Azure DevOps: AZURE_FEDERATED_TOKEN not injected in pipeline using Workload Identity Federation

Albert Ventura 0 Reputation points
2025-03-28T21:43:15.52+00:00

We are trying to use Workload Identity Federation (OIDC) in Azure DevOps Pipelines to authenticate with a Service Principal in Azure AD.

However, the AZURE_FEDERATED_TOKEN is not being injected into the environment, and the variables IDENTITY_ENDPOINT and SYSTEM_IDENTITY are also missing.

We have confirmed that:

  • The Service Connection was created using Workload Identity Federation from within Azure DevOps
  • The subject sc://<org>/<project>/<connection> is correctly configured
  • The pipeline is YAML-based
  • addSpnToEnvironment: true is set
  • The pipeline runs on windows-latest (hosted agent)
  • The login to Azure via the federated SP works
  • But the token is never available in the environment

Could you please confirm if OIDC token injection is enabled for all DevOps organizations, or if it needs to be explicitly enabled for ours?

Let me know if I should provide the organization/project name privately.

Thanks!

Azure DevOps

1 answer

    Sina Salam 18,961 Reputation points
    2025-03-29T14:09:10.4966667+00:00

    Hello Albert Ventura,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that AZURE_FEDERATED_TOKEN is not being injected into the pipeline when using Workload Identity Federation.

    To resolve the issues:

    1. Check that the Issuer URL follows this pattern: https://vstoken.dev.azure.com/<org-id> For references: https://learn.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure?view=azure-devops#workload-identity-federation You can go to Project Settings > Service Connections > to ensure the connection uses workload Identity Federation (OIDC).
    2. In your pipeline YAML Configuration, replace the incorrect settings (addSpnToEnvironment: true) and use a properly configured AzureCLI@2 task:
         - task: AzureCLI@2
           inputs:
             azureSubscription: <Service-Connection-Name>
             scriptType: pscore
             # AzureCLI@2 has no "script" input; inline code goes in inlineScript
             scriptLocation: inlineScript
             # exposes servicePrincipalId, tenantId and idToken (the federated token) to the script
             addSpnToEnvironment: true
             inlineScript: |
               # the task has already logged in; this shows how the exposed token can be used for an explicit login
               az login --service-principal -u $env:servicePrincipalId -t $env:tenantId --federated-token $env:idToken
      
      For references: https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/reference/azure-cli-v2?view=azure-pipelines
    3. Use windows-2022 (or Ubuntu 20.04+) to run a compatible agent. Ensure the agent has:
      • Azure CLI 2.30+
      • Azure PowerShell 9.0+
      For reference: https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/hosted?view=azure-devops&tabs=yaml#software
    4. You can also add a step to check if the AZURE_FEDERATED_TOKEN is present:
         # pwsh runs on both Windows and Linux hosted agents; a plain "script" step on windows-latest uses cmd.exe, where "env" is not available
         - pwsh: Get-ChildItem Env: | Sort-Object Name
           displayName: Print environment variables
      
      If the token is missing, it means OIDC is not configured correctly.
    5. About the service principal, you will need to check if the Service Principal has the correct RBAC role on the target Azure resource using the shell command:
         az role assignment create --assignee <Client-ID> --role "Contributor" --scope <Azure-Resource-ID>
      
      For a reference: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-cli
    6. Finally, check the organization Security Policies (if required) by navigating to: Organization Settings > Security > Policies. This is to confirm that third-party application access via OAuth is enabled. For a reference: https://learn.microsoft.com/en-us/azure/devops/organizations/security/change-application-access-policies?view=azure-devops&tabs=preview-page

    I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.


    Please don't forget to close up the thread here by upvoting and accept it as an answer.

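As an added example (not from the question or the answer above), here is a minimal YAML pipeline that logs in through a Workload Identity Federation service connection and then inspects the OIDC token the agent actually received. With addSpnToEnvironment: true, AzureCLI@2 exposes the federated token to the script as idToken, alongside servicePrincipalId and tenantId; the task does not set a variable named AZURE_FEDERATED_TOKEN. The script decodes the token's claims and fails the job if the subject does not match the sc://<org>/<project>/<connection> subject registered on the app registration's federated credential. The service connection name, organization, project, and the expectedSubject variable are assumptions to replace with your own values.

```yaml
# Added example, not code from the thread. Angle-bracket values are assumptions.
trigger: none

pool:
  vmImage: windows-latest

variables:
  # Assumed values. expectedSubject must equal the subject identifier configured
  # on the app registration's federated credential for this service connection.
  serviceConnection: '<Service-Connection-Name>'
  expectedSubject: 'sc://<org>/<project>/<Service-Connection-Name>'

steps:
- task: AzureCLI@2
  displayName: Inspect the federated token the task received
  inputs:
    azureSubscription: $(serviceConnection)
    scriptType: pscore
    scriptLocation: inlineScript
    # With addSpnToEnvironment the task exposes servicePrincipalId, tenantId and
    # idToken (the OIDC token it exchanged for an Entra access token) to the script.
    addSpnToEnvironment: true
    inlineScript: |
      $ErrorActionPreference = 'Stop'

      if (-not $env:idToken) {
        throw 'idToken is empty: the connection is not Workload Identity Federation, or addSpnToEnvironment is not set.'
      }

      # Decode the JWT payload (second segment, base64url). The signature is NOT
      # verified here; Microsoft Entra verified it during the token exchange. This
      # only inspects the claims to diagnose a configuration mismatch.
      $payload = $env:idToken.Split('.')[1].Replace('-', '+').Replace('_', '/')
      $payload = $payload.PadRight($payload.Length + (4 - $payload.Length % 4) % 4, '=')
      $claims = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json

      # Print claims only, never the token itself: idToken is a bearer credential.
      Write-Host "iss: $($claims.iss)"
      Write-Host "sub: $($claims.sub)"
      Write-Host "aud: $($claims.aud)"

      if ($claims.sub -ne $env:EXPECTED_SUBJECT) {
        throw "Token subject '$($claims.sub)' does not match the federated credential subject '$env:EXPECTED_SUBJECT'."
      }
      if ($claims.iss -notlike 'https://vstoken.dev.azure.com/*') {
        throw "Unexpected issuer '$($claims.iss)'; expected https://vstoken.dev.azure.com/<org-id>."
      }

      # The task already authenticated with this token; confirm which identity is active.
      az account show --query '{tenant:tenantId, user:user.name}' --output table
  env:
    EXPECTED_SUBJECT: $(expectedSubject)
```

The subject check is the part worth keeping in a real pipeline: the federated credential's subject is what binds the service principal to exactly one service connection, so a subject that differs from what you expect means either the wrong connection was used or the credential on the app registration was changed. The decode step deliberately prints claims and not the token; idToken is a short-lived bearer credential and should never land in job logs.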
