Enable authentication using HTTP Access Tokens while username/password auth is disabled


      Our overall goal is to have our users authenticate with credentials separate from their Active Directory credentials. The reason for this is that if they are using AD credentials and their credentials are compromised, then the attacker would have access to everything that authenticates with their AD credentials. Alternatively, with a Bitbucket HTTP access token, the attacker would only have access to Bitbucket and that token could easily be revoked. We have tried to accomplish this by disabling the "Allow basic authentication" option under Authentication Methods, but currently this is all handled through a GET request, and both basic auth with username and password and tokens are serviced by the same endpoint and treated the same. So disabling basic auth API access disables all of them.

      The bearer token method mentioned here does work but is impractical.

      We would like to be able to remove our users' ability to authenticate and perform git operations and API requests using their username/password and instead force them to use an Access Token without needing to pass bearer token headers, similar to the example on the GitHub documentation page here.

            Assignee:
            Unassigned
            Reporter:
            Trenton Millner
            Votes:
            4
            Watchers:
            10