Add FAQs and reorganized for Enterprise

chcomley · chcomley · commit cca7614f1998 · 2025-06-27T13:25:35.000-07:00
diff --git a/docs/organizations/accounts/faq-user-and-permissions-management.yml b/docs/organizations/accounts/faq-user-and-permissions-management.yml
@@ -9,7 +9,7 @@ metadata:
   ms.topic: faq
   ms.author: chcomley
   author: chcomley
-  ms.date: 06/16/2025
+  ms.date: 06/27/2025
   monikerRange: '<= azure-devops'
 title: User and permissions management FAQs
 summary: |
@@ -108,29 +108,38 @@ sections:
           ![Screenshot shows GitHub Enterprise listed as user's access level in Organization settings, Users page.](media/faq/github-enterprise.png)
 
       - question: |
-          Q: Are users using GitHub Enterprise Server detected as having GitHub Enterprise?
+          Q: How are GitHub Enterprise users detected?
         answer: |
-          A: No, only GitHub Enterprise cloud users are detected in Azure DevOps. Customers using GitHub Server can [sync license usage between GitHub Enterprise Server and GitHub Enterprise Cloud](https://docs.github.com/enterprise-server@3.15/billing/managing-your-license-for-github-enterprise/syncing-license-usage-between-github-enterprise-server-and-github-enterprise-cloud).
+          A: Azure DevOps automatically checks if a user has GitHub Enterprise when the user signs in. It can take up to 24 hours for their access level to change to GitHub Enterprise. There are no charges for a user with the GitHub Enterprise access level.
 
       - question: |
           Q: What kind of access do GitHub Enterprise users get in Azure DevOps?
         answer: |
           A: Basic access, which includes all features except Test Plans. For more information, see [Pricing for Azure DevOps](https://azure.microsoft.com/pricing/details/devops/azure-devops-services/)
 
       - question: |
-          Q: How are GitHub Enterprise users detected?
+          Q: What if a GitHub Enterprise user needs access to Test Plans?
         answer: |
-          A: Azure DevOps automatically checks if a user has GitHub Enterprise when the user signs in. It can take up to 24 hours for their access level to change to GitHub Enterprise. There are no charges for a user with the GitHub Enterprise access level.
+          A: GitHub Enterprise users who need access to Test Plans can be assigned the Basic + Test Plans access level. 
 
       - question: |
-          Q: What access level should I select if a user has a GitHub Enterprise license?
+          Q: What happens when a GitHub Enterprise license is no longer detected?
         answer: |
-          A: If you know a user has a GitHub Enterprise license, the best option to choose is Stakeholder, to avoid any charges for Basic before the user signs in for the first time
+          A: When a user no longer has GitHub Enterprise, they're treated like a new user.  
+          - Your organization's default access level, whether Basic or Basic + Test Plans, gets assigned automatically. 
+          - If your organization established Group Rules, the user receives the access specified for their Microsoft Entra group. Group rule reevaluation occurs every 24 hours, so they might initially have Stakeholder access before receiving group rule access. 
+          
+          Otherwise, users who no longer have access through GitHub Enterprise maintain Stakeholder access until an administrator assigns them paid access. 
+      
+      - question: |
+          Q: Are users using GitHub Enterprise Server detected as having GitHub Enterprise?
+        answer: |
+          A: No, only GitHub Enterprise cloud users are detected in Azure DevOps. Customers using GitHub Server can [sync license usage between GitHub Enterprise Server and GitHub Enterprise Cloud](https://docs.github.com/enterprise-server@3.15/billing/managing-your-license-for-github-enterprise/syncing-license-usage-between-github-enterprise-server-and-github-enterprise-cloud).
 
       - question: |
-          Q: What if a GitHub Enterprise user needs access to Test Plans?
+          Q: What access level should I select if a user has a GitHub Enterprise license?
         answer: |
-          A: GitHub Enterprise users who need access to Test Plans can be assigned the Basic + Test Plans access level. 
+          A: If you know a user has a GitHub Enterprise license, the best option to choose is Stakeholder, to avoid any charges for Basic before the user signs in for the first time
 
       - question: |
           Q: What if a GitHub Enterprise user also has a Visual Studio subscription?
diff --git a/docs/organizations/accounts/use-personal-access-tokens-to-authenticate.md b/docs/organizations/accounts/use-personal-access-tokens-to-authenticate.md
@@ -9,7 +9,7 @@ ms.assetid: d980d58e-4240-47c7-977c-baaa7028a1d8
 ms.topic: how-to
 ms.author: chcomley
 author: chcomley
-ms.date: 06/12/2025
+ms.date: 06/27/2025
 monikerRange: '<= azure-devops'
 ---
 
@@ -148,9 +148,14 @@ Do the following steps to:
 
 You can revoke a PAT at any time for these and other reasons:
 
-- Revoke a PAT if you suspect it is compromised.
-- Revoke a PAT when it is no longer needed.
-- Revoke a PAT to enforce security policies or compliance requirements.
+- **Security breach**: Revoke a PAT immediately if you suspect it is compromised, leaked, or exposed in logs or public repositories.
+- **No longer needed**: Revoke a PAT when the project, service, or integration it was created for is complete or discontinued.
+- **Policy compliance**: Revoke a PAT to enforce security policies, compliance requirements, or organizational token rotation schedules.
+- **User changes**: Revoke a PAT when a team member leaves the organization or changes roles and no longer needs access.
+- **Scope reduction**: Revoke and recreate a PAT with reduced permissions when you need to limit its access capabilities.
+- **Regular maintenance**: Revoke a PAT as part of routine security hygiene and token lifecycle management.
+
+Do the following steps to revoke a PAT:
 
 1. From your home page, open user settings :::image type="icon" source="../../media/icons/user-settings-gear.png" border="false"::: and select **Personal access tokens**.
 
@@ -255,19 +260,22 @@ A: All PATs are associated with the user identity that created it. Applications
 In Azure DevOps, you can generate access tokens that aren't linked to a specific user by using Microsoft Entra tokens issued by an [application service principal or managed identity](../../integrate/get-started/authentication/service-principal-managed-identity.md). For pipelines, use [service connections](../../pipelines/library/service-endpoints.md) to securely authenticate and authorize automated tasks without relying on user-specific credentials.
 
 ### Q: How can I regenerate/rotate PATs through the API? I saw that option in the UI, but I don’t see a similar method in the API.
-The 'Regenerate' functionality available in the UI actually accomplishes a few actions, which can be replicated through API. 
+A: The 'Regenerate' functionality available in the UI actually accomplishes a few actions, which can be replicated through API. 
 
 To rotate your PAT, do the following steps:
 1. See PAT metadata with a **GET** call, 
 2. Create a new PAT with the old PAT ID using a **POST** call, 
 3. Revoke the old PAT using a **DELETE** call.
 
+### Q: How long do expired, revoked, or inactive PATs remain visible in the Azure DevOps token list?
+
+A: PATs that are expired or revoked can no longer be used or regenerated. However, they remain visible in your PAT list for audit and reference purposes. These inactive tokens typically stay visible for several months after expiration or revocation before being automatically removed from the display. This visibility helps you track your token history and ensure proper cleanup of unused credentials.
+
 ### Q: I see a "Need admin approval" pop-up when I try to use a Microsoft Entra app to call the PAT Lifecycle Management APIs.
-Your tenant's security policies require admin consent before applications can access organization resources in the organization. Reach out to your tenant administrator.
+A: Your tenant's security policies require admin consent before applications can access organization resources in the organization. Reach out to your tenant administrator.
 
 ### Q: Can I use a service principal to create or manage PATs?
-No, personal access tokens belong to a user identity. Microsoft Entra [service principals or managed identities](../../integrate/get-started/authentication/service-principal-managed-identity.md) are able to generate short-lived Microsoft Entra tokens that can be used in most places where a PAT is accepted. Learn more about [our efforts to reduce PAT usage across Azure DevOps](https://devblogs.microsoft.com/devops/reducing-pat-usage-across-azure-devops/) and explore replacing PATs with Microsoft Entra tokens.
-
+A: No, PATs belong to a user identity. Microsoft Entra [service principals or managed identities](../../integrate/get-started/authentication/service-principal-managed-identity.md) can generate short-lived Microsoft Entra tokens that you can use in most places where a PAT is accepted. Learn more about [our efforts to reduce PAT usage across Azure DevOps](https://devblogs.microsoft.com/devops/reducing-pat-usage-across-azure-devops/) and explore replacing PATs with Microsoft Entra tokens.
 
 ## Related articles
 
