Events
Mar 17, 9 PM - Mar 21, 10 AM
Join the meetup series to build scalable AI solutions based on real-world use cases with fellow developers and experts.
Register nowThis browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Azure DevOps Services | Azure DevOps Server 2022 - Azure DevOps Server 2019
This article presents the common troubleshooting scenarios to help you resolve issues you might encounter when creating an Azure Resource Manager service connection. See Manage service connections to learn how to create, edit, and secure service connections.
If you don't have a service connection, you can create one as follows:
From within your project, select Project settings, and then select Service connections.
Select New service connection to add a new service connection, and then select Azure Resource Manager. Select Next when you're done.
Select App registration (automatic) as the Identity type and Workload identity federation as the credential.
Select Subscription, and then select your subscription from the drop-down list. Fill out the rest of the form and then select Save when you're done.
When you save your new Azure Resource Manager service connection, Azure DevOps does the following actions:
Note
To create service connections, you need to be assigned the Creator or Administrator role for the Endpoint Creator group in your project settings: Project settings > Service connections > More Actions > Security. Project Contributors are added to this group by default.
The following issues might occur when you create service connections:
Sign in to the Azure portal using an administrator account. The account should be an owner or user account administrator
Select Microsoft Entra ID in the left navigation bar.
Ensure you're editing the appropriate directory corresponding to the user subscription. If not, select Switch directory and sign in using the appropriate credentials if necessary.
Select Users from the Manage section.
Select User settings.
Select Manage external collaboration settings from the External users section.
Change the Guest user permissions are limited option to No.
Alternatively, if you're prepared to give the user administrator-level permissions, you can make the user a member of an Administrator role. Do the following steps:
Warning
Assigning users to the Global Administrator role allows them to read and modify every administrative setting in your Microsoft Entra organization. As a best practice, assign this role to fewer than five people in your organization.
Sign in to the Azure portal using an administrator account. The account should be an owner or user account administrator.
Select Microsoft Entra ID from the left navigation pane.
Ensure you're editing the appropriate directory corresponding to the user subscription. If not, select Switch directory and sign in using the appropriate credentials if necessary.
Select Users from the Manage section.
Use the search box to search for the user you want to manage.
Select Directory role from the Manage section, and then change the role. Select Save when you're done.
It typically takes 15 to 20 minutes to apply the changes globally. The user then can try recreating the service connection.
You must have permissions to add integrated applications in the directory. The directory administrator has permissions to change this setting.
Select Microsoft Entra ID in the left navigation pane.
Ensure you're editing the appropriate directory corresponding to the user subscription. If not, select Switch directory and sign in using the appropriate credentials if necessary.
Select Users, and then select User settings.
Under App registrations, and then change the Users can register applications option to Yes.
You can also create the service principal with an existing user who already has the required permissions in Microsoft Entra ID. For more information, see Create an Azure Resource Manager service connection with an existing service principal.
These errors typically occur when your session is expired. To resolve these issues:
This error typically occurs when you are part of multiple Entra ID tenants. Follow the below steps to resolve to verify and resolve the issue.
Navigate to VS profile.
Check whether you have multiple tenants.
Select each tenant, and then reauthenticate.
Try to create a service connection, and then check whether the subscription loads.
This error typically occurs when you don't have Write permission for the selected Azure subscription.
To resolve this issue, ask the subscription administrator to assign you the appropriate role in Microsoft Entra ID.
Maximum of 50 Azure subscriptions listed in the various Azure subscription drop-down menus (billing, service connection, and so on): If you're setting up a service connection and you have more than 50 Azure subscriptions, some of your subscriptions aren't listed. In this scenario, complete the following steps:
Old user token cached in Azure DevOps Services: If your Azure subscription isn't listed when you create an Azure Resource Manager (ARM) service connection, it might be due to an old user token cached in Azure DevOps Services. This scenario isn't immediately obvious as the list screen of Azure subscriptions doesn't display any errors or warning messages indicating that the user token is outdated. To resolve this issue, manually update the cached user token in Azure DevOps Services by doing the following steps:
Change support account types settings: This issue can be fixed by changing the supported account types settings and defining who can use your application. Do the following steps:
Sign in to the Azure portal.
