Tags: azure, active-directory, azure-devops, azure-pipelines, service-principal

AzureDevOps - Failed to fetch access token after moving subscription to different AD


Moved an Azure subscription from Active Directory AD1 to Active Directory AD2. Now tasks start failing, as the previous ARM endpoint (created via the Auto SPN flow) was created with the old tenant details. Hence tasks are not able to generate the right access token.

Error Message

The access token is from the wrong issuer 'https://sts.windows.net/***/'. It must match the tenant 'https://sts.windows.net/<TenantIdNew>/' associated with this subscription.
Please use the authority (URL) 'https://login.windows.net/<TenantIdNew>' to get the token. 
Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later. (CODE: 401)

Additional Questions

  1. How do I find which tenant my VSTS is backing? Where can I find it?
  2. How do I find which tenant my subscription is backed? Where can I find it?
  3. Is it possible to re-use service endpoints created earlier (with AD1) after the move to AD2?
  4. Is it possible to update the tenant Id (via REST API) in existing service endpoints after the move to AD2?
  5. Will MSI based service endpoints be broken or will they be available after move to AD2?

Solution

  • There are the following possible solutions:

    1. Change the Active Directory backing your Azure DevOps account from AD1 to AD2.
    2. Build a trust relationship between Active Directory AD1 and AD2.
    3. First, create SPN via script and then create a manual endpoint with details provided by the script.

    Answers to additional Questions

    1. How do I find which tenant my VSTS is backing? Where can I find it?

      Go to AzureDevOps account > Organization > Azure Active Directory

    2. How do I find which tenant my subscription is backed? Where can I find it?

      Go to Azure portal > Subscriptions > select your subscription > Overview

    3. Is it possible to re-use service endpoints created earlier (with AD1) after the move to AD2?

      Yes.

      First, let's understand what a service endpoint does internally.

      1. Creates an app in AD.
      2. Assigns it permission over the subscription.


      Now let's go through our case,

      1. You created a service connection with AD1, which means an AD app app1 was created in Active Directory AD1 and assigned permission on subscription S.
      2. You moved subscription S to another Active Directory AD2, but AD app app1 still resides in the previous Active Directory AD1.


      To re-use existing service endpoint you have to update SPN Id, SPN key and tenant Id in the service endpoint.

      In the case of a manual service connection it's easy to update via the UI, but in the case of the auto SPN flow you have to update the above-mentioned fields via the REST API.

    4. Is it possible to update the tenant Id (via REST API) in existing service endpoints after the move to AD2?

      Yes.

      Get all endpoints

      REQUEST TYPE - GET

      https://<accountName>.visualstudio.com/<ProjectName>/_apis/distributedtask/serviceendpoints?api-version=3.2-preview.1
      

      Get a specific endpoint

      REQUEST TYPE - GET

      https://<accountName>.visualstudio.com/<ProjectID>/_apis/distributedtask/serviceendpoints/<SERVICE_ENDPOINT_ID>?api-version=3.2-preview.1
      

      Now update the tenant Id (and, if the SPN changed, the SPN Id and key) in the response and use it as the body of the update endpoint REST API call.

      Update endpoint

      REQUEST TYPE - PUT

      https://<accountName>.visualstudio.com/<ProjectID>/_apis/distributedtask/serviceendpoints/<SERVICE_ENDPOINT_ID>?api-version=3.2-preview.1
      
    5. Will MSI based service endpoints be broken or will they be available after move to AD2?

      Yes, you only need to update the tenant Id in service connection.
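The GET / edit / PUT procedure from answer 4, written out as an added example (this is not code from the question or the answer above). It assumes a Personal Access Token with service-connection manage scope in the `AZDO_PAT` environment variable, the `3.2-preview.1` serviceendpoints API quoted in the answer, and that the ARM endpoint JSON carries the tenant, SPN id and SPN key under `authorization.parameters` as `tenantid`, `serviceprincipalid` and `serviceprincipalkey`; check those key names against your own GET response before running the PUT. The SPN key is not returned by GET, so it has to be supplied explicitly.

```python
"""Retarget Azure DevOps (VSTS) ARM service endpoints to a new tenant.

Added example, not code from the original question or answer. Assumptions:
  - AZDO_PAT holds a PAT that may read and manage service connections;
  - the 3.2-preview.1 serviceendpoints API from the answer;
  - authorization.parameters uses the keys 'tenantid', 'serviceprincipalid'
    and 'serviceprincipalkey' (verify against your own GET response).
"""
import base64
import copy
import json
import os
import urllib.request

API_VERSION = "3.2-preview.1"


def endpoint_url(account, project, endpoint_id=""):
    """Build the list URL (no endpoint_id) or the single-endpoint URL."""
    base = f"https://{account}.visualstudio.com/{project}/_apis/distributedtask/serviceendpoints"
    if endpoint_id:
        base += f"/{endpoint_id}"
    return f"{base}?api-version={API_VERSION}"


def _auth_header(pat):
    # Azure DevOps accepts a PAT as the password of HTTP Basic auth with an empty user name.
    token = base64.b64encode(f":{pat}".encode()).decode()
    return f"Basic {token}"


def api_call(url, pat, method="GET", body=None):
    """Perform one JSON REST call against Azure DevOps and return the decoded response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", _auth_header(pat))
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def stale_endpoints(endpoints, expected_tenant_id):
    """Return the ARM endpoints whose stored tenant id differs from the subscription's new tenant."""
    return [
        e for e in endpoints
        if e.get("type", "").lower() == "azurerm"
        and e.get("authorization", {}).get("parameters", {}).get("tenantid", "").lower()
        != expected_tenant_id.lower()
    ]


def retarget_endpoint(endpoint, new_tenant_id, spn_id, spn_key):
    """Return a copy of the endpoint JSON with tenant, SPN id and SPN key replaced.

    The GET response does not include the old key (secrets are write-only), so the
    key of the SPN that exists in the new tenant must be passed in for the PUT.
    """
    if endpoint.get("type", "").lower() != "azurerm":
        raise ValueError(f"not an ARM endpoint: {endpoint.get('type')!r}")
    updated = copy.deepcopy(endpoint)           # never mutate the fetched object in place
    params = updated.setdefault("authorization", {}).setdefault("parameters", {})
    params["tenantid"] = new_tenant_id
    params["serviceprincipalid"] = spn_id
    params["serviceprincipalkey"] = spn_key
    return updated


if __name__ == "__main__":
    # Hypothetical account/project names; the SPN must already exist in the new tenant
    # (created by script, as solution 3 in the answer describes) and hold the role on the subscription.
    pat = os.environ["AZDO_PAT"]
    account, project = "myaccount", "MyProject"
    new_tenant, new_spn_id = os.environ["NEW_TENANT_ID"], os.environ["NEW_SPN_ID"]
    new_spn_key = os.environ["NEW_SPN_KEY"]

    listing = api_call(endpoint_url(account, project), pat)
    for ep in stale_endpoints(listing.get("value", []), new_tenant):
        full = api_call(endpoint_url(account, project, ep["id"]), pat)
        body = retarget_endpoint(full, new_tenant, new_spn_id, new_spn_key)
        api_call(endpoint_url(account, project, ep["id"]), pat, method="PUT", body=body)
        print(f"updated endpoint {ep['id']} ({ep.get('name')}) to tenant {new_tenant}")
```

`stale_endpoints` is the check worth running before touching anything: it lists exactly the ARM connections still pinned to the old tenant, which are the ones producing the "wrong issuer" 401 above. Endpoints of other types, and MSI/managed-identity connections that carry no SPN key, are left alone by the filter.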