Azure DevOps Authentication Changes: Global PAT and OAuth 1.0 Deprecation
Overview
Azure is deprecating two authentication capabilities that will impact both our Classic integration and Developer Platform for Azure DevOps.
What's Changing
1. Global PAT Deprecation (Affects Azure Repos Classic Integration)
Microsoft Azure is phasing out global Personal Access Tokens, which the Classic repo integration relies on for authentication.
Key Dates:
March 15th, 2026 – Creation and regeneration of global PATs will be blocked
December 1st, 2026 – All existing global PATs will be fully decommissioned and stop working
2. OAuth 1.0 Deprecation (Affects Developer Platform for Azure DevOps)
Azure is migrating from OAuth 1.0 to OAuth 2.0 (Entra), which the Developer Platform currently uses for authentication.
Timeline:
Date: TBD – Azure has only indicated "sometime in 2026"
Required Actions by Customer Type
Classic Integration Customers
Immediate Action Required (Before March 15th, 2026):
Create new global PATs with the longest possible expiration date (ideally December 2026 or later).
Update your integration with these new tokens before March 15th, 2026.
After this date, creating or regenerating global PATs will no longer be possible.
Failing to update will break the Classic integration with no recovery option and no way to reinstall the integration.
Migration Required (Before December 1st, 2026):
Plan migration to Developer Platform before December 1st, 2026, when all global PATs will stop working. Take the following into account while planning the migration:
Mend.io is actively researching the OAuth 2.0 migration impact
Mend.io will provide detailed guidance once our analysis is complete
Recommendation: Hold off migrating to the Developer Platform until Mend.io completes the OAuth 2.0 migration research, otherwise another migration might be required in 2026.
Developer Platform Customers
Current Status:
No immediate action required
Mend.io is actively researching the OAuth 2.0 migration impact
Mend.io will provide detailed guidance once our analysis is complete
Notifications
Two channels will be utilized to notify Azure DevOps integration users about this breaking change:
Mend.io’s Customer Success Managers and Account Managers will contact affected Classic integration customers.
In-Product Notifications: Alerts will appear in checks, issues, and PRs directly in Azure DevOps.