Merged main into live

Author: mijacobs

docs/includes/qa-choose-msa-azuread-account.md

@@ -1,4 +1,4 @@
-### Why do I have to choose between a "work or school account" and my "personal account"?
+### Q: Why do I have to choose between a "work or school account" and my "personal account"?
 
-You have to choose between a "work or school account" and your "personal account" when you sign in with an email address (for example, [email protected]) shared by both accounts. Although both identities use the same sign-in address, they're separate and have different profiles, security settings, and permissions.
+A: You have to choose between a "work or school account" and your "personal account" when you sign in with an email address (for example, [email protected]) shared by both accounts. Although both identities use the same sign-in address, they're separate and have different profiles, security settings, and permissions.
 

docs/includes/qa-why-cant-sign-in-msa-azuread-account.md

@@ -1,6 +1,6 @@
-### Why can't I sign in after I select "personal Microsoft account" or "work or school account"?
+### Q: Why can't I sign in after I select "personal Microsoft account" or "work or school account"?
 
-If your sign-in address is shared by both your personal Microsoft account and your work or school account, but the selected identity doesn't have access, you can't sign in. Although both identities use the same sign-in address, they're separate and have different profiles, security settings, and permissions.
+A: If your sign-in address is shared by both your personal Microsoft account and your work or school account, but the selected identity doesn't have access, you can't sign in. Although both identities use the same sign-in address, they're separate and have different profiles, security settings, and permissions.
 Sign out completely from Azure DevOps by completing the following steps. Closing your browser might not sign you out completely. Sign in again and select your other identity:
 
 1. Close all browsers, including browsers that aren't running Azure DevOps.

docs/organizations/accounts/faq-user-and-permissions-management.yml

@@ -9,7 +9,7 @@ metadata:
   ms.topic: faq
   ms.author: chcomley
   author: chcomley
-  ms.date: 06/16/2025
+  ms.date: 06/27/2025
   monikerRange: '<= azure-devops'
 title: User and permissions management FAQs
 summary: |
@@ -51,7 +51,8 @@ sections:
         answer: |
           A: They might need a different [access level](../security/access-levels.md#supported-access-levels) assigned, in addition to permissions granted through security groups. For example, [Stakeholder access](../security/stakeholder-access.md) access level provides partial support to select features, allowing users to view and modify work items, but not to use all features.
 
-      - question: I accidentally removed my permissions and am unable to grant them again. What should I do?
+      - question: |
+          Q: I accidentally removed my permissions and am unable to grant them again. What should I do?
         answer: |
           A: The only way to resolve this scenario is to [Request an increase in permission levels](../security/request-changes-permissions.md).
 
@@ -108,29 +109,38 @@ sections:
           ![Screenshot shows GitHub Enterprise listed as user's access level in Organization settings, Users page.](media/faq/github-enterprise.png)
 
       - question: |
-          Q: Are users using GitHub Enterprise Server detected as having GitHub Enterprise?
+          Q: How are GitHub Enterprise users detected?
         answer: |
-          A: No, only GitHub Enterprise cloud users are detected in Azure DevOps. Customers using GitHub Server can [sync license usage between GitHub Enterprise Server and GitHub Enterprise Cloud](https://docs.github.com/[email protected]/billing/managing-your-license-for-github-enterprise/syncing-license-usage-between-github-enterprise-server-and-github-enterprise-cloud).
+          A: Azure DevOps automatically checks if a user has GitHub Enterprise when the user signs in. It can take up to 24 hours for their access level to change to GitHub Enterprise. There are no charges for a user with the GitHub Enterprise access level.
 
       - question: |
           Q: What kind of access do GitHub Enterprise users get in Azure DevOps?
         answer: |
           A: Basic access, which includes all features except Test Plans. For more information, see [Pricing for Azure DevOps](https://azure.microsoft.com/pricing/details/devops/azure-devops-services/)
 
       - question: |
-          Q: How are GitHub Enterprise users detected?
+          Q: What if a GitHub Enterprise user needs access to Test Plans?
         answer: |
-          A: Azure DevOps automatically checks if a user has GitHub Enterprise when the user signs in. It can take up to 24 hours for their access level to change to GitHub Enterprise. There are no charges for a user with the GitHub Enterprise access level.
+          A: GitHub Enterprise users who need access to Test Plans can be assigned the Basic + Test Plans access level. 
 
       - question: |
-          Q: What access level should I select if a user has a GitHub Enterprise license?
+          Q: What happens when a GitHub Enterprise license is no longer detected?
         answer: |
-          A: If you know a user has a GitHub Enterprise license, the best option to choose is Stakeholder, to avoid any charges for Basic before the user signs in for the first time
+          A: When a user no longer has GitHub Enterprise, they're treated like a new user.  
+          - Your organization's default access level, whether Basic or Basic + Test Plans, gets assigned automatically. 
+          - If your organization established Group Rules, the user receives the access specified for their Microsoft Entra group. Group rule reevaluation occurs every 24 hours, so they might initially have Stakeholder access before receiving group rule access. 
+          
+          Otherwise, users who no longer have access through GitHub Enterprise maintain Stakeholder access until an administrator assigns them paid access. 
+      
+      - question: |
+          Q: Are users using GitHub Enterprise Server detected as having GitHub Enterprise?
+        answer: |
+          A: No, only GitHub Enterprise cloud users are detected in Azure DevOps. Customers using GitHub Server can [sync license usage between GitHub Enterprise Server and GitHub Enterprise Cloud](https://docs.github.com/[email protected]/billing/managing-your-license-for-github-enterprise/syncing-license-usage-between-github-enterprise-server-and-github-enterprise-cloud).
 
