the trade-off: ROPC only works for accounts that are not enforced to use MFA and are not blocked by Conditional Access, and the user's password has to be available to the job in clear. Treat it as a stop-gap and prefer the service principal approach from the 2023 update where you can.

You can also have a look at the Flask app provided by the Azure DevOps team, which manages PATs interactively. See the MS tutorial.

What do I have to prepare?

  • As described in the docs for the interactive flow, first create an application in your Azure AD (see here) and grant it the delegated Azure DevOps API permission user_impersonation.

Now note down:

  • Application (client) ID as client_id
  • Directory (tenant) ID as tenant
  • The client secret as client_secret

Create a “technical user” in Azure AD and allow it to sign in with the username/password flow (see the docs here). If you are an administrator of your Azure tenant, you need to allow username/password authentication for this user. In our organisation only a few people are allowed to manage this, so I can’t give you more insight here beyond this documentation.

For this user, note the following:

  • User Principal Name (E-Mail) as username
  • Password as password

Add your technical user to Azure DevOps and put it into the groups whose resources your automation PAT needs to reach (how to add a user to Azure DevOps). I’ve used the interactive login for this user a couple of times, so I’m not sure whether you need to log in at least once. I did it :)

Let’s get started with Postman

Get an AAD Token for your technical user

Here are the official docs; you can easily run the call in your local Postman. Configure it like this and Azure AD answers with an access_token:

POST - https://login.microsoftonline.com/TENANT/oauth2/v2.0/token
BODY - x-www-form-urlencoded with grant_type=password, client_id, client_secret, scope=499b84ac-1321-427f-aa17-267ca6975798/.default (the well-known Azure DevOps resource ID), username and password

Using the API from Azure DevOps

I’ll demonstrate the list call, as documented here. Configure Postman like this:

GET - https://vssps.dev.azure.com/YOUR_ORGANISATION/_apis/tokens/pats?api-version=6.1-preview.1 
Authorization - Bearer Token - the access_token from the response above

PAT scopes are not mentioned in the API docs

All PAT scopes are listed here: Azure DevOps Scope List. I’ve used an Excel sheet with the SUBSTITUTE function to turn all the scopes into the enum used in the TypeScript code.

Now moving over to TypeScript / NodeJS

How to configure your environment for Node.js.

The code is configured entirely through environment variables, since it is meant to run as an automated Kubernetes cron job in production.

Environment Variables

Corporate proxy and node-fetch

Loading the configuration

We use a configuration class here that loads the required information from the environment.
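The environment-driven configuration described in the last few sections, as an added example in TypeScript that is not the post's own code: it loads every required setting from an environment map, reports all missing variables at once, never echoes secret values, and exposes a redacted view for logging. The variable names (AZURE_TENANT_ID, AZDO_PASSWORD, ...) and the function names are my assumptions, not the names used in the author's repository.

```typescript
// Added example (not from the original post). Variable and function names are assumptions.

export interface AppConfig {
  tenant: string;        // Directory (tenant) ID
  clientId: string;      // Application (client) ID
  clientSecret: string;
  username: string;      // UPN of the technical user
  password: string;
  organisation: string;  // Azure DevOps organisation name
  httpsProxy?: string;   // optional corporate proxy, e.g. http://proxy.corp.example:8080
}

// Assumed variable names; adjust to your deployment.
const REQUIRED_VARS = [
  "AZURE_TENANT_ID",
  "AZURE_CLIENT_ID",
  "AZURE_CLIENT_SECRET",
  "AZDO_USERNAME",
  "AZDO_PASSWORD",
  "AZDO_ORGANISATION",
] as const;

/** Fail fast: list every missing variable in one go, but never print the values that are present. */
export function loadConfig(env: Record<string, string | undefined>): AppConfig {
  const missing = REQUIRED_VARS.filter((name) => !(env[name] ?? "").trim());
  if (missing.length > 0) {
    // Several of these hold secrets, so the message names keys only.
    throw new Error(`missing environment variables: ${missing.join(", ")}`);
  }
  const get = (name: string): string => (env[name] as string).trim();
  return {
    tenant: get("AZURE_TENANT_ID"),
    clientId: get("AZURE_CLIENT_ID"),
    clientSecret: get("AZURE_CLIENT_SECRET"),
    username: get("AZDO_USERNAME"),
    password: get("AZDO_PASSWORD"),
    organisation: get("AZDO_ORGANISATION"),
    // An empty HTTPS_PROXY counts as "no proxy".
    httpsProxy: (env.HTTPS_PROXY ?? "").trim() || undefined,
  };
}

/** A view that is safe to log at job start: identifiers kept, secrets masked. */
export function describeConfig(cfg: AppConfig): Record<string, string> {
  return {
    tenant: cfg.tenant,
    clientId: cfg.clientId,
    username: cfg.username,
    organisation: cfg.organisation,
    clientSecret: "***",
    password: "***",
    httpsProxy: cfg.httpsProxy ?? "(none)",
  };
}

// In the cron job: const cfg = loadConfig(process.env); console.log(describeConfig(cfg));
```

When `httpsProxy` is set, hand an https-proxy-agent instance to node-fetch's `agent` option for every outbound call; the loader only decides whether a proxy is configured, it does not open connections.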

Getting the Azure AD token
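The token call from the Postman section above, as an added TypeScript example (not the post's or the repository's code): the request is built and the response parsed by pure functions so that the flow can be unit-tested offline, and a thin `getAadToken` performs the actual call. Assumptions of mine: the names `TokenConfig`, `buildRopcTokenRequest`, `parseTokenResponse`; Node 18 or newer for the global `fetch` (with node-fetch and a proxy agent otherwise). The resource ID in the scope is the well-known Azure DevOps application ID.

```typescript
// Added example (not from the original post). Function and type names are assumptions.

// Well-known application ID of the Azure DevOps resource; the v2.0 endpoint
// expects it as "<id>/.default" in the scope parameter.
const AZURE_DEVOPS_RESOURCE_ID = "499b84ac-1321-427f-aa17-267ca6975798";

export interface TokenConfig {
  tenant: string;        // Directory (tenant) ID
  clientId: string;      // Application (client) ID
  clientSecret: string;
  username: string;      // UPN of the technical user
  password: string;
}

export interface TokenRequest {
  url: string;
  headers: Record<string, string>;
  body: string;          // application/x-www-form-urlencoded
}

/** Minimal form encoder so the example has no dependency beyond the JS standard library. */
function formEncode(fields: Record<string, string>): string {
  return Object.keys(fields)
    .map((k) => `${encodeURIComponent(k)}=${encodeURIComponent(fields[k])}`)
    .join("&");
}

/** grant_type=password is the ROPC flow: no browser, no MFA, the password travels with the request. */
export function buildRopcTokenRequest(cfg: TokenConfig): TokenRequest {
  return {
    url: `https://login.microsoftonline.com/${encodeURIComponent(cfg.tenant)}/oauth2/v2.0/token`,
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: formEncode({
      grant_type: "password",
      client_id: cfg.clientId,
      client_secret: cfg.clientSecret,
      scope: `${AZURE_DEVOPS_RESOURCE_ID}/.default`,
      username: cfg.username,
      password: cfg.password,
    }),
  };
}

export interface TokenResponse {
  access_token?: string;
  token_type?: string;
  expires_in?: number;        // seconds
  error?: string;             // e.g. invalid_grant
  error_description?: string;
}

export interface AccessToken { value: string; expiresAt: Date; }

/** Turn the raw JSON into a token plus absolute expiry, or fail with the AAD error code. */
export function parseTokenResponse(resp: TokenResponse, now: Date = new Date()): AccessToken {
  if (!resp.access_token || (resp.token_type ?? "Bearer").toLowerCase() !== "bearer") {
    // error_description carries the AADSTS text; keep it out of the exception that ends up in logs.
    throw new Error(`AAD token request failed: ${resp.error ?? "no access_token in response"}`);
  }
  const ttlSeconds = resp.expires_in ?? 0;
  return { value: resp.access_token, expiresAt: new Date(now.getTime() + ttlSeconds * 1000) };
}

/** Refresh a little early so a long-running job never sends an already expired bearer token. */
export function needsRefresh(tok: AccessToken, now: Date, skewSeconds = 60): boolean {
  return tok.expiresAt.getTime() - skewSeconds * 1000 <= now.getTime();
}

// Assumption: Node 18+ global fetch. Declared here so the file compiles without DOM typings.
declare const fetch: (
  url: string,
  init?: { method?: string; headers?: Record<string, string>; body?: string },
) => Promise<{ status: number; json(): Promise<unknown> }>;

/** Performs the call; kept thin so the builder and parser above carry all the logic. */
export async function getAadToken(cfg: TokenConfig): Promise<AccessToken> {
  const req = buildRopcTokenRequest(cfg);
  const res = await fetch(req.url, { method: "POST", headers: req.headers, body: req.body });
  return parseTokenResponse((await res.json()) as TokenResponse);
}
```

Cache the returned token for the lifetime of the job and check `needsRefresh` before each batch of Azure DevOps calls instead of re-running ROPC per request; every extra password grant is another sign-in event against the technical user's account.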

Bringing it all together in an AzureDevopsClient

Responses and Request objects

These have been created from the docs (here). The scopes aren’t documented there; you can find them in this documentation.

Let’s use node to manage our tokens
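An added TypeScript example, not the post's or the repository's code, covering the list call from the Postman section and the rotation job described here: request builders for the tokens/pats API (list, create, revoke), a pure `planRotation` that decides what to revoke and whether to create, and a `rotatePat` that creates the replacement before revoking the old token so a consumer never sits without a valid PAT. Assumptions of mine: the field names of `PatToken` and the `patTokens`/`patToken`/`patTokenError` response shapes follow the 6.1-preview.1 docs linked above and should be checked against them; `Send` is an injected HTTP function (fetch or node-fetch behind a proxy agent) so the logic runs against a fake in tests; `vso.build vso.code` is only a placeholder scope string.

```typescript
// Added example (not from the original post). Names and response shapes are assumptions; verify against the docs.

const API_VERSION = "6.1-preview.1";

export interface PatToken {
  authorizationId: string;
  displayName: string;
  scope: string;            // space-separated vso.* scopes; grant only what the consumer needs
  validFrom: string;        // ISO 8601
  validTo: string;          // ISO 8601
  targetAccounts: string[];
  token?: string;           // only returned on create; hand over to the consumer, never log or keep
}

export interface HttpRequest {
  method: "GET" | "POST" | "DELETE";
  url: string;
  headers: Record<string, string>;
  body?: string;
}

// vssps.dev.azure.com is the host of the tokens API (same as the Postman call above).
const base = (org: string): string => `https://vssps.dev.azure.com/${encodeURIComponent(org)}/_apis/tokens/pats`;
const authHeaders = (aadToken: string): Record<string, string> =>
  ({ Authorization: `Bearer ${aadToken}`, "Content-Type": "application/json" });

export function listPatsRequest(org: string, aadToken: string): HttpRequest {
  return { method: "GET", url: `${base(org)}?api-version=${API_VERSION}`, headers: authHeaders(aadToken) };
}

export function createPatRequest(org: string, aadToken: string, displayName: string, scope: string, validTo: Date): HttpRequest {
  // allOrgs:false keeps the PAT bound to this organisation only.
  const body = { displayName, scope, validTo: validTo.toISOString(), allOrgs: false };
  return { method: "POST", url: `${base(org)}?api-version=${API_VERSION}`, headers: authHeaders(aadToken), body: JSON.stringify(body) };
}

export function revokePatRequest(org: string, aadToken: string, authorizationId: string): HttpRequest {
  const url = `${base(org)}?authorizationId=${encodeURIComponent(authorizationId)}&api-version=${API_VERSION}`;
  return { method: "DELETE", url, headers: authHeaders(aadToken) };
}

export interface RotationPlan { revoke: PatToken[]; create: boolean; }

/** For one named PAT: keep the newest copy that still has more than renewWithinDays left,
 *  revoke every other copy with that name (expired, expiring, duplicates), create if none is left. */
export function planRotation(existing: PatToken[], displayName: string, now: Date, renewWithinDays: number): RotationPlan {
  const threshold = now.getTime() + renewWithinDays * 86_400_000;
  const mine = existing.filter((p) => p.displayName === displayName);
  const healthy = mine
    .filter((p) => new Date(p.validTo).getTime() > threshold)
    .sort((a, b) => new Date(b.validTo).getTime() - new Date(a.validTo).getTime());
  const keep = healthy[0];
  return { revoke: mine.filter((p) => p !== keep), create: keep === undefined };
}

export type Send = (req: HttpRequest) => Promise<{ status: number; json(): Promise<unknown> }>;

/** Rotate one PAT end to end. Returns the new secret when one was created, otherwise undefined. */
export async function rotatePat(
  send: Send, org: string, aadToken: string, displayName: string, scope: string,
  lifetimeDays: number, renewWithinDays: number, now: Date = new Date(),
): Promise<string | undefined> {
  const listed = await send(listPatsRequest(org, aadToken));
  if (listed.status !== 200) throw new Error(`list failed: HTTP ${listed.status}`);
  const page = (await listed.json()) as { patTokens?: PatToken[] };
  const plan = planRotation(page.patTokens ?? [], displayName, now, renewWithinDays);

  let newSecret: string | undefined;
  if (plan.create) {
    // Create first, so the consumer can be switched over before anything is revoked.
    const validTo = new Date(now.getTime() + lifetimeDays * 86_400_000);
    const created = await send(createPatRequest(org, aadToken, displayName, scope, validTo));
    const result = (await created.json()) as { patToken?: PatToken | null; patTokenError?: string | null };
    if (created.status !== 200 || !result.patToken?.token) {
      throw new Error(`create failed: ${result.patTokenError ?? `HTTP ${created.status}`}`);
    }
    newSecret = result.patToken.token;
  }
  for (const old of plan.revoke) {
    const r = await send(revokePatRequest(org, aadToken, old.authorizationId));
    if (r.status !== 204 && r.status !== 200) throw new Error(`revoke of ${old.authorizationId} failed: HTTP ${r.status}`);
  }
  return newSecret;
}
```

In the cron job the returned secret goes straight into its consumer (a Kubernetes Secret for the agents, the SonarQube service connection) and is then dropped; the list call never returns token values, so the only copy of the new PAT is the one you hand over.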

Summary

Great, isn’t it? We will now use this API to manage the PATs we need via cron jobs in our Kubernetes environment.

You can leave me comments and claps if you like this article, or if you have suggestions on how to improve the tool.

Visit the github repo here: https://github.com/Bjego/AzureDevopsPat

Originally published at https://github.com.
