Azure DevOps service connection expired and cannot edit/renew - azure

I have a Service Connection which is being used for Pipelines in Azure DevOps. It was created by another user some time ago. Recently it expired and would not allow me to change the username it was associated with. So I deleted that Service Connection and created a new one, and it took me a lot of time to modify each Pipeline where it was being used.
I have two questions.
Is it possible to change the creator name of the Service Connection?
If not, is there any other way to reuse an existing Service Connection after its secret expires?
Thanks in advance.

I just got stuck in the same position trying to manually update the connection with a new client secret. Here's what worked for me:
1. From the DevOps Service Connection, click Manage Service Principal.
2. Then on the service principal, go to Certificates & Secrets.
3. Create a "New Client Secret".
4. Delete the expired secret.
5. Return to the DevOps Service Connection.
6. Click Edit, then click the Verify button. It should tell you the client certificate has expired.
7. Now you need to make a meaningless change and save it. I just type a character into the optional description and save.
8. Now edit again and click Verify; it will now pick up the new client secret and all is happy. Just go delete the meaningless character you typed into the description and click Save.

When defining a service connection you can pick any name you want. So in your case you can reuse the old name to minimize your work.
If you have already defined the service connection, you can change its name using the REST API:
PUT https://dev.azure.com/{organization}/{project}/_apis/serviceendpoint/endpoints/{endpointId}?api-version=5.1-preview.2
You can also edit it from the portal.
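The two answers above rotate the secret by hand and point at the serviceendpoint PUT route. The script below, an added example that is not code from this thread, does the same rotation without deleting the connection: it GETs the endpoint definition, puts the new client secret (and optionally a new name) into it and PUTs it back at the route quoted above. It assumes a manually configured ServicePrincipal connection with a client secret, a PAT with the "Service Connections (read, query & manage)" scope in AZDO_PAT, a secret already added to the app registration (for example with `az ad app credential reset --id <appId> --append`) in NEW_CLIENT_SECRET, and the endpoint id taken from the service connection's URL. The `authenticationType` parameter name is an assumption about the AzureRM endpoint schema.

```python
"""Rotate the client secret of an Azure DevOps service connection in place.

Added example for this thread (not the original posters' code). Assumptions:
  * the connection uses the manual "ServicePrincipal" scheme with a client secret;
  * AZDO_PAT holds a PAT with the "Service Connections (read, query & manage)" scope;
  * NEW_CLIENT_SECRET holds a secret already added to the app registration
    (e.g. `az ad app credential reset --id <appId> --append`);
  * the endpoint id is the GUID shown in the service connection's URL.
Nothing here deletes the connection, so pipelines keep their reference to it.
"""
import base64
import copy
import json
import os
import sys
import urllib.request
from typing import Optional

API_VERSION = "5.1-preview.2"  # same project-scoped route quoted in the answer above


def endpoint_url(organization: str, project: str, endpoint_id: str) -> str:
    """Project-scoped serviceendpoint route used for both GET and PUT."""
    return (
        f"https://dev.azure.com/{organization}/{project}/_apis/serviceendpoint/"
        f"endpoints/{endpoint_id}?api-version={API_VERSION}"
    )


def pat_header(pat: str) -> str:
    """Azure DevOps takes a PAT as the password of HTTP Basic auth with an empty user name."""
    return "Basic " + base64.b64encode(f":{pat}".encode()).decode()


def rotated_body(endpoint: dict, new_secret: str, new_name: Optional[str] = None) -> dict:
    """Build the PUT body from the GET response, swapping in the new secret.

    The GET response omits secret-valued parameters, so the PUT must carry the
    new key explicitly; every other field is sent back unchanged.
    """
    body = copy.deepcopy(endpoint)  # never mutate the caller's copy
    auth = body.get("authorization") or {}
    if auth.get("scheme") != "ServicePrincipal":
        raise ValueError(f"expected scheme ServicePrincipal, got {auth.get('scheme')!r}")
    params = auth.setdefault("parameters", {})
    # Assumed field: AzureRM marks certificate-based SPNs as "spnCertificate"; refuse those,
    # because a client secret cannot replace a certificate credential.
    if params.get("authenticationType", "spnKey") != "spnKey":
        raise ValueError("connection does not authenticate with a client secret")
    params["serviceprincipalkey"] = new_secret
    if new_name:
        body["name"] = new_name  # renaming is optional
    return body


def _call(method: str, url: str, pat: str, body: Optional[dict] = None) -> dict:
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", pat_header(pat))
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def rotate(organization: str, project: str, endpoint_id: str, pat: str,
           new_secret: str, new_name: Optional[str] = None) -> dict:
    """GET the connection, PUT it back with the new secret; return the server's view of it."""
    url = endpoint_url(organization, project, endpoint_id)
    current = _call("GET", url, pat)
    return _call("PUT", url, pat, rotated_body(current, new_secret, new_name))


if __name__ == "__main__":
    # usage: AZDO_PAT=... NEW_CLIENT_SECRET=... python rotate_sc.py <org> <project> <endpointId> [newName]
    org, project, endpoint_id = sys.argv[1:4]
    new_name = sys.argv[4] if len(sys.argv) > 4 else None
    result = rotate(org, project, endpoint_id, os.environ["AZDO_PAT"],
                    os.environ["NEW_CLIENT_SECRET"], new_name)
    print(f"updated {result['name']} ({result['id']})")
```

After the PUT, run Verify in the portal (or trigger a pipeline) to confirm the new secret works, then delete the expired secret from the app registration; keeping both for a short overlap avoids breaking runs that are in flight.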

Assuming you are using the automatic authentication method: a service connection configured with automatic authentication doesn't allow updating the connection name or other information. You could try the manual authentication method or a managed identity.

I had a similar issue that I couldn't edit an Azure RM Service Connection that had an expired client credential. However, turning off "New service connections experience" in the Preview features blade made it possible to update using the old service connection dialog.

Related

Receiving an InvalidAuthorizationTokenTenant error when triggering a Logic App on Azure even with one account?

Currently, I am trying to run a trigger on a Logic App on Microsoft Azure, but every time I try, I receive an InvalidAuthorizationTokenTenant error. Let me explain.
So I have a Virtual Machine on Microsoft Azure called StaticReportingVM that runs a service automatically when it is turned on. I am trying to automate the process of turning the machine on and off using a Logic App called startVM. The logic design is below: it has a recurrence task that checks the time of year it is (the task should run at the beginning of every month), it tells the machine to turn on, and notifies me through my personal email whether or not the task has succeeded.
startVM design
startVM parameters
The parameters are correct for my machine and my subscription. However, every time I run the trigger, I get the following error:
{
"error": {
"code": "InvalidAuthenticationTokenTenant",
"message": "The access token is from the wrong issuer 'https://sts.windows.net/xxxxxxx-xxxxxxx-xxxxxxx/'. It must match the tenant 'https://sts.windows.net/yyyyy-yyyyy-yyyyyy/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/yyyyy-yyyyy-yyyyyy' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."
}
}
Note that xxxxx-xxxxx-xxxxx is different from yyyyy-yyyyy-yyyyy and the two yyyyy-yyyyy-yyyyys are the same. (Not sure if this helps answer my question but I just want to cover more bases!)
Below is a (poorly edited) image of the connections I have set for the Logic App to work, where the email above is the email registered with my Azure account and the Office 365 email is my personal email to notify me of whether or not the trigger has worked.
startVM connections
I have a few questions about this: why am I getting an InvalidAuthenticationTokenTenant error even though I only am using the one subscription? Is it possible I have multiple tenants under this account and if so how can I delete those tenants? How can I bypass the error and get the logic app working?
P.S. This is my first stackoverflow question so I'm sorry if I am missing any critical details! Any and all feedback is appreciated.
• The way you are trying to trigger a logic app on Microsoft Azure VM for starting a recurrence task and notify you through the personal email address is incorrect. You should create a managed identity for the logic app through which the trigger is configured. Once configured, then assign a new role to the logic app’s managed identity through the VM’s IAM (Identity and Access Management) blade. Once done, then update the ‘Start the Virtual Machine’ task in the logic app to connect using the managed identity created for the logic app.
In this way, your issue should get resolved and you should not receive any error regarding the ‘Tenant token authentication’. Also, you are getting this error because, when you are configuring the ‘StartVM parameters’, the tenant ID is not asked for; rather only the ‘subscription ID’ and the ‘resourceGroup’ are asked for. Thus, if you have at least ‘Contributor’ role access in more than one tenant linked to each other, the default tenant ID and the tenant in which your VM is deployed will be different, and hence the conflicting error you are facing.
• Please find the below snapshot of the configuration for including the managed identity in your logic app design: -
Thus, once you give managed identity of a VM as the connection in the logic app ‘Start VM’ action, the logic app ‘Start VM’ trigger will use the managed identity’s assigned role to the VM as authorization to start the VM and hence the tenant token issue will get resolved.
For more information and clarification on this, kindly refer to the below link: -
https://learn.microsoft.com/en-us/azure/azure-functions/start-stop-vms/deploy#enable-multiple-subscriptions
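The answer above attributes the error to a token minted in one tenant being presented to a subscription that lives in another. The diagnostic below is an added example, not the answerer's code: it pulls both tenant IDs out of the ARM error body posted in the question and compares them with the `tid` claim of the bearer token the caller actually sent (for instance the output of `az account get-access-token --resource https://management.azure.com/`). The token is only decoded, never validated, so this is for troubleshooting only; the sample error body and the unsigned test token are constructed here.

```python
"""Diagnose InvalidAuthenticationTokenTenant: which tenant issued the token vs. which one ARM expects.

Added example for this thread (not the answerer's code). Assumes you have the ARM
error body (shape as posted in the question) and the bearer token that was sent.
Tokens are decoded without signature verification: diagnostic use only.
"""
import base64
import json
import re
from typing import Optional


def parse_tenant_error(error_body: str) -> Optional[dict]:
    """Return {"token_tenant", "expected_tenant"} from the error, or None for other error codes."""
    err = json.loads(error_body).get("error", {})
    if err.get("code") != "InvalidAuthenticationTokenTenant":
        return None
    m = re.search(
        r"wrong issuer 'https://sts\.windows\.net/([^/']+)/'.*?"
        r"must match the tenant 'https://sts\.windows\.net/([^/']+)/'",
        err.get("message", ""),
        re.S,
    )
    if not m:
        raise ValueError("InvalidAuthenticationTokenTenant message without both tenant URLs")
    return {"token_tenant": m.group(1), "expected_tenant": m.group(2)}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt: str) -> dict:
    """Payload claims of a compact JWT, read without verifying the signature."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_unb64url(parts[1]))


def make_unsigned_token(claims: dict) -> str:
    """Constructed test token (alg none, empty signature) so the example runs offline."""
    header = {"alg": "none", "typ": "JWT"}
    return _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode()) + "."


def explain(jwt: str, error_body: str) -> str:
    """Human-readable verdict combining the error body and the token's tid claim."""
    info = parse_tenant_error(error_body)
    if info is None:
        return "not a tenant mismatch"
    claims = token_claims(jwt)
    tid = claims.get("tid")
    who = claims.get("upn") or claims.get("appid") or claims.get("oid") or "?"
    if tid == info["expected_tenant"]:
        return f"token already from tenant {tid}; if the subscription was just transferred, wait for propagation"
    return (f"token for {who} was issued by tenant {tid}, but the subscription belongs to tenant "
            f"{info['expected_tenant']}; request the token from "
            f"https://login.windows.net/{info['expected_tenant']} or use a managed identity there")


# Constructed sample in the shape of the error quoted in the question (tenant IDs are placeholders).
SAMPLE_ERROR = json.dumps({"error": {
    "code": "InvalidAuthenticationTokenTenant",
    "message": "The access token is from the wrong issuer "
               "'https://sts.windows.net/11111111-1111-1111-1111-111111111111/'. It must match the tenant "
               "'https://sts.windows.net/22222222-2222-2222-2222-222222222222/' associated with this subscription. "
               "Please use the authority (URL) 'https://login.windows.net/22222222-2222-2222-2222-222222222222' "
               "to get the token.",
}})

if __name__ == "__main__":
    tok = make_unsigned_token({"tid": "11111111-1111-1111-1111-111111111111", "upn": "me@example.com"})
    print(explain(tok, SAMPLE_ERROR))
```

A managed identity, as the answer recommends, sidesteps the problem because its token is always issued by the tenant the resource lives in; the decoder here is for the interactive-connection case where the signed-in account's home tenant is not the subscription's tenant.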

Problems publishing an ASP.NET Core 3.1 project to Azure: getting the message "Your account is at risk"

I am trying to publish a project from Visual Studio 2019 (fully updated) to azure. But when I try to login I get the message:
Your account is at risk
To help you—and only you—get back into . I verify my account by sms message and enter the old and new email address. But then again when I try to login it again wants me to verify.
At the same time, the email works when I go into the Azure portal, and I also managed to deploy a Microsoft SQL database into Azure SQL (though initially I had to add the IP address in the firewall on Azure). Also I updated the location of the user to Thailand (where I am), in case the system matches the IP address to the location.
Other things I have in place are, for example, the resource group. And I also tried to create an app in the Azure portal and then publish it to this, but the issue is that I can't log in from Visual Studio.
Any suggestions on how I can publish a project to Azure?
------- UPDATE --------------
Still in the loop of login, verify, new password and login again. The screen I get is like this:
The following screens are:
enter code send by sms
Enter old and new password
Login
-. And back at the verify screen again.
Any suggestions.
Based on the suggestion below I also removed some of the credentials in the credential manager (those that I thought might have to do with this issue).
One possibility is that there is an old version of your password stored in Credential Manager.
When you try to log in via Visual Studio it fails because the password is incorrect. Trying to log in with the incorrect password also causes the account to lock, requiring you to verify with SMS.
If this is an Azure WebApp, your best bet is to download the publish profile and use it in your Visual Studio, this way you'll be able to publish your app.

Cannot change authentication account on Logic Apps

I am trying to build a logic app to email results of a devops query on a regular basis. When I use the 'Get query results' block in logic apps, I am unable to authenticate with my primary email address. Instead Logic Apps keeps picking up my alias email address when I try to change connection. No sign in screen is displayed so I assume my credentials are cached somewhere.
Any ideas on how I can change the account I use to login with?
Update
Trying to add a new connector using 'add new'
No option to sign in. Defaults to .uk account rather than using .co.uk account that I am signed into through Azure.
Under API Connections you can find any connections the Logic App is using. Click a connection to be able to edit or delete it.
EDIT:
If you would like to use another email address instead of the current one, delete the connection and create a new one from the Logic Apps designer.

Azure SSL certificate shows Guest User Error

I have purchased an SSL cert for my site and the cert has three steps you need to do in order to have it fully configured. The first step is "Key Vault Status" which I then click on and it shows the following error:
You do not have permission to get the service principal information needed to assign a Key Vault to your certificate. Please login with an account which is either the owner of the subscription or an admin of the Active Directory to configure Key Vault settings.
This is very confusing because I am the owner of this subscription and I also went and created a new Key Vault just in case it was due to not having one created in the first place. In addition I checked the Access Control for this cert and I am also listed as Owner.
Any help is appreciated.
Ok, so I finally got to the bottom of it - I'll outline the story here as this was the solution but may not work for everyone.
When I first created my Azure account I did so under email address 1
A few years later I had migrated most of my email to email address 2. To get status updates and other things I transferred the subscription to email address 2.
Every other service has worked fine except for this SSL issue, as well as not being able to buy a support plan (it popped open an email app to send to email address 1).
In speaking with the AzureSupport twitter account they agreed that it was strange and arranged for a one time ticket for support.
The support agent asked me to check my Access Policies for the Key Vault I had created. This showed that email 1 is indeed a user in the Azure Active Directory, and they mentioned that I'd need to have the admin add it. Since I had noticed the irregularities with email address 1 showing up in the URL and in the email for adding support, I logged into Azure using email address 1 and went to Azure Active Directory->Users under that account.
I then selected the guest account, selected Directory Role, and added a new role of Application Administrator. Now all of it is working as expected!
My subscription was attached to my employer's Active Directory and I couldn't change my role in it.
I solved this problem by creating my own Active Directory and moving the subscription to this AD.

Has creating a linked service in Data Factory changed? There are no longer two options of connection string and Key Vault

I created a linked service in Data Factory using the Key Vault option some months ago. I wanted to create a new linked service some days ago and found that the UI for linked service creation has changed!
Previously, based on this article https://learn.microsoft.com/en-us/azure/data-factory/store-credentials-in-key-vault#azure-key-vault-linked-service, there were two options: 1. connection string (needed DB name, server name, username and password for the DB) 2. Key Vault (just needed the secret name and Key Vault connection).
Now those two options have been changed to 1. password 2. Key Vault, and the weird part is that in both options the DB name, username and password are mandatory! This is not acceptable, because the point of using Key Vault is not to share DB properties with developers and to share just the secret name.
Does someone have any opinion about it??
You can edit the JSON code of the linked service to make it reference the connection string.
Here's the format; then click the Finish button and it will be published.
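The answer above says to edit the linked service JSON so the whole connection string is a Key Vault reference. The snippet below is an added example, not the answerer's code: it builds that definition next to the "password only in Key Vault" form the new UI produces, and lists which typeProperties stay in plain text in each, which is exactly the difference the question is about. The JSON shape follows the Microsoft doc linked in the question; the names `AzureSqlDbFromKv`, `KeyVaultLs`, `sql-connection-string` and the server/database/user values are placeholders.

```python
"""Two ways to wire Azure SQL credentials from Key Vault into a Data Factory linked service.

Added example for this thread (not the answerer's code). Shapes follow the
"store credentials in Key Vault" doc linked in the question; all names are placeholders.
"""
import json
from typing import Optional


def key_vault_secret(secret_name: str, key_vault_ls: str, secret_version: Optional[str] = None) -> dict:
    """AzureKeyVaultSecret reference resolved at runtime through the Key Vault linked service."""
    ref = {
        "type": "AzureKeyVaultSecret",
        "store": {"referenceName": key_vault_ls, "type": "LinkedServiceReference"},
        "secretName": secret_name,
    }
    if secret_version:  # omit to always take the current version of the secret
        ref["secretVersion"] = secret_version
    return ref


def sql_linked_service_from_key_vault(name: str, key_vault_ls: str, secret_name: str) -> dict:
    """Whole connection string lives in Key Vault: developers see only the secret name."""
    return {
        "name": name,
        "properties": {
            "type": "AzureSqlDatabase",
            "typeProperties": {"connectionString": key_vault_secret(secret_name, key_vault_ls)},
        },
    }


def sql_linked_service_password_in_kv(name: str, key_vault_ls: str, secret_name: str,
                                      server: str, database: str, user: str) -> dict:
    """Only the password is in Key Vault; server, database and user stay in the definition."""
    conn = ("Integrated Security=False;Encrypt=True;Connection Timeout=30;"
            f"Data Source={server};Initial Catalog={database};User ID={user}")
    return {
        "name": name,
        "properties": {
            "type": "AzureSqlDatabase",
            "typeProperties": {
                "connectionString": conn,
                "password": key_vault_secret(secret_name, key_vault_ls),
            },
        },
    }


def plaintext_properties(linked_service: dict) -> list:
    """typeProperties stored as literal values, i.e. visible to anyone who can read the factory."""
    props = linked_service["properties"]["typeProperties"]
    return sorted(k for k, v in props.items()
                  if not (isinstance(v, dict) and v.get("type") == "AzureKeyVaultSecret"))


if __name__ == "__main__":
    full = sql_linked_service_from_key_vault("AzureSqlDbFromKv", "KeyVaultLs", "sql-connection-string")
    partial = sql_linked_service_password_in_kv("AzureSqlDbPw", "KeyVaultLs", "sql-password",
                                                "myserver.database.windows.net", "mydb", "etl_user")
    print(json.dumps(full, indent=2))
    print("plain-text in full-KV form:", plaintext_properties(full))
    print("plain-text in password-only form:", plaintext_properties(partial))
```

Paste the first form into the linked service's code view as the answer describes; the factory's managed identity (or the identity behind the Key Vault linked service) needs Get permission on secrets in that vault for the reference to resolve.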
Yes. It has been changed. Now you only need to put your password into your Azure Key Vault.
Your old linked service will still work. But the new UI will only support password-only Azure Key Vault.
