The TF401019 error occurs when your Azure DevOps Personal Access Token (PAT) has expired. This blocks Git operations like push, pull, and clone. The fix involves generating a new PAT in Azure DevOps and updating your stored credentials.
This error indicates that the Personal Access Token (PAT) you're using to authenticate with Azure DevOps has passed its expiration date. Azure DevOps PATs are time-limited credentials that expire after a configurable period (from one day to one year), and once expired, they can no longer be used for authentication.

When you perform Git operations (push, pull, clone, fetch) against an Azure DevOps repository over HTTPS, Git uses your stored credentials to authenticate. If those credentials include an expired PAT, Azure DevOps rejects the authentication attempt and returns the TF401019 error.

The error commonly appears in several scenarios:

1. **Local development** - When pushing or pulling from the command line
2. **CI/CD pipelines** - When automated builds try to access repositories
3. **IDE integrations** - When Visual Studio, VS Code, or other tools access Azure DevOps
4. **Service connections** - When external services integrate with Azure DevOps repos

Microsoft recommends keeping PAT lifespans short (ideally weekly or less) for security reasons, which means this error is relatively common in active development environments.
Create a new PAT to replace the expired one:
1. Sign in to Azure DevOps at https://dev.azure.com/{your-organization}
2. Click your profile icon (top right) > Personal access tokens
3. Click + New Token
4. Configure the token:
   - Name: Descriptive name (e.g., "Development laptop - Git access")
   - Organization: Select your organization
   - Expiration: Choose duration (Microsoft recommends weekly, but 90 days is common)
   - Scopes: Select Code > Read & write (or Full for complete access)
5. Click Create
6. Copy the token immediately - you won't be able to see it again!

```bash
# Store your new PAT somewhere secure (password manager recommended)
# You'll need it in the next steps
```

Tip: Consider setting a calendar reminder a few days before expiration to avoid this error recurring.
Remove the old cached credentials so Git will prompt for the new token:
Using Windows GUI:
1. Press Windows key and search for Credential Manager
2. Click Windows Credentials
3. Look for entries starting with:
   - git:https://dev.azure.com/{organization}
   - git:https://{organization}@dev.azure.com
   - git:https://{organization}.visualstudio.com
4. Click each entry and select Remove
Using Command Line:

```powershell
# List all credentials
cmdkey /list
# Delete Azure DevOps credentials (adjust the target name as needed)
cmdkey /delete:git:https://dev.azure.com/your-organization
cmdkey /delete:LegacyGeneric:target=git:https://dev.azure.com/your-organization
# Alternative: Delete all Git credentials for Azure DevOps
cmdkey /list | Select-String "dev.azure.com" | ForEach-Object {
    # Lines look like "Target: LegacyGeneric:target=git:https://dev.azure.com/org".
    # Strip only the leading "Target:" label; the target name itself contains colons.
    $target = $_.Line -replace '^\s*Target:\s*', ''
    cmdkey /delete:$target
}
```

After removing credentials, your next Git operation will prompt for authentication.
Use your new token for Git authentication:
When prompted for credentials:

```bash
# Run any Git command that requires authentication
git fetch origin
# When prompted:
# Username: your email address (or your Azure DevOps username)
# Password: paste-your-new-PAT-here
```

Embedding token in the remote URL (for testing):

```bash
# Check current remote
git remote -v
# Temporarily test with embedded token (replace YOUR_PAT with the new token)
git ls-remote https://YOUR_PAT@dev.azure.com/org/project/_git/repo
```

Clone with PAT:

```bash
# Clone using PAT in URL (don't commit this!)
# The URL, token included, is saved in .git/config and in your shell history
git clone https://YOUR_PAT@dev.azure.com/org/project/_git/repo
```

Configure credential caching:

```bash
# Use Git Credential Manager (recommended)
git config --global credential.helper manager
# Or cache for a specific time (1 hour = 3600 seconds)
git config --global credential.helper 'cache --timeout=3600'
```

If the error occurs in CI/CD pipelines, update the service connection:
1. Go to Project Settings > Service connections
2. Find the affected service connection (usually type "Azure Repos/Team Foundation Server")
3. Click the connection name > Edit
4. Update the Password/PAT field with your new token
5. Click Save
For YAML pipelines using checkout:

```yaml
# If using a service connection
resources:
  repositories:
    - repository: MyRepo
      type: git
      name: Project/RepoName
      endpoint: MyServiceConnection  # Update this service connection

steps:
  - checkout: MyRepo
```

Alternative - Use system access token:

```yaml
steps:
  - checkout: self
    persistCredentials: true
  - script: |
      git -c http.extraheader="AUTHORIZATION: bearer $(System.AccessToken)" fetch
    displayName: 'Git operations with system token'
```

This uses the pipeline's built-in token which doesn't expire like personal PATs.
If you're on macOS or Linux, clear credentials differently:
On macOS (Keychain):

```bash
# Remove Azure DevOps credentials
git credential-osxkeychain erase
host=dev.azure.com
protocol=https
# Press Enter twice
# Or use Keychain Access app:
# 1. Open Keychain Access
# 2. Search for "dev.azure.com"
# 3. Delete matching entries
```

On Linux:

```bash
# Check your credential helper
git config --global credential.helper
# If using 'store' (plain text file)
# Edit or remove entries from ~/.git-credentials
nano ~/.git-credentials
# Remove lines containing dev.azure.com
# If using 'cache', exit the cache daemon
git credential-cache exit
# If using libsecret (GNOME)
# Open "Passwords and Keys" (Seahorse) and remove Azure DevOps entries
```

Test authentication:

```bash
# Force re-authentication
GIT_TERMINAL_PROMPT=1 git fetch origin
# Enter your new PAT when prompted
```

Git Credential Manager (GCM) handles Azure DevOps authentication automatically:
Install GCM:

```bash
# Windows: Included with Git for Windows
# macOS
brew install git-credential-manager
# Linux (Debian/Ubuntu)
curl -LO https://github.com/git-ecosystem/git-credential-manager/releases/latest/download/gcm-linux_amd64.deb
sudo dpkg -i gcm-linux_amd64.deb
```

Configure for Azure DevOps:

```bash
# Set GCM as credential helper
git config --global credential.helper manager
# Enable Azure DevOps-specific features
git config --global credential.azreposCredentialType oauth
# Alternative: Force PAT-based authentication
git config --global credential.azreposCredentialType pat
```

GCM benefits:
- Automatic token refresh (for OAuth)
- Secure credential storage
- Multi-account support
- Browser-based authentication option

```bash
# Trigger interactive login
git credential-manager azure-repos login
# List configured credentials
git credential-manager list
```

Prevent future expiration issues with proactive management:
Azure DevOps notifications:
- Azure DevOps sends email notifications 7 days before PAT expiration
- Ensure your notification settings are enabled: User Settings > Notifications
Track PAT expiration:

```bash
# View your PATs and their expiration dates
# Navigate to: https://dev.azure.com/{org}/_usersSettings/tokens
```

Best practices:
1. Use descriptive names - Include the purpose and machine name
2. Set appropriate lifespans - Balance security vs. convenience
3. Use minimum required scopes - Only grant permissions you need
4. Document your PATs - Track where each PAT is used
5. Use managed identities - For Azure-hosted services when possible
Consider alternatives:
- OAuth - GCM supports browser-based OAuth flow
- SSH keys - Don't expire (unless you configure expiration)
- Managed identities - For Azure VMs and services
- Service principals - For automation scenarios
```bash
# Switch to SSH authentication
git remote set-url origin git@ssh.dev.azure.com:v3/org/project/repo
# Test SSH connection
ssh -T git@ssh.dev.azure.com
```

### Understanding Azure DevOps Authentication Methods
Azure DevOps supports multiple authentication mechanisms:
| Method | Best For | Expiration |
|--------|----------|------------|
| PAT | Local development, CI/CD | Configurable (1 day - 1 year) |
| OAuth | Interactive applications | Token refresh available |
| SSH Keys | Developer workstations | No expiration by default |
| Managed Identity | Azure-hosted resources | No credentials to manage |
| Service Principal | Automated processes | Certificate-based |
### Microsoft Entra ID (Azure AD) Backed Organizations
For organizations using Microsoft Entra ID:
```bash
# PATs must be used within 90 days of creation or they become inactive
# Even if the expiration date is further in the future
# To reactivate, sign in to Azure DevOps through the browser first
# Then re-use your PAT
```

### CI/CD Pipeline Best Practices
For Azure Pipelines, avoid using personal PATs when possible:
```yaml
# Use the built-in System.AccessToken (no expiration concerns)
steps:
  - checkout: self
    persistCredentials: true
  - script: |
      git push https://$(System.AccessToken)@dev.azure.com/org/project/_git/repo
    displayName: 'Push changes'
    env:
      GIT_TERMINAL_PROMPT: 0
```

### Troubleshooting Persistent Issues
If the error persists after updating credentials:
```bash
# Enable verbose Git output
GIT_TRACE=1 GIT_CURL_VERBOSE=1 git fetch origin 2>&1
# Check credential helper configuration
git config --list --show-origin | grep -i cred
# Verify remote URL format
git remote -v
# Should be: https://dev.azure.com/org/project/_git/repo
# Or: https://org.visualstudio.com/project/_git/repo (legacy)
```

### Organization Policy Considerations
Administrators can set PAT policies:
- Maximum PAT lifespan
- Required scopes for new PATs
- Restriction of PAT creation
Check with your administrator if you're unable to create PATs with your desired settings.
### Revoking Compromised PATs
If you suspect a PAT has been compromised:
1. Go to User Settings > Personal Access Tokens
2. Find the token and click Revoke
3. Generate a new PAT immediately
4. Update all services using the old token
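
After a PAT is revoked or replaced, stale copies can still sit in Git remote URLs (left by the embedded-token test and clone commands earlier) and in the plain-text `store` helper file. The bash helpers below are an added example, not part of the original article: the function names are hypothetical, and treating a user name of 40 or more characters as a token is a heuristic assumption.

```bash
#!/usr/bin/env bash
# Added example, not from the original page; sample values are constructed.
AZDO_HOSTS='dev\.azure\.com|[A-Za-z0-9-]+\.visualstudio\.com'

# Print URL with embedded secrets removed. Heuristic (assumption): a password
# part, or a user name of 40+ characters, is a token; a short user name such
# as the organization is kept.
scrub_url() {
  local url=$1 rest authority userinfo host path
  rest=${url#https://}
  authority=${rest%%/*}
  if [ "$rest" = "$url" ] || [ "${authority#*@}" = "$authority" ]; then
    printf '%s\n' "$url"; return 0            # not HTTPS, or no userinfo
  fi
  userinfo=${authority%@*}; host=${authority##*@}; path=${rest#"$authority"}
  if ! printf '%s\n' "$host" | grep -Eqx "$AZDO_HOSTS"; then
    printf '%s\n' "$url"; return 0            # not an Azure DevOps host
  fi
  userinfo=${userinfo%%:*}                    # drop any password part
  if [ -z "$userinfo" ] || [ "${#userinfo}" -ge 40 ]; then
    printf 'https://%s%s\n' "$host" "$path"
  else
    printf 'https://%s@%s%s\n' "$userinfo" "$host" "$path"
  fi
}

# Rewrite each remote of the repository in DIR whose URL carries a secret.
# The old URL is never printed, so the token does not reach logs.
scrub_repo_remotes() {
  local dir=$1 name old new
  git -C "$dir" remote | while read -r name; do
    old=$(git -C "$dir" remote get-url "$name")
    new=$(scrub_url "$old")
    if [ "$old" != "$new" ]; then
      git -C "$dir" remote set-url "$name" "$new"
      echo "scrubbed remote '$name' in $dir"
    fi
  done
}

# Remove Azure DevOps entries from a 'store' helper file.
scrub_store() {
  local file=${1:-$HOME/.git-credentials}
  [ -f "$file" ] || return 0
  ( umask 077
    grep -Ev "^https?://([^@/]*@)?($AZDO_HOSTS)(:[0-9]+)?(/|\$)" "$file" > "$file.tmp" || true )
  mv "$file.tmp" "$file"
}

# Demo: a constructed URL with a fake 52-character token
scrub_url "https://$(printf '%052d' 0)@dev.azure.com/org/project/_git/repo"
```

Run `scrub_repo_remotes` against each working copy and `scrub_store` once per machine; entries held by Git Credential Manager, Keychain or libsecret are cleared with the steps given earlier.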
### Using az devops CLI
```bash
# Install Azure CLI with DevOps extension
az extension add --name azure-devops
# Login (uses browser)
az login
# Set default organization
az devops configure --defaults organization=https://dev.azure.com/YourOrg
# Clone using CLI authentication
az repos clone --repository RepoName
```