Our good practice here is to link your Azure DevOps organization with your SonarCloud one : You will be asked for one and only one PAT at the beginning of the operation, and organization setting will be the only place to update it when it will expire.