I'm trying to add a release to VSTS. Our VSTS is backed by Azure AD and I have logged in with the account that is the admin of the Azure subscription to which I want to deploy the release. I can see the Azure subscription in the dropdown but when I click Authorize I get the following error popup.
The reason is that the authentication pop-up window has been blocked, turn pop-up blocker off or change another browser and try again.
Change security and privacy settings for Internet Explorer 11
On the other hand, you also can manual configure the azure service endpoint, refer to this article below (manual configuration section)
Automating Azure Resource Group deployment using a Service Principal in Visual Studio Online: Build/Release Management
Related
I am able to create a new Azure App Service on my Azure subscription from VS code. If I then try to deploy my python web application to the App Service that I just created I get a "401 - Unauthorized: Access" error. If I logon to the Azure portal I can view my newly created App Service. I can see on the Access Control page that I am listed as a contributor. I am not sure why I can not deploy my code or view files. Does anyone have suggestions as to security settings to check? I need to be able to deploy my code. Thank you.
#Kachopsticks, Apologies! If my response is to too late. To benefit the community, sharing the steps that could help isolate such issues:
There is a way to disable basic auth access to the WebDeploy port and SCM site with basicPublishingCredentialsPolicies, see if this is the case.
basicPublishingCredentialsPolicies --parent sites/ --set properties.allow=false
https://learn.microsoft.com/azure/app-service/deploy-configure-credentials?tabs=cli#webdeploy-and-scm
You could re-download the publish profile from Azure portal, and import publish settings in Visual Studio for deployment.
In the Azure portal, open the Azure App Service.
Go to Get publish profile and save the profile locally.
A file with a .publishsettings file extension has been generated in the location where you saved it and you may import that in VS and then attempt to re-deploy.
Additionally, Azure App Service supports two types of credentials for local-Git and FTP/S deployment:
User-level credentials one set of credentials for the entire Azure account.
App-level credentials (one set of credentials for each app. It can be used to deploy to that app only) -. They can't be configured manually, but can be reset anytime. For a user to be granted access to app-level credentials via (RBAC), that user must be contributor or higher on the app (including Website Contributor built-in role). Readers are not allowed to publish, and can't access those credentials.
I am trying to run an Azure Resource Group Deployment task in Azure Pipelines. I have deployed an Azure Pipelines self-hosted agent on an Azure VM running Windows, and in my Azure DevOps organization I have set up an Azure Resource Manager service connection to a VM with a managed service identity.
However, I get the following error when trying to configure my Azure Resource Group Deployment task with my service connection with managed identity:
GetUserAccessToken: Failed to obtain an access token of identity . AAD returned silent failure.
Screenshot:
I have already verified that I granted access (Contributor) to the VM's managed identity to the target resource group:
The service connection is also scoped to the Azure subscription:
Any help on diagnosing this issue is appreciated. Thanks!
Failed to obtain an access token typically occur when your session has expired.
To resolve these issues:
Sign out of Azure Pipelines or TFS.
Open an InPrivate or incognito browser window and navigate to https://visualstudio.microsoft.com/team-services/.
If you are prompted to sign out, do so.
Sign in using the appropriate credentials.
Choose the organization you want to use from the list.
Select the project you want to add the service connection to.
Create the service connection you need by opening the Settings page. Then, select Services > New service connection > Azure Resource Manager.
Refer to:
https://learn.microsoft.com/en-us/azure/devops/pipelines/release/azure-rm-endpoint?view=azure-devops#sessionexpired
In case this is useful to anyone else, I had a similar issue when modifying service connections through Azure DevOps. The solution provided by Charlie Brown pointed me in the right direction: The user in AAD isn't automatically added to the Azure DevOps Enterprise Application, so if you run into this it may mean that you need to add the user or group that's trying to access it through DevOps.
In my case I just added myself as and owner and user through the Azure Portal -> Azure Active Directory -> Enterprise Applications -> Azure DevOps.
I didn't have to create another user, nor modify anything with MFA.
It appears that the issue comes about because it is the user account authenticated to Azure DevOps that is retrieving subscription information. Azure DevOps is not using the managed identity to retrieve the subscription information.
In particular, my original Azure DevOps user account had MFA turned on to authenticate to an Azure subscription (e.g. portal.azure.com), but did not have MFA turned on to authenticate to Azure DevOps (e.g. dev.azure.com/). I think that this was causing the issue when failing to get an access token:
I created a different user account in my Azure AD, gave it access to my Azure DevOps organization, and made sure that this new user account had Reader permissions over the target subscription and did not have MFA turned on. This resolved the issue of getting subscription info when using managed identity:
My scenario getting this error was adding a Service Connection to a Management Group in Azure DevOps
GetUserAccessToken: Failed to obtain an access token of identity
{{GUID}}. AAD returned silent failure.
Fix for me was adding my account as a Project Collection Admin in DevOps... details below:
Tried every permission possible ... GA, ROOT Mgmt Group Owner (via AAD setting), target Mgmt Group Owner, Subscription Owner, App Administrator... In devops i am a project admin and i have Admin security role in service connections.
Interesting diff i have here, my Azure AD home tenant is different from my Azure Subscription AD tenant (i am a B2B Guest).
