Choosing an auth method
Compare PAT and Service Principal authentication for connecting ADO Pilot to your Azure DevOps organization.
Last updated
ADO Pilot supports two ways to authenticate against your Azure DevOps organization. PAT is the recommended default for most teams; Service Principal is available on Business plan and above. This page explains the trade-offs so you can pick the right one.
The two methods at a glance
- Personal access token (PAT) — fastest to set up, no extra cost, the recommended default.
- Service Principal — org-scoped identity with no personal token. Available on Business plan and above.
Decision matrix
| Method | Setup time | Security posture | Extra cost | Best for | Available? |
|---|---|---|---|---|---|
| Personal access token | About 5 minutes | Good if rotated every 90 days | None | Every team | Yes |
| Service Principal | About 15 minutes | Org-scoped, no personal credentials | One Azure DevOps Basic license per org | Enterprises with Conditional Access | Business plan+ |
Personal access token
PAT is what you use today. The Azure DevOps user who creates the token grants ADO Pilot the three scopes it needs (see Required PAT scopes) and pastes the token into the onboarding wizard.
What to know:
- Setup is contained to one person — no Entra ID admin involvement.
- The token expires on a fixed date (90 days is the recommended window).
- The token is bound to the user who created it. If that user leaves the organization or has their account disabled, ADO Pilot stops working until someone else issues a new PAT.
- Beyond the PAT's scopes, that user also needs the Project Administrator Azure DevOps role on the reviewed projects, or a project-scoped Service Hooks (Edit/View Subscriptions) permission grant per project instead — narrower in scope but CLI-only, since there's no org-wide equivalent (see the linked page) — an organization role, not something you select when creating the token. See Reviews never started: service-hook permission error.
- You are responsible for rotating it on schedule — see Rotating your PAT.
For step-by-step setup, see Creating a Personal Access Token.
Service Principal
Service Principal is the enterprise-grade option available on Business plan and above:
- Authenticates as an Entra ID application owned by your organization, not by any individual user.
- Survives personnel changes — no rebinding when someone leaves.
- Respects Conditional Access policies cleanly because access is brokered by your Entra ID directory via a federated identity credential — not a stored certificate, secret, or personal user token.
- Requires one Azure DevOps Basic license assigned to the service principal in your organization (currently about $6 per month, billed by Microsoft).
- Requires an Entra ID admin to consent to ADO Pilot's application registration.
Which should I pick?
If you are onboarding now, use PAT — it is the fastest path and sufficient for production reviews on every plan tier. If you need org-scoped credentials that survive personnel changes, choose Service Principal (available on Business plan and above). On a Business plan you can select it during onboarding, or switch later from the Integration settings page without losing review history, repository configuration, plans, or billing. See Setting up Service Principal auth for the consent + setup walkthrough.