Azure DevOps Authentication Changes: Global PAT and OAuth 1.0 Deprecation

Overview

Azure is deprecating two authentication capabilities that will impact both our Classic integration and Developer Platform for Azure DevOps.

Microsoft Azure is phasing out global Personal Access Tokens, which the Classic repo integration relies on for authentication.

Key Dates:

March 15th, 2026 – Creation and regeneration of global PATs will be blocked
December 1st, 2026 – All existing global PATs will be fully decommissioned and stop working

Azure is migrating from OAuth 1.0 to OAuth 2.0 (Entra), which the Developer Platform currently uses for authentication.

Timeline:

Immediate Action Required (Before March 15th, 2026):

Create new global PATs with the longest possible expiration date (ideally December 2026 or later).
Update your integration with these new tokens before March 15th, 2026.
- After this date, creating or regenerating global PATs will no longer be possible.
- Failing to update will break the Classic integration with no recovery option and no way to reinstall the integration.

Migration Required (Before December 1st, 2026):

Plan migration to Developer Platform before December 1st, 2026, when all global PATs will stop working. Take the following into account while planning the migration:
- Mend.io is actively researching the OAuth 2.0 migration impact
- Mend.io will provide detailed guidance once our analysis is complete
- Recommendation: Hold off migrating to the Developer Platform until Mend.io completes the OAuth 2.0 migration research, otherwise another migration might be required in 2026.

Current Status:

Two channels will be utilized to notify Azure DevOps integration users about this breaking change:

Mend.io’s Customer Success Managers and Account Managers will contact affected Classic integration customers.
In-Product Notifications: Alerts will appear in checks, issues, and PRs directly in Azure DevOps.