1

Can personal access tokens in Azure DevOps be "shared" tokens that can be managed by a group of users, such as a security admin group? By managed I mean: create, revoke, edit, regenerate.

I want to avoid a situation where we have "build" or "deploy" agents that can only be maintained by one user, or suddenly stop working if that user leaves the org.

Is there an alternate authentication mechanism to PAT that works better in this situation?

Korey
  • According to https://stackoverflow.com/questions/55954771/how-do-i-properly-renew-my-pats-so-that-my-deployment-groups-do-not-stop-working, the PAT tokens aren't used for ongoing communication. I'll test that now and report back later. – Korey May 14 '20 at 15:59

2 Answers

0

According to "How do I properly renew my PATs so that my deployment groups do not stop working due to expiration of the PAT?", the PAT tokens aren't used for ongoing communication.

I verified this by revoking the personal access tokens I used to deploy my agents, but they still work.

Korey
0

According to the documentation, the PAT tokens used to register build agents are only used for the registration phase.

As a one-time step, you must register the agent. Someone with permission to administer the agent queue must complete these steps. The agent will not use this person's credentials in everyday operation, but they're required to complete registration. Learn more about how agents communicate.

Your agents won't be disrupted if the user who registered them leaves the company.

Cédric V