I am having authentication problems with a release pipeline

George Kallarackal 0 Reputation points
2025-02-19T13:07:51.4866667+00:00

Note: tagged on blob storage because there is no tag for Azure DevOps!

We are experiencing authentication failures in our Azure DevOps Release Pipeline when using a service principal for deployment. Despite verifying that the service principal exists, has the correct permissions, and successfully authenticates via az login, the release pipeline continues to fail authentication.

The release pipeline is called Data Store Backup test. It is trying to copy a backup file to Azure Blob Storage.

The error is
ClientSecretCredential authentication failed:

Could not find tenant id for provided tenant domain '3942511a-e43a-4a6c-9195-5ec41d5eb557'.

Please ensure that the provided service principal is found in the provided tenant domain.

Steps Taken to Troubleshoot:

  1. Verified the Service Principal Exists

• Ran: az ad sp show --id "1e928d73-d7ee-48a6-8260-e25bd3ec287a"

• Confirmed it exists in tenant 3942511a-e43a-4a6c-9195-5ec41d5eb557.

  2. Checked Tenant and Subscription Details

• Ran: az account show --query tenantId --output tsv

• Confirmed the correct tenant is being used.

  3. Validated the Service Principal Credentials

• Verified the client secret

Azure DevOps

1 answer

  1. Suresh Chikkam 235 Reputation points Microsoft External Staff
    2025-03-07T09:51:37.01+00:00

    Hi @George Kallarackal ,

    One thing to check is whether the service principal has the right permissions to access the storage account. If it's supposed to interact with Blob Storage, it should have the Storage Blob Data Contributor role.

    az role assignment list --assignee "1e928d73-d7ee-48a6-8260-e25bd3ec287a"
    

    If it turns out that the role isn't assigned, you may need to add it manually using this command.

    az role assignment create --assignee "1e928d73-d7ee-48a6-8260-e25bd3ec287a" --role "Storage Blob Data Contributor" --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>"
    

    Another possibility is that the pipeline might be using the wrong Azure environment, especially if your organization has multiple tenants or is dealing with cross-tenant deployments. It might be worth double-checking that the authentication request is actually happening against the right directory.

    If you're using a service connection in Azure DevOps, it’s a good idea to open the project settings, go to the service connections section, and check if the connection is configured correctly. You might also try re-authenticating the service connection just to rule out any misconfiguration.

    In case your pipeline is using a managed identity instead of a service principal, you’ll want to ensure that the identity has the necessary role assignments and that it’s correctly linked to the pipeline agent.

    One more thing you could try is adding a login step inside your pipeline script before running the storage operation.

    az login --service-principal -u "1e928d73-d7ee-48a6-8260-e25bd3ec287a" -p "<client-secret>" --tenant "3942511a-e43a-4a6c-9195-5ec41d5eb557"
    
    az account show
    

    If this works fine locally but fails in the pipeline, then the issue might be related to how the service principal is being used within Azure DevOps.

    Hope it helps!


    Please do not forget to click "Accept the answer" and Yes wherever the information provided helps you; this can be beneficial to other community members.

    If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.
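
A pre-flight check the pipeline could run before the copy step, combining the tenant and role checks from the answer above; this is an added example, not part of the original question or answer. The variable names AZ_TENANT_ID, AZ_CLIENT_ID and AZ_CLIENT_SECRET, the function names and the exit codes are assumptions, as is the premise that the pipeline passes the tenant as a bare GUID.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check of the values the release pipeline hands to az.
# AZ_TENANT_ID, AZ_CLIENT_ID and AZ_CLIENT_SECRET are assumed variable names.

# True only for a bare GUID: no quotes, spaces, CR/LF or domain name.
is_guid() {
  [ "${#1}" -eq 36 ] || return 1
  printf '%s\n' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Case-insensitive comparison of two tenant IDs.
same_tenant() {
  [ "$(printf '%s' "$1" | tr 'A-F' 'a-f')" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# $1 = tenant ID, $2 = client (application) ID as the pipeline sees them.
# Returns: 2/3 malformed ID, 4 login failed, 5 wrong directory, 6 role missing.
preflight() {
  if ! is_guid "$1"; then
    echo "tenant ID is not a clean GUID; raw bytes:" >&2
    printf '%s' "$1" | od -An -c >&2
    return 2
  fi
  if ! is_guid "$2"; then
    echo "client ID is not a clean GUID; raw bytes:" >&2
    printf '%s' "$2" | od -An -c >&2
    return 3
  fi
  az login --service-principal -u "$2" -p "${AZ_CLIENT_SECRET:-}" \
    --tenant "$1" --output none || return 4
  actual=$(az account show --query tenantId --output tsv)
  same_tenant "$actual" "$1" || { echo "logged in to $actual, expected $1" >&2; return 5; }
  # --all includes assignments scoped to a resource group or storage account;
  # without it only subscription-scope assignments are listed.
  scopes=$(az role assignment list --all --assignee "$2" \
    --query "[?roleDefinitionName=='Storage Blob Data Contributor'].scope" --output tsv)
  [ -n "$scopes" ] || { echo "Storage Blob Data Contributor not assigned" >&2; return 6; }
  printf '%s\n' "$scopes"
}

# Run only when the pipeline has exported the variables.
if [ -n "${AZ_TENANT_ID:-}" ] && [ -n "${AZ_CLIENT_ID:-}" ]; then
  preflight "$AZ_TENANT_ID" "$AZ_CLIENT_ID"
fi
```

The distinct exit codes let the release log show which stage failed: a malformed variable value, the login itself, a login against a different directory, or a missing role assignment.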

