Azure DevOps Authentication Changes: Global PAT and OAuth 1.0 Deprecation

Overview

Azure is deprecating two authentication capabilities that will impact both our Classic integration and Developer Platform for Azure DevOps.

What's Changing

1. Global PAT Deprecation (Affects Azure Repos Classic Integration)

Microsoft Azure is phasing out global Personal Access Tokens, which the Classic repo integration relies on for authentication.

Key Date:

• December 1st, 2026 – All existing global PATs will be fully decommissioned and stop working

2. OAuth 1.0 Deprecation (Affects Developer Platform for Azure DevOps)

Azure is migrating from OAuth 1.0 to OAuth 2.0 (Entra), which the Developer Platform currently uses for authentication.

Timeline:

• Date: TBD – Azure has only indicated "sometime in 2026"

Required Actions by Customer Type

Classic Integration Customers

Plan migration to Developer Platform before December 1st, 2026, when all global PATs will stop working. Take the following into account while planning the migration:

• Mend.io is actively researching the OAuth 2.0 migration impact

• Mend.io will provide detailed guidance once our analysis is complete

• Recommendation: Hold off migrating to the Developer Platform until Mend.io completes the OAuth 2.0 migration research, otherwise another migration might be required in 2026.

Developer Platform Customers

Current Status:

• No immediate action required

• Mend.io is actively researching the OAuth 2.0 migration impact

• Mend.io will provide detailed guidance once our analysis is complete

Notifications

Two channels will be utilized to notify Azure DevOps integration users about this breaking change:

1. Mend.io’s Customer Success Managers and Account Managers will contact affected Classic integration customers.

2. In-Product Notifications: Alerts will appear in checks, issues, and PRs directly in Azure DevOps.