If you have access to multiple tenants, use the Directory + subscription filter in the top menu to select the tenant in which you want to register an application.
Select Microsoft Entra ID from the left pane.
Select App registrations.
Select your application from the list of registered applications.
Under Authentication, select Supported account types.
Under Supported account types, Who can use this application or access this API? select Accounts in any organizational directory.
Select Save when you're done.
Old user token cached in Azure DevOps Services: If your Azure subscription isn't listed when you create an Azure Resource Manager (ARM) service connection, it might be due to an old user token cached in Azure DevOps Services. This scenario isn't immediately obvious as the list screen of Azure subscriptions doesn't display any errors or warning messages indicating that the user token is outdated. To resolve this issue, manually update the cached user token in Azure DevOps Services by doing the following steps:
An issue that often arises with service principals or secrets that are automatically created is that the token expires and needs to be renewed. If you have an issue with refreshing the token, see Failed to obtain an access token or a valid refresh token wasn't found.
If your token expired, you could see one of the error messages:
AADSTS7000215: Invalid client secret is provided
AADSTS7000222: The provided client secret keys for app '***' are expired
Invalid client id or client secret
To renew the access token for an automatically created service principal or secret:
Go to Project settings > Service connections, and then select the service connection you want to modify.
Select Edit in the upper-right corner.
Select Save.
The token for your service principal or secret is now renewed for three more months.
Note
This operation is available even if the service principal's token has not expired. Make sure that the user performing the operation has proper permissions on the subscription and Microsoft Entra ID, because it will update the secret for the app registered for the service principal. For more information, see Create an Azure Resource Manager service connection using automated security and What happens when you create a Resource Manager service connection?
This issue occurs when you try to save a service connection that has an expired secret or there are some other issues at the Entra ID level.
To resolve this issue:
Go to Project settings > Service connections, and then select the service connection you want to modify.
Select Edit in the upper-right corner, and then make any change to your service connection. The easiest and recommended change is to add a description.
Select Save to save the service connection.
Note
If you get an error like Failed to obtain the Json Web Token(JWT) using service principal client ID. Exception message: AADSTS7000112: Application is disabled.
, you need to work with your Entra ID team to confirm that the option Enabled for users to sign-in in the enterprise application linked with your service principal is not disabled.
When you set your Azure subscription dynamically for your release pipeline and want to consume the output variable from a preceding task, you might encounter this issue.
To resolve the issue, ensure that the values are defined within the variables section of your pipeline. You can then pass this variable between your pipeline's tasks.
An Azure Resource Manager service connection can connect to an Azure subscription by using a Service Principal Authentication (SPA) or managed identity authentication.
The Azure Resource Manager service connection can connect to an Azure subscription, management group, or machine learning workspace using:
When setting up the service connection with a managed identity as the authentication method, the process doesn’t create a new managed identity; it simply establishes the service connection. For this to function correctly, certain conditions must be met. Specifically, because managed identity is the chosen authentication method, there should be a system-assigned identity on the virtual machine you're using. Additionally, this virtual machine needs to act as a self-hosted agent within the pipelines for the workflow to fully execute, allowing the pipeline to deploy changes through the service connection. The system-assigned identity on the VM identifies that the same VM is serving as the agent in the pipeline, enabling authentication. This allows you to leverage the existing managed identity setup.
To learn about managed identities for virtual machines, see Assigning roles.
Note
Managed identities aren't supported in Microsoft-hosted agents. In this scenario, you must set up a self-hosted agent on an Azure VM and configure a managed identity for that VM.
Events
Mar 17, 9 PM - Mar 21, 10 AM
Join the meetup series to build scalable AI solutions based on real-world use cases with fellow developers and experts.
Register nowTraining
Module
Authenticate your Azure deployment pipeline by using service principals - Training
Learn how to create, manage, and grant permissions to service principals, which enable your deployment pipelines to securely authenticate to Azure.
Certification
Microsoft Certified: Identity and Access Administrator Associate - Certifications
Demonstrate the features of Microsoft Entra ID to modernize identity solutions, implement hybrid solutions, and implement identity governance.