Using Managed Identity in Azure Pipelines: GetUserAccessToken: Failed to obtain an access token of identity. AAD returned silent failure
I am trying to run an Azure Resource Group Deployment task in Azure Pipelines. I have deployed an Azure Pipelines self-hosted agent on an Azure VM running Windows, and in my Azure DevOps organization I have set up an Azure Resource Manager service connection to a VM with a managed service identity.
However, I get the following error when trying to configure my Azure Resource Group Deployment task with my service connection with managed identity:
GetUserAccessToken: Failed to obtain an access token of identity . AAD returned silent failure.
Screenshot:
I have already verified that I granted access (Contributor) to the VM's managed identity to the target resource group:
The service connection is also scoped to the Azure subscription:
Any help on diagnosing this issue is appreciated. Thanks!
It appears that the issue comes about because it is the user account authenticated to Azure DevOps that is retrieving subscription information. Azure DevOps is not using the managed identity to retrieve the subscription information.
In particular, my original Azure DevOps user account had MFA turned on to authenticate to an Azure subscription (e.g. portal.azure.com), but did not have MFA turned on to authenticate to Azure DevOps (e.g. dev.azure.com/). I think that this was causing the issue when failing to get an access token:
I created a different user account in my Azure AD, gave it access to my Azure DevOps organization, and made sure that this new user account had Reader permissions over the target subscription and did not have MFA turned on. This resolved the issue of getting subscription info when using managed identity:
- Azure C# Cosmos DB: Property "id" is missing when it's actually present
- Azure Permission - needed for creating resource group - RBAC
- Unable to locate executable file: 'bash'. Please verify either the file path exists
- Can the Azure Service Bus be delayed before retrying a message?
- azure documentdb create document duplicates Id property
- JWT validation failure error in azure apim
- Azure App Service and Application Insights where is performance test?
- Is it possible to have a non-interactive code that logs in to Azure and creates users in Microsoft Entra ID?
- Change Default Service Version of Microsoft Azure Blob - PHP
- Microsoft Graph: How to filter users by domain name
- Azure App Service Plan CPU Spikes to 100%
- Unable to Authenticate to DevOps API with Angual MSAL
- Azure Databricks: Not able to parameterize keys option of dlt.apply_changes
- ASP.NET Core 3.1 Azure AD Authentication throws OptionsValidationException
- Attaching a private static ip address to Azure Container Instance
- Azure Synapse severless SQL pool - query execution fails
- How to login via Service Principal having Federated Credentials rather than Client Secrets
- Where can I find the resource id of an Azure function app in the Azure portal?
- How to forward access-control-allow-origin header from a Web App to a Front Door?
- Basic SQL commands in Terraform
- Linux Azure Webjob in nodejs referring to node.exe
- Running Azure functions locally gives "No runtime" error after .NET7 upgrade
- Azure DataSync tables not showing up
- Azure ML: Unable to find workspace
- unable to start 'Docker for windows' on Azure Win 10 VM
- How to enable virtualization in Azure VM
- Configuring AppSettings with ASP.Net Core on Azure Web App for Containers: Whither Colons?
- how to get v2 type token using msal python
- The mock in my pester test keeps calling Connect-AzAccount
- HttpResponseError in Azure Ai search