Need help converting multiple azure devops organizations Workload identity service connections to old format
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 11%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Take Bakker
0
Reputation points
We use Workload identity service connections in Azure DevOps. We have a requirement that these entra id app are configured multi-tenant however by a change of Microsoft is not working in the new format we need help converting our devops organizations back to the old method so we can keep on working without interruption.
This is the issue we are having
Update: Workload identity federation uses Entra issuer: We've changed the format of the federated credential for new Azure and Docker service connections. Specifically, we changed the Issuer and Subject format as shown: ||Azure DevOps Issuer|Entra Issuer (new service connections)| | -------- | -------- | -------- | |Issuer|
https://vstoken.dev.azure.com/<organization id>|https://login.microsoftonline.com/<Entra tenant id>/v2.0| |||| |Issuer|https://vstoken.dev.azure.com/<organization id>|https://login.microsoftonline.com/<Entra tenant id>/v2.0| |Subject|sc://<organization name>/<project name>/<service connection name>|<entra prefix>/sc/<organization id>/<service connection id>|Existing service connections will work as before without any changes required. There's no change in configuration and the way tokens are obtained stays the same. Pipeline tasks don't need to be updated and work as before. For more information, review Workload identity federation uses Entra issuer. Impacted scenarios:
- If you're using automation scripts or the Terraform Azure DevOps provider to create workload identity federation–based service connections, review the Automation section of the release notes for changes you will need to make.
- If you're facing issues with third-party tasks, contact the task owners.
- Contact your Microsoft Entra tenant administrator to make sure the federation policy in your Entra tenant supports the new format. See our Troubleshooting documentation for more information.
- The new Entra issuer format has a limitation with multi-tenant app scenarios. If you're creating a service connection for this purpose, first evaluate if your scenario actually requires multi-tenant app registration. If required, reach out to Microsoft support to request the feature be disabled for your organization.
Azure DevOps
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 65%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPK%3C/text%3E%3C/svg%3E)
Pravallika KV 2,845 Reputation points Microsoft External Staff Moderator2025-11-17T01:33:24.1466667+00:00 Hi Take Bakker,
Thanks for reaching out to Microsoft Q&A.
- First, assess whether the multi-tenant app registration is crucial for your scenario. If you find it unnecessary, consider reaching out to Microsoft Support to disable this feature for your organization.
- If your existing service connections were originally created by Azure DevOps, you can easily convert them back to use the older format:
- Navigate to your Azure DevOps project and go to Project settings > Service connections.
- Select the service connection you wish to reconfigure. Click on Convert, then confirm the change.
- If you have multiple service connections that need this change, consider using a script to automate the process.
Converting multiple service connections using a script.
Resolve Azure pipelines issues while making use of Workload Identity federation (WIF).
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 77%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
Rakesh Mishra 3,795 Reputation points Microsoft External Staff Moderator2025-11-18T13:08:18.6233333+00:00 Hi @Take Bakker , following up to see if you had a chance to check previous response and if it was helpful. Please do let me know if you're still facing the issue and need any further assistance on this.
-
Take Bakker 0 Reputation points
2025-11-19T09:37:31.0833333+00:00 Hi as said in my initial post we require multi-tenant in our scenario so we require to use the old endpoint vstoken.dev.azure.com. When I try to create a support request through the Azure Portal I am redirected to this forum so please tell me how to create a service request.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 51%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAN%3C/text%3E%3C/svg%3E)
Aditya N 955 Reputation points Microsoft External Staff Moderator2025-11-21T13:02:30.5966667+00:00 Hello @Take Bakker
Please navigate to User settings -> Preview Features to disable the ‘New service connections experience’
-
Pravallika KV 2,845 Reputation points Microsoft External Staff Moderator
2025-11-24T02:17:41.62+00:00 Hi @Take Bakker , following up to see if you had a chance to check previous response and if it was helpful. Please do let us know if you're still facing the issue and need any further assistance on this.
Sign in to comment
Sign in to answer