2
votes

What is the scope of the token in $(System.AccessToken) in Azure DevOps pipelines, i.e. Build, Release and YAML pipelines?


1 Answer

2
votes

System.AccessToken is a PAT token generated for the service identity “Project Collection Build Service (account)”. This token is valid for 48 hours. However, if you have mentioned a job timeout, then it's valid for jobTimeout + JobcancellationTimeout + 5 minutes of grace period for any system delays. This is to make sure that the token is valid only until the job has timed out. This token has the app scope. In other words, it has all scopes. Note that having all scopes does not mean it has all the permissions. When you use this token you can make any REST calls to that account; the scope rule will not interfere. However, individual APIs will check for the permission for the above-mentioned service identity. If the service identity doesn't have edit release permission and you are using this token to modify a release, the scope rule will let you through, the request will land in the corresponding API controller, and there it will check for permission and return a 403 Forbidden error to your client.

Secondly, it is not possible to change this service identity’s PAT to any other user identity’s PAT.
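The behaviour described in the answer, as an added example that is not part of the original answer: a YAML job that sets explicit timeouts, maps the token into one step, and tells an authentication failure apart from the permission check the answer describes. The job name, timeout values, and the choice of the Builds list endpoint are assumptions made for illustration.

```yaml
# Added example; job name, timeouts and the endpoint called are illustrative.
jobs:
- job: CallRestApi
  # Per the answer, with a job timeout set the token lifetime becomes
  # timeout + cancel timeout + 5 minutes: here 30 + 5 + 5 = 40 minutes.
  timeoutInMinutes: 30
  cancelTimeoutInMinutes: 5
  pool:
    vmImage: ubuntu-latest
  steps:
  - bash: |
      set -euo pipefail
      # SYSTEM_COLLECTIONURI ends with a slash; the project GUID avoids
      # URL-encoding problems with project names that contain spaces.
      url="${SYSTEM_COLLECTIONURI}${SYSTEM_TEAMPROJECTID}/_apis/build/builds?api-version=7.0"
      status=$(curl -sS -o response.json -w '%{http_code}' \
        -H "Authorization: Bearer ${SYSTEM_ACCESSTOKEN}" "$url")
      case "$status" in
        200)
          echo "Call succeeded: the build service identity has this permission."
          ;;
        401)
          # Not authenticated: token not mapped into the step, or no longer valid.
          echo "##vso[task.logissue type=error]401: token missing or expired"
          exit 1
          ;;
        403)
          # Authenticated and not blocked by scope; the API's own permission
          # check rejected the build service identity.
          echo "##vso[task.logissue type=error]403: build service identity lacks permission for this API"
          exit 1
          ;;
        *)
          echo "##vso[task.logissue type=error]Unexpected HTTP status ${status}"
          exit 1
          ;;
      esac
    displayName: Call REST API with System.AccessToken
    env:
      # Secret variables are not exposed to scripts unless mapped explicitly,
      # so map the token only into the step that needs it.
      SYSTEM_ACCESSTOKEN: $(System.AccessToken)
```

Because the token carries all scopes, what this job can do is bounded only by the permissions granted to the build service identity, so those permissions are the place to apply least privilege.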