diff --git a/docs/usage/nuget.md b/docs/usage/nuget.md
index 26c954ef22792703d437c2b5e56f8df10f17e29d..49a4b0c2eaf865f8980147aa56ec9bb75c762c56 100644
--- a/docs/usage/nuget.md
+++ b/docs/usage/nuget.md
@@ -113,6 +113,7 @@ If you're using Azure DevOps, you can set `matchHost` to `pkgs.dev.azure.com`.
 !!! note
     Only Basic HTTP authentication (via username and password) is supported.
     For Azure DevOps, you can use a PAT with `read` permissions on `Packaging` plus an empty username.
+    The generated `nuget.config` enforces basic authentication and cannot be overridden externally!
 
 ## Future work
 
diff --git a/lib/modules/manager/nuget/config-formatter.spec.ts b/lib/modules/manager/nuget/config-formatter.spec.ts
index 1912efab477fae50539d1ebab3e1ebdcf7dcf545..edd1bcb01bf52ebf77b77a19f4c9464425823b79 100644
--- a/lib/modules/manager/nuget/config-formatter.spec.ts
+++ b/lib/modules/manager/nuget/config-formatter.spec.ts
@@ -112,6 +112,13 @@ describe('modules/manager/nuget/config-formatter', () => {
           ?.attr['value']
       ).toBe('some-password');
 
+      expect(
+        myRegistryCredentials?.childWithAttribute(
+          'key',
+          'ValidAuthenticationTypes'
+        )?.attr['value']
+      ).toBe('basic');
+
       const myRegistry2Credentials = xmlDocument.descendantWithPath(
         'packageSourceCredentials.myRegistry2'
       );
@@ -122,6 +129,13 @@ describe('modules/manager/nuget/config-formatter', () => {
         myRegistry2Credentials?.childWithAttribute('key', 'ClearTextPassword')
           ?.attr['value']
       ).toBe('some-password');
+
+      expect(
+        myRegistry2Credentials?.childWithAttribute(
+          'key',
+          'ValidAuthenticationTypes'
+        )?.attr['value']
+      ).toBe('basic');
     });
 
     it('escapes registry credential names containing special characters', () => {
diff --git a/lib/modules/manager/nuget/config-formatter.ts b/lib/modules/manager/nuget/config-formatter.ts
index 00277758847b3f14f6cc3b5bc5a33ca2694a06ae..9f5355fc77bc00221720f3203e5c7425fb6aae4a 100644
--- a/lib/modules/manager/nuget/config-formatter.ts
+++ b/lib/modules/manager/nuget/config-formatter.ts
@@ -98,6 +98,8 @@ function formatPackageSourceCredentialElement(
     packageSourceCredential += `<add key="ClearTextPassword" value="${credential.password}" />\n`;
   }
 
+  packageSourceCredential += `<add key="ValidAuthenticationTypes" value="basic" />`;
+
   packageSourceCredential += `</${escapedName}>\n`;
 
   return packageSourceCredential;