I actually tried to use a different DevOps tenant that has an AAD tied to the Azure Subscription tenant and it WORKED :( This lead me to diving further into what is different. Aside from the DevOps->AAD link, I am also COLLECTION admin on the working one, and only a project admin on the failing one. I made sure I had Management Group Owner rights and then added my account as a Project Collection Admin - WORKED!
Ref: https://developercommunity.visualstudio.com/solutions/1246044/view.html
I have an ASP.NET MVC application and want to deploy it to Azure cloud service.
I have added Azure cloud service deployment task and trying to configure the subscription details using "New button". There are two fields which ask for user name and password. So I entered my credentials that I use to login to portal.azure.com. But I get an error during release process. Can you please help if I am missing anything?
2018-02-14T22:43:28.0976940Z ##[command]Import-Module -Name C:\Program Files\WindowsPowerShell\Modules\AzureRM.Profile\2.1.0\AzureRM.Profile.psm1 -Global
2018-02-14T22:43:28.1499971Z ##[command]Add-AzureAccount -Credential System.Management.Automation.PSCredential
2018-02-14T22:43:31.8827701Z ##[error]AADSTS50079: The user is required to use multi-factor authentication.
The Azure classic portal has been retired, so you need to use the new portal and add Azure Resource Manager (Azure RM) service endpoint).
The simple way to add Azure RM service endpoint:
Create a new build definition
Add Azure App Service Deploy task, select the item in Available Azure subscription
Click Authorize button
After that, it will add related service endpoint to your team project.
Another way is that, you can refer to this blog to add service endpoint:
Connect your Azure subscriptions to VSTS in 3 clicks
You can create a set of deployment credentials that's different from your microsoft account's credentials.
Everything is pretty well explained here:
When you log into Microsoft Azure you are logging in with a Microsoft Account. This account lets you add, modify, and remove
resources within your Azure subscription. Some Azure resources such
as Websites and Mobile Services require a separate deployment
credential to publish code. This separate deployment credential can
be confusing and I wanted to document a few key points:
The username you choose for the deployment credential must be unique
across all Azure subscribers.
The deployment credential you create is
tied to your Microsoft account and is the same credential for all
Azure resources which require a deployment credential.
You do not
want to share your deployment credential. Again, this credential has
access to publish code to all Websites and Mobile Services that your
Microsoft account can administer
We have a Visual Studio Team Services instance that is used by the company I work for.
The company has an Azure instance. As far as I am aware there is no connection to VSTS.
When I was added to VSTS as a Visual Studio Pro level user some months ago we had to use my Microsoft Account as we couldn't use my work identity because my MSDN subscription is linked to my Microsoft Account as we could not link it to my work identity; apparently this was because we use Office365 in the office.
We now have problems adding Basic Users to VSTS. I enter the users Microsoft Account identity and I am told "No Identities Found".
I looked at VSTS Settings where I can see "This account is backed by the Default Directory Azure Active Directory."
I can also see an "Azure Subscription ID". When I follow the Subscription ID link I end up at my Microsoft Account Azure instance.
I had other users log in to VSTS and they too are seeing my Azure Subscription ID in VSTS Settings.
Why is this happening?
How do Azure instances/accounts relate to VSTS instances/accounts
Can I break the link between Azure and VSTS
You can link your VSTS account to the azure from your azure portal:
Azure - VSTS service
Then, what we do is to add the users to the Azure active directories. As far as I know, these users must be registered in Microsoft.
Once it's done, you can add the users to the VSTS.
Hope it helps you.
The Team Services uses an Azure subscription to bill purchases and can control access with Azure AD.
You can unlink your VSTS account from Azure portal. More information, you can refer to this article: Delete or recover Visual Studio Team Services account
I am an idiot.
Turns out the company VSTS was linking to the company Azure.
I became confused when clicking the Manage button in VSTS | Azure Subscription ID.
That took me to the Sign in to Azure page and displayed my login, which takes me my Azure.
It was only when we checked the Azure Subscription ID in VSTS against my Azure Subscription ID that it became apparent I was following a red herring. The ID matched the companies Azure ID. So I can use that to add users and subsequently add them to VSTS.
I am having an issue while deploying an Azure web role to a cloud service. It shows me the error
Cloud services are not available in this subscription.
I am using a pay as you go subscription on Azure. I don't know if there is any limitation with this subscription for cloud service deployment or not.
.
Updated version of JerryGoyal's solution.
Cloud Service Management will have to be done using the new Azure Portal, because Cloud Service Management in the old portal will be disabled as of 11/15/2017.
Log into the new Azure Portal.
Go to the Subscriptions View.
Set your account as a Co-Admin. Microsoft Documentation.
I think the issue you're running into is that the Cloud Service Publish Wizard in VS only supports subscriptions in which you are an admin or co-admin granted via via the old portal (manage.windowsazure.com). If you've been given access via RBAC or the new portal, then VS will not see the resources under those subscriptions.
To work around it, you can build the package using msbuild.exe and then upload it via the portal.
That help?
Cloud services are not available in this subscription
The error is caused because the Cloud Services still use the old deployment model that is based on Azure Service Management (ASM).
To deploy an ASM based component to Azure you need to be ‘co-admin’ for the subscription.
Right now you are ‘Owner’ on the new portal but this role only has impact on the new ARM based resources.
So, just ask your subscription admin to login to