In Azure DevOps you can use personal access tokens (PAT) as an alternate form of user authentication. PATs are helpful for tools integrated with Azure DevOps where you cannot use Azure Active Directory authentication.
To create a personal access token sign in to Azure DevOps and from the User Settings select Personal access tokens. Select + New Token, fill in the details and copy the token value.
Now, if you want the agent of a CI/CD pipeline to perform activities that need a Personal Access Token (e.g. updating variable groups), obviously you cannot login with this account to create a personal access token. But the agent already has a security token. You can access it using System.AccessToken
System.AccessToken is a special variable that carries the security token used by the running build.
To enable your script to use the pipeline OAuth token, you will have to enable Allow scripts to access the OAuth token in the agent properties:
For other predefined variables in Azure Pipelines see https://docs.microsoft.com/en-us/azure/devops/pipelines/build/variables