       - question: |
-          Q: What if a GitHub Enterprise user needs access to Test Plans?
+          Q: What access level should I select if a user has a GitHub Enterprise license?
         answer: |
-          A: GitHub Enterprise users who need access to Test Plans can be assigned the Basic + Test Plans access level. 
+          A: If you know a user has a GitHub Enterprise license, the best option to choose is Stakeholder, to avoid any charges for Basic before the user signs in for the first time
 
       - question: |
           Q: What if a GitHub Enterprise user also has a Visual Studio subscription?
@@ -382,7 +392,7 @@ sections:
       - question: |
           Q: Why don't users appear or disappear promptly in Azure DevOps after I add or delete them in the Users hub?
         answer: |
-          A: If you experience delays finding new users or gettings deleted users promptly removed from Azure DevOps (for example, in drop-down lists and groups) after you add or delete users, [file a problem report on Developer Community](https://go.microsoft.com/fwlink/?LinkId=820594) so we can investigate.
+          A: If you experience delays finding new users or getting deleted users promptly removed from Azure DevOps (for example, in drop-down lists and groups) after you add or delete users, [file a problem report on Developer Community](https://go.microsoft.com/fwlink/?LinkId=820594) so we can investigate.
           
           <a name="ChooseOrgAcctMSAcct"></a>
           

docs/organizations/accounts/use-personal-access-tokens-to-authenticate.md

@@ -9,7 +9,7 @@ ms.assetid: d980d58e-4240-47c7-977c-baaa7028a1d8
 ms.topic: how-to
 ms.author: chcomley
 author: chcomley
-ms.date: 06/12/2025
+ms.date: 06/27/2025
 monikerRange: '<= azure-devops'
 ---
 
@@ -148,9 +148,14 @@ Do the following steps to:
 
 You can revoke a PAT at any time for these and other reasons:
 
-- Revoke a PAT if you suspect it is compromised.
-- Revoke a PAT when it is no longer needed.
-- Revoke a PAT to enforce security policies or compliance requirements.
+- **Security breach**: Revoke a PAT immediately if you suspect it is compromised, leaked, or exposed in logs or public repositories.
+- **No longer needed**: Revoke a PAT when the project, service, or integration it was created for is complete or discontinued.
+- **Policy compliance**: Revoke a PAT to enforce security policies, compliance requirements, or organizational token rotation schedules.
+- **User changes**: Revoke a PAT when a team member leaves the organization or changes roles and no longer needs access.
+- **Scope reduction**: Revoke and recreate a PAT with reduced permissions when you need to limit its access capabilities.
+- **Regular maintenance**: Revoke a PAT as part of routine security hygiene and token lifecycle management.
+
+Do the following steps to revoke a PAT:
 
 1. From your home page, open user settings :::image type="icon" source="../../media/icons/user-settings-gear.png" border="false"::: and select **Personal access tokens**.
 
@@ -255,19 +260,22 @@ A: All PATs are associated with the user identity that created it. Applications
 In Azure DevOps, you can generate access tokens that aren't linked to a specific user by using Microsoft Entra tokens issued by an [application service principal or managed identity](../../integrate/get-started/authentication/service-principal-managed-identity.md). For pipelines, use [service connections](../../pipelines/library/service-endpoints.md) to securely authenticate and authorize automated tasks without relying on user-specific credentials.
 
 ### Q: How can I regenerate/rotate PATs through the API? I saw that option in the UI, but I don’t see a similar method in the API.
-The 'Regenerate' functionality available in the UI actually accomplishes a few actions, which can be replicated through API. 
+A: The 'Regenerate' functionality available in the UI actually accomplishes a few actions, which can be replicated through API. 
 
 To rotate your PAT, do the following steps:
 1. See PAT metadata with a **GET** call, 
 2. Create a new PAT with the old PAT ID using a **POST** call, 
 3. Revoke the old PAT using a **DELETE** call.
 
+### Q: How long do expired, revoked, or inactive PATs remain visible in the Azure DevOps token list?
+
+A: PATs that are expired or revoked can no longer be used or regenerated. These inactive tokens stay visible for several months after expiration or revocation before being automatically removed from the display.
+
 ### Q: I see a "Need admin approval" pop-up when I try to use a Microsoft Entra app to call the PAT Lifecycle Management APIs.
-Your tenant's security policies require admin consent before applications can access organization resources in the organization. Reach out to your tenant administrator.
+A: Your tenant's security policies require admin consent before applications can access organization resources in the organization. Reach out to your tenant administrator.
 
 ### Q: Can I use a service principal to create or manage PATs?
-No, personal access tokens belong to a user identity. Microsoft Entra [service principals or managed identities](../../integrate/get-started/authentication/service-principal-managed-identity.md) are able to generate short-lived Microsoft Entra tokens that can be used in most places where a PAT is accepted. Learn more about [our efforts to reduce PAT usage across Azure DevOps](https://devblogs.microsoft.com/devops/reducing-pat-usage-across-azure-devops/) and explore replacing PATs with Microsoft Entra tokens.
-
+A: No, PATs belong to a user identity. Microsoft Entra [service principals or managed identities](../../integrate/get-started/authentication/service-principal-managed-identity.md) can generate short-lived Microsoft Entra tokens that you can use in most places where a PAT is accepted. Learn more about [our efforts to reduce PAT usage across Azure DevOps](https://devblogs.microsoft.com/devops/reducing-pat-usage-across-azure-devops/) and explore replacing PATs with Microsoft Entra tokens.
 
 ## Related articles