Personal Access Tokens (PAT's) are an industry standard way to secure a web service endpoint or API. What does that mean? Everyone wants an open platform, but that doesn't mean it should be open to everyone! Clearly you need to control "who" can and cannot access your data, but you also need to be able to control "what" can and cannot access it. A PAT allows you to control access to your data (and to update it if necessary) via third party processes, systems such as reporting tools. 

Before you can use an OData compatible reporting tool or integration, you need to authenticate yourself and then generate an authentication token for the third party application. That sounds pretty techy but it's actually very simple:

1. First of all, log into the 365 portal via

2. Use the menu to navigate to Settings / Personal Access Tokens.    

3. This table shows you all the PAT (Personal Access Tokens) that you have created, as well as allowing you to view and revoke them.    

4. Click the "Add" button to create a new token.  
5. Select the scope that you require. In this instance you want access to the OData API, then click next.    

6. Give it a useful name (that you will recognise when you look at the list in a month's time and wonder if you should or shouldn't revoke this token!).

7. Then, consider carefully the expiry date of the PAT, for security reasons you don't want to create every PAT with an unlimited expiry, but if you plan to publish your Power BI, or other dashboards for your colleagues to access, then you probably don't want the PAT expiring as soon as you share it. Renewing the PAT in a year might be the best compromise, or if you want minimal hassle and are confident about how this token is to be used, and so aren't too worried about the security implication, then select "never" expire. (After all, you can return to this screen and revoke any PAT, at any time, even if you initially set it to never expire).

8. Clicking "Next" will generate your token. Don't forget to copy this token and keep it safe. Once you close the screen the token cannot be regenerated (although you can revoke it and generate a new one).

9. Finally, a note of caution - this PAT is like your credit card PIN. Never explicitly share it with anyone, as doing so would allow identity fraud within your organisation... other users who require PAT's should generate their own, using their own credentials.

Did this answer your question?