Introduction

Azure DevOps service connections authenticate pipelines to external services like Azure, GitHub, and Docker. When connections fail, pipelines can't deploy or access external resources, blocking releases.

Symptoms

Service connection authentication failed:

```text
##[error] Service connection 'my-azure-connection' could not be found or is not authorized for use.
##[error] Failed to obtain access token for service connection 'my-azure-connection'.
```

Service principal expired:

```text
# In pipeline logs:
##[error] AADSTS7000222: The provided client secret keys for app 'xxx-xxx-xxx' are expired.
```

Permission denied:

```text
##[error] The client 'xxx-xxx-xxx' with object id 'xxx' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/read' over scope '/subscriptions/xxx'.
```

Common Causes

  1. Service principal expired - Client secret exceeded validity period
  2. Permissions missing - Service principal lacks Azure RBAC permissions
  3. Service connection deleted - Connection removed from project
  4. Certificate expired - Certificate-based authentication expired
  5. Tenant changes - Subscription moved to different tenant
  6. Workload identity issues - Federated credentials misconfigured
  7. Connection scope wrong - Missing scope for required operations
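
The error lines under Symptoms can be mapped to these causes mechanically. The script below is an added example, not part of the original article: the cause labels and the function names `quoted`, `triage_log` and `sample_log` are assumptions, and the sample log is built from the placeholder messages shown above.

```bash
# Added example: classify the ##[error] lines shown under Symptoms.
# Reads a pipeline log on stdin and prints one "cause<TAB>detail" row per
# recognised line; all other lines are ignored.
quoted() {   # print the single-quoted value that follows the text in $2
    printf '%s\n' "$1" | sed -n "s/.*$2 '\([^']*\)'.*/\1/p"
}

triage_log() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *AADSTS7000222*)
                printf 'secret-expired\tapp=%s\n' "$(quoted "$line" 'for app')" ;;
            *'does not have authorization to perform action'*)
                # The action and scope show which role assignment is missing.
                printf 'rbac-missing\tclient=%s action=%s scope=%s\n' \
                    "$(quoted "$line" 'The client')" \
                    "$(quoted "$line" 'perform action')" \
                    "$(quoted "$line" 'over scope')" ;;
            *'could not be found or is not authorized for use'*)
                printf 'connection-missing-or-unauthorized\tconnection=%s\n' \
                    "$(quoted "$line" 'Service connection')" ;;
            *'Failed to obtain access token'*)
                printf 'token-request-failed\tconnection=%s\n' \
                    "$(quoted "$line" 'service connection')" ;;
        esac
    done
}

# Constructed sample log, using the placeholder messages from this article.
sample_log() {
    cat <<'EOF'
Starting: Deploy
##[error] Failed to obtain access token for service connection 'my-azure-connection'.
##[error] AADSTS7000222: The provided client secret keys for app 'xxx-xxx-xxx' are expired.
##[error] The client 'xxx-xxx-xxx' with object id 'xxx' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/read' over scope '/subscriptions/xxx'.
EOF
}

sample_log | triage_log
```

The `rbac-missing` row carries the action and scope from the error, which is what Step 4 needs to choose the role and the scope for the assignment.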

Step-by-Step Fix

  1. Check logs for specific error messages
  2. Verify configuration settings
  3. Test network connectivity
  4. Review recent changes
  5. Apply corrective action
  6. Verify the fix

Step 1: List Service Connections

```bash
# List all service connections in project
az devops service-endpoint list --project my-project

# Get specific connection
az devops service-endpoint show --id CONNECTION_ID

# Via Azure DevOps UI:
# Project Settings > Service connections
```

Step 2: Check Service Principal Status

```bash
# Get the service principal from connection
# Project Settings > Service connections > [Connection] > Manage

# Check service principal in Azure AD
az ad sp show --id "APP_ID_FROM_CONNECTION"

# Check if secret is expired
# JMESPath has no now() function, so pass the current UTC time in from the shell
NOW=$(date -u +%Y-%m-%dT%H:%M:%SZ)
az ad app credential list --id "APP_ID" --query "[?endDateTime < '$NOW']"
```

Step 3: Renew Client Secret

```bash
# Create new client secret
# --append keeps the existing secrets valid; without it they are overwritten
az ad app credential reset --id "APP_ID" --append

# Or create specific secret
az ad app credential reset --id "APP_ID" \
  --years 2 \
  --display-name "ADO-Connection-Secret"

# The new secret value appears only in this command's output; store it securely

# Update service connection with new secret
# Azure DevOps UI > Service connections > [Connection] > Edit > Verify and save
```

Step 4: Check RBAC Permissions

```bash
# Get service principal object ID
SP_OBJECT_ID=$(az ad sp show --id "APP_ID" --query id -o tsv)

# Check role assignments (--all includes resource group and resource scopes)
az role assignment list --assignee "$SP_OBJECT_ID" --all

# Permissions for Azure deployments (assign only the roles the pipeline needs):
# - Contributor (for resource management)
# - User Access Administrator (for RBAC assignments)
# - Azure Service Bus Data Owner (for Service Bus)

# Add missing permission at the narrowest scope that works
az role assignment create \
  --assignee "$SP_OBJECT_ID" \
  --role Contributor \
  --scope /subscriptions/SUB_ID/resourceGroups/my-rg
```

Step 5: Update Service Connection

```bash
# Via Azure DevOps UI:
# 1. Project Settings > Service connections > [Connection]
# 2. Click "Edit"
# 3. Update client secret
# 4. Click "Verify and save"

# Or recreate connection
# The secret is prompted for, or read from the environment variable
# AZURE_DEVOPS_EXT_AZURE_RM_SERVICE_PRINCIPAL_KEY in automation
az devops service-endpoint azurerm create \
  --name "my-azure-connection" \
  --azure-rm-service-principal-id "APP_ID" \
  --azure-rm-subscription-id "SUB_ID" \
  --azure-rm-subscription-name "Subscription Name" \
  --azure-rm-tenant-id "TENANT_ID"
```

Step 6: Use Workload Identity Federation

```bash
# Create workload identity federation (recommended over secrets)
# 1. Create managed identity or use existing
# 2. Configure federated credentials

# Create federated credential
# Copy issuer and subject exactly as shown on the service connection's details page.
# For the vstoken.dev.azure.com issuer, the GUID is the Azure DevOps organization ID,
# not the tenant ID.
az ad app federated-credential create \
  --id "APP_ID" \
  --parameters '{
    "name": "ado-federation",
    "issuer": "https://vstoken.dev.azure.com/ADO_ORG_ID",
    "subject": "sc://ADO_ORG/ADO_PROJECT/CONNECTION_NAME",
    "audiences": ["api://AzureADTokenExchange"]
  }'

# Update service connection to use workload identity
# Azure DevOps UI > Service connections > [Connection] > Edit
# Select "Workload Identity Federation"
```

Step 7: Test Service Connection

```yaml
# Test connection via Azure DevOps UI
# Project Settings > Service connections > [Connection] > Test connection

# Test via pipeline
# azure-pipelines.yml
- task: AzureCLI@2
  inputs:
    azureSubscription: 'my-azure-connection'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      az account show
      az group list
```

Step 8: Fix Scope Issues

```yaml
# Ensure service connection has correct scope
# For resource group scope:
- task: AzureWebApp@1
  inputs:
    azureSubscription: 'my-connection'  # Must have RG access
    appType: 'webAppLinux'
    resourceName: 'my-app'

# For subscription scope:
- task: AzureResourceManagerTemplateDeployment@3
  inputs:
    deploymentScope: 'Subscription'  # Connection needs subscription access
    azureResourceManagerConnection: 'my-connection'
```

Step 9: Check for Multi-Tenant Issues

```bash
# If subscription moved to different tenant
# Service principal must be recreated in new tenant

# Check tenant
az account show --query '{TenantId:tenantId,SubscriptionId:id}'

# Create service principal in correct tenant
az ad sp create-for-rbac \
  --name "my-ado-service-principal" \
  --role Contributor \
  --scopes /subscriptions/SUB_ID

# Update connection with new credentials
```

Step 10: Monitor Service Connection Health

```yaml
# Create scheduled pipeline to test connections
# azure-pipelines.yml
schedules:
  - cron: "0 0 * * *"  # Daily at midnight (UTC)
    branches:
      include:
        - main
    always: true  # Run even when there are no new commits

steps:
  - task: AzureCLI@2
    inputs:
      azureSubscription: 'my-connection'
      scriptType: 'bash'
      scriptLocation: 'inlineScript'
      inlineScript: |
        set -e
        az account show
        echo "Connection test successful"

  # Alert on failure (SendEmail@1 must be provided by an installed extension)
  - task: SendEmail@1
    condition: failed()
    inputs:
      To: 'team@example.com'
      Subject: 'Service connection test failed'
```

Service Connection Types Reference

| Type | Auth Method | Renewal |
|------|-------------|---------|
| Azure Resource Manager | Service Principal | Secret: 2 years max |
| Azure Resource Manager | Workload Identity | Auto-managed |
| GitHub | Personal Access Token | Manual |
| Docker Registry | Username/Password | Manual |
| Kubernetes | Service Account | Manual |

Verification

```bash
# Test service connection
az devops service-endpoint show --id CONNECTION_ID --query 'isReady'

# Should return true

# Run test pipeline
az pipelines run --name test-deployment --branch main

# Check pipeline logs for successful authentication
az pipelines runs show --id 123 --query 'result'

# Should show "succeeded"
```
