diff --git a/tools/secret-management/Azure.Sdk.Tools.SecretRotation.Stores.AzureDevOps/ServiceAccountPersonalAccessTokenStore.cs b/tools/secret-management/Azure.Sdk.Tools.SecretRotation.Stores.AzureDevOps/ServiceAccountPersonalAccessTokenStore.cs
index 80005e34497..ca5f0f49023 100644
--- a/tools/secret-management/Azure.Sdk.Tools.SecretRotation.Stores.AzureDevOps/ServiceAccountPersonalAccessTokenStore.cs
+++ b/tools/secret-management/Azure.Sdk.Tools.SecretRotation.Stores.AzureDevOps/ServiceAccountPersonalAccessTokenStore.cs
@@ -131,6 +131,10 @@ public override async Task<SecretValue> OriginateValueAsync(SecretState currentS
 
         PatTokenResult result = await client.CreatePatAsync(new PatTokenCreateRequest { AllOrgs = false, DisplayName = this.patDisplayName, Scope = this.scopes, ValidTo = expirationDate.UtcDateTime });
 
+        if (result.PatTokenError != SessionTokenError.None) {
+            throw new RotationException($"Unable to create PAT: {result.PatTokenError}");
+        }
+
         string authorizationId = result.PatToken.AuthorizationId.ToString();
 
         this.logger.LogInformation("Azure DevOps responded with authorization id '{AuthorizationId}'", authorizationId);