
ADO Pilot supports two ways to authenticate against your Azure DevOps organization. **PAT is the recommended default** for most teams; Service Principal is available on Business plan and above. This page explains the trade-offs so you can pick the right one.

## The two methods at a glance

- **Personal access token (PAT)** — fastest to set up, no extra cost, the recommended default.
- **Service Principal** — org-scoped identity with no personal token. Available on Business plan and above.

## Decision matrix

| Method                | Setup time       | Security posture                    | Extra cost                             | Best for                            | Available?     |
| --------------------- | ---------------- | ----------------------------------- | -------------------------------------- | ----------------------------------- | -------------- |
| Personal access token | About 5 minutes  | Good if rotated every 90 days       | None                                   | Every team                          | Yes            |
| Service Principal     | About 15 minutes | Org-scoped, no personal credentials | One Azure DevOps Basic license per org | Enterprises with Conditional Access | Business plan+ |

### Personal access token

PAT is what you use today. The Azure DevOps user who creates the token grants ADO Pilot the three scopes it needs (see [Required PAT scopes](./creating-a-pat.md#required-scopes)) and pastes the token into the onboarding wizard.

What to know:

- Setup is contained to one person — no Entra ID admin involvement.
- The token expires on a fixed date (90 days is the recommended window).
- The token is bound to the user who created it. If that user leaves the organization or has their account disabled, ADO Pilot stops working until someone else issues a new PAT.
- Beyond the PAT's scopes, that user also needs the **Project Administrator** Azure DevOps role on the reviewed projects, or a project-scoped Service Hooks (Edit/View Subscriptions) permission grant per project instead — narrower in scope but CLI-only, since there's no org-wide equivalent (see the linked page) — an organization role, not something you select when creating the token. See [Reviews never started: service-hook permission error](../troubleshooting/service-hook-permissions.md).
- You are responsible for rotating it on schedule — see [Rotating your PAT](./rotating-your-pat.md).

For step-by-step setup, see [Creating a Personal Access Token](./creating-a-pat.md).

### Service Principal

Service Principal is the enterprise-grade option available on Business plan and above:

- Authenticates as an Entra ID application owned by your organization, not by any individual user.
- Survives personnel changes — no rebinding when someone leaves.
- Respects Conditional Access policies cleanly because access is brokered by your Entra ID directory via a federated identity credential — not a stored certificate, secret, or personal user token.
- Requires one Azure DevOps **Basic** license assigned to the service principal in your organization (currently about $6 per month, billed by Microsoft).
- Requires an Entra ID admin to consent to ADO Pilot's application registration.

## Which should I pick?

If you are onboarding now, use **PAT** — it is the fastest path and sufficient for production reviews on every plan tier. If you need org-scoped credentials that survive personnel changes, choose **Service Principal** (available on Business plan and above). On a Business plan you can select it during onboarding, or switch later from the **Integration** settings page without losing review history, repository configuration, plans, or billing. See [Setting up Service Principal auth](./service-principal-setup.md) for the consent + setup walkthrough.


