Recently changed azure subscription and I need to add the same in Azure DevOps – service connection. When trying to create new service connection for the changed subscription I am getting below error -
Failed to query service connection API: 'https://management.azure.com/subscriptions/{id}/resourcegroups?api-
version=2016-02-01'. Status Code: 'Unauthorized', Response from
server:
'{"error":{"code":"InvalidAuthenticationTokenTenant","message":"The
access token is from the wrong issuer
'https://sts.windows.net/{id}/'. It must match the tenant
'https://sts.windows.net/{id}/' associated with this
subscription. Please use the authority (URL)
'https://login.windows.net/{id}' to get the token. Note, if the
subscription is transferred to another tenant there is no impact to
the services, but information about new tenant could take time to
propagate (up to an hour). If you just transferred your subscription
and see this error message, please try back later."}}'
With the subscription - azure active directory is also changed. Do I need to change AD in AzureDevops? or How do I resolve this error?
Thanks.
If your subscription is in another tenant, you may need to change it.
See : https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/change-azure-ad-connection?view=azure-devops
Related
I've been trying to connect Azure monitor to my Grafana dashboard, which is deployed in a Kubernetes cluster. For this I created an app registration in Azure and assigned the 'Reader' role to it. Afterwards I filled in my Azure credentials at the Azure Monitor page in Grafana. I was able to retrieve the right subscription and receive a positive response.
But after this, when I want to open a dashboard, I receive the following error message:
Error updating options: The client '++++' with object id '++++' does
not have authorization to perform action
'microsoft.insights/metricNamespaces/read' over scope
'/subscriptions/++++/resourceGroups/++++;/providers/microsoft.insights'
or the scope is invalid. If access was recently granted, please
refresh your credentials
I'm really stuck now, because I thought that the Reader role would fix this. Anyone experienced this before?
I have tried to assign multiple roles and also created new ones and assigned them to the Grafana app registration. I expect the dashboard to be able to read the data from Azure. There is an connection between Azure and Grafana now, but it is not able to pull the data.
My bad, I figured it out. I needed to assign the Reader role on the subscription level and not only on resource group level. Hopefully this will help someone else in the future.
My requirement is to use Azure Devops services to create services connection, so I created an azure AD application in azure portal
In azure Devops project setting I created a new service connection but when I click on verify it throws me the error:
Failed to query service connection API "https://managemant.azure.com/sub/xxx?api-version=2016-06-01.status code:'status code:{"error",:{code""Authorization failed message" 'the client" with object id "does not have authorization to perform action 'microsoft.resource/sub/read,over scope'/sub/*** or scope is invalid.if access was recently granted.please refresh your credentials}}
The document I am referring to is https://learn.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure?view=azure-devops#use-spn
Would appreciate any assistance on this
TIA
I tried to reproduce the same in my environment and got the same error as below:
To resolve the error, assign reader role/permission to the Azure AD Application on the subscription level like below:
Go to Azure Portal -> Subscriptions -> Select your Subscription -> Access control (IAM) -> Add role assignment
Verification is successful after assigning the role like below:
You can also assign contributor role based on your requirement.
According to the error message, you can try go to portal and find your subscription, click on Access Control (IAM) and then click on Add role assignment use the object id. And then try to create a new service connection to check if it works.
The Service Principal or Managed Identity currently you are using from Azure Devops does not have permission to create another service principal. You have to assign specific permissions for create a service principal on your Azure AD tenant. You may try providing "Application Developer" role to the ID which you are using to authenticate from Az Devops.
Please refer this MS link for reference:
Permsissions
I am just new to Azure Cloud and Devops, so forgive me if I may forget some critical info here.
So during creation of tasks for the release and selecting subscriptions, I get an error when trying to authorize the subscription (which I suspect is because of insufficient permissions associated to my account), so I go to advanced options to select the managed identity authentication.
After which no error shows now. So I set all remaining items and assign Deploy Azure App Service task. However during the running of the agent I get an error during Deploy Azure App Service step.
