Introduction
Azure DevOps variable groups store shared values for pipelines, including secrets from Azure Key Vault. When variable groups fail to load, pipelines can't access configuration values, causing deployment failures.
Symptoms
Variable group not found:
##[error] Variable group 'my-variables' could not be found.Key Vault secret access denied:
# In pipeline logs:
##[error] Access denied. Caller does not have permission to perform action 'Microsoft.KeyVault/vaults/secrets/read' on resource.Variable resolution failed:
##[error] The value of the variable 'MY_SECRET' could not be found.Common Causes
- 1.Key Vault connection broken - Service principal lost access
- 2.Service principal expired - Credentials no longer valid
- 3.Secret not found - Secret deleted from Key Vault
- 4.Variable group deleted - Group removed from project
- 5.Permission not granted - Pipeline lacks access to variable group
- 6.Key Vault firewall - Network rules blocking access
- 7.Secret name mismatch - Variable name differs from secret name
Step-by-Step Fix
- 1.Check logs for specific error messages
- 2.Verify configuration settings
- 3.Test network connectivity
- 4.Review recent changes
- 5.Apply corrective action
- 6.Verify the fix
Step 1: Check Variable Group Status
```bash # List variable groups az pipelines variable-group list --project my-project
# Get specific group az pipelines variable-group show --group-id 123 --project my-project
# Via Azure DevOps UI: # Pipelines > Library > Variable groups ```
Step 2: Check Key Vault Connection
```bash # If variable group links to Key Vault # Pipelines > Library > [Variable Group] > Edit
# Check Key Vault settings: # - Azure subscription # - Key Vault name # - Service connection
# Verify Key Vault exists az keyvault show --name my-keyvault --resource-group my-rg ```
Step 3: Verify Service Principal Permissions
```bash # Get service principal for the service connection # Project Settings > Service connections > [Connection] > Manage
# Check Key Vault access policy az keyvault show --name my-keyvault --query 'properties.accessPolicies'
# Add access policy for service principal az keyvault set-policy \ --name my-keyvault \ --object-id "SP_OBJECT_ID" \ --secret-permissions get list
# Or use RBAC (recommended) az role assignment create \ --assignee "SP_OBJECT_ID" \ --role "Key Vault Secrets User" \ --scope /subscriptions/SUB/resourceGroups/my-rg/providers/Microsoft.KeyVault/vaults/my-keyvault ```
Step 4: Renew Service Principal Secret
```bash # If service principal secret expired az ad app credential reset --id "APP_ID" --append
# Update service connection # Project Settings > Service connections > [Connection] > Edit > Update secret > Verify and save ```
Step 5: Check Key Vault Firewall
```bash # Check Key Vault network rules az keyvault show --name my-keyvault --query 'properties.networkAcls'
# If default action is Deny, add allow rule for Azure DevOps # Option 1: Allow trusted services az keyvault update \ --name my-keyvault \ --bypass AzureServices
# Option 2: Allow specific IPs (Azure DevOps outbound IPs) # Get IPs from: https://dev.azure.com/ORG/_apis/public/ipaddresses az keyvault network-rule add \ --name my-keyvault \ --ip-address "IP_RANGE" ```
Step 6: Verify Secret Names
```bash # List secrets in Key Vault az keyvault secret list --vault-name my-keyvault -o table
# Check secret names match variable names # Azure DevOps expects exact name match (case-insensitive)
# Get secret value to verify it exists az keyvault secret show --vault-name my-keyvault --name "MY-SECRET" ```
Step 7: Check Variable Group Permissions
```bash # Check who can use variable group # Azure DevOps UI > Pipelines > Library > [Group] > Security
# Ensure pipeline build service has access: # - Reader (read variables) # - Contributor (edit variables)
# Via CLI: az devops security permission update \ --namespace-id "5fb6bca1-1d7d-4828-8661-2e6faeee9e2f" \ --subject "PROJECT\Build Service" \ --token "Library/Project/VariableGroupId/123" \ --allow-bit 1 # Read permission ```
Step 8: Recreate Variable Group
```bash # Delete and recreate variable group az pipelines variable-group delete --group-id 123 --project my-project --yes
# Create new variable group with Key Vault az pipelines variable-group create \ --name "my-variables" \ --project my-project \ --authorize true \ --key-vault-name "my-keyvault" \ --service-connection-id "CONNECTION_ID" \ --secrets "secret1,secret2,secret3" ```
Step 9: Use Inline Variables as Fallback
```yaml # azure-pipelines.yml # If variable group fails, use pipeline variables
variables: - group: my-variables # Primary - name: MY_SECRET value: $(fallbackSecret) # Fallback
steps: - script: | echo "Using secret value" env: SECRET_VALUE: $(MY_SECRET) ```
Step 10: Monitor Variable Group Access
```bash # Enable Key Vault logging az monitor diagnostic-settings create \ --name keyvault-logs \ --resource /subscriptions/SUB/resourceGroups/my-rg/providers/Microsoft.KeyVault/vaults/my-keyvault \ --workspace /subscriptions/SUB/resourcegroups/my-rg/providers/microsoft.operationalinsights/workspaces/my-workspace \ --logs '[{"category":"AuditEvent","enabled":true}]'
Variable Group Troubleshooting Checklist
| Check | Location | Fix |
|---|---|---|
| Variable group exists | Library | Recreate |
| Key Vault connection | Variable group edit | Reconfigure |
| Service principal secret | Azure AD | Renew |
| Key Vault access policy | Key Vault | Add policy |
| Network firewall | Key Vault | Allow Azure DevOps IPs |
| Secret names | Key Vault | Match variable names |
Verification
```bash # Test variable group access az pipelines variable-group show --group-id 123 --query 'variables'
# Run test pipeline # azure-pipelines.yml variables: - group: my-variables
steps: - script: | echo "Secret loaded: $(MY_SECRET)"
# Should show variable values loaded successfully ```
Related Issues
- [Fix Azure DevOps Service Connection Failed](/articles/fix-azure-devops-service-connection-failed)
- [Fix Azure DevOps Agent Pool Full](/articles/fix-azure-devops-agent-pool-full)
- [Fix Azure Key Vault Access Denied](/articles/fix-azure-key-vault-access-denied)
Related Articles
- [Technical troubleshooting: Fix Cicd Artifact Upload Failed Storage Issue in C](cicd-artifact-upload-failed-storage)
- [Technical troubleshooting: Fix Cicd Code Quality Gate Failed Sonarqube Issue ](cicd-code-quality-gate-failed-sonarqube)
- [Technical troubleshooting: Fix Cicd Deployment Failed Health Check Issue in C](cicd-deployment-failed-health-check)
- [Technical troubleshooting: Fix Cicd Github Actions Workflow Queue Timeout in ](cicd-github-actions-workflow-queue-timeout)
- [Technical troubleshooting: Fix Cicd Gitlab Runner Stuck Pending Issue in CI/C](cicd-gitlab-runner-stuck-pending)
<script type="application/ld+json"> { "@context": "https://schema.org", "@type": "TechArticle", "headline": "Fix Azure DevOps Variable Group Not Loading", "description": "Troubleshoot Azure DevOps variable group loading failures. Fix Key Vault connections and service principal permissions.", "url": "https://www.fixwikihub.com/fix-azure-devops-variable-group-not-loading", "publisher": { "@type": "Organization", "name": "FixWikiHub", "url": "https://www.fixwikihub.com" }, "author": { "@type": "Person", "name": "FixWikiHub Editorial Team" }, "datePublished": "2026-04-02T18:22:14.806Z", "dateModified": "2026-04-02T18:22:14.806Z" } </script>