Error: Failed to get resource ID for resource type 'Microsoft.Web/Sites' and resource name 'sample-vue'. Error: Could not fetch access token for Managed Service Principal. Please configure Managed Service Identity (MSI) for virtual machine 'https://aka.ms/azure-msi-docs'. Status code: 400, status message: Bad Request
I have already set my azure app service to have a system assigned managed identity, but still this error occurs. I can't find any answer, online, with regards to the error above so hoping that someone could help explain to me the problem and how to possibly fix it. My hunch now is that I may have some insufficient permissions, but I don't know what it may be.
Please try the following items:
Remove and re-add the service connection in DevOps.
Check the rights of the account on Azure subscription. Please verify if the account has at least contributor access on Azure subscriptions. Check https://learn.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator
We currently have one DevOps repository, with a functional CI/CD pipeline. We have another website hosted on a different instance (and different region) on Azure. We are trying to use our existing repo to deploy to the other Azure instance, but it is giving is the following message:
Failed to query service connection API: 'https://management.azure.com/subscriptions/c50b0601-a951-446c-b637-afa8d6bb1a1d?api-version=2016-06-01'. Status Code: 'Forbidden', Response from server: '{"error":{"code":"AuthorizationFailed","message":"The client '2317de35-b2c2-4e32-a922-e0d076a429f5' with object id '2317de35-b2c2-4e32-a922-e0d076a429f5' does not have authorization to perform action 'Microsoft.Resources/subscriptions/read' over scope '/subscriptions/c50b0601-a951-446c-b637-afa8d6bb1a1d'."}}'
I have tried all of the recommended trouble-shooting, making sure that the user is in a Global Administrator role and what-not, but still not luck. The secondary Azure subscription that we are hoping to push our builds to is a trial account. I'm not sure if it being a trial account matters.
I came across the same error. It turns out that, as the error message states, the service principal didn't have Read permission over the subscription. So the solution was to go to Azure Portal, select the subscription, select IAM and assign the role Reader to my service principal. Full explanation on here:
https://clydedz.medium.com/connecting-azure-devops-with-azure-46a908e3048f
I have the same problem. There are one repository and two instances of the application on the Azure portal. For the first instance, the subscription Pay-As-You-Go is used, and there were no problems for it when creating the service connection and CI/CD settings. For the second instance, a free subscription is used and when trying to create a new service connection (Azure Resource Manager) I get the same error.
I tried to do it with the permissions of Owner and Contributor
UPD: I was helped by the re-creation of the application in the azure portal
https://learn.microsoft.com/en-ca/azure/active-directory/develop/howto-create-service-principal-portal
Another option would be to save without verification if the Service Principle will not require permissions at the Subscription level. Like for example providing access to a Keyvault.
Check if the service connection for the second instance is correctly added in project settings:
We are trying to connect our existing VSTS account to AAD following the instructions at: https://learn.microsoft.com/en-us/vsts/accounts/connect-account-to-aad?view=vsts
When we try to perform the step at: 'Connect your VSTS account to your organization directory' #6, we receive the following error:
Account ****** connection to an AAD Tenant failed due to the error : Account entitlement not found in the dictionary for source identity 'dffde1b5-5781-4c53-bbb2-5ff5792383dc'.
We have tried this with 2 separate MSA accounts; one was existing, one we create from scratch. The MSA accounts are added as a guest to AAD. We have made it owner on the subscription, is there a permission that I am missing?
One answer said they just had to wait 12 hours, we have waited 24 with no change.
Any help would be appreciated.
Edit
Hopefully this helps:
Request is to:
PATCH https://peprodscussu2.portalext.visualstudio.com/_apis/AzureTfs/Account/b7615ac7-c2f6-466c-9f73-b8ed37258259?tenantId=f1295c9e-6264-403f-a42b-5be8fd3266fa HTTP/1.1
Response shows 500 Internal Server Error:
{"$id":"1","innerException":null,"message":"Account entitlement not found in the dictionary for source identity 'dffde1b5-5781-4c53-bbb2-5ff5792383dc'.","typeName":"Microsoft.VisualStudio.Services.Licensing.TransferUserLicenseException, Microsoft.VisualStudio.Services.WebApi","typeKey":"TransferUserLicenseException","errorCode":0,"eventId":3000}
Let me know if there is additional information from Fiddler that you need.
The issue was on Microsoft's end. Apparently there was duplicate orphaned user entries for a user that had been deleted 3 years ago from the VSTS account. They had to manually correct it. Thanks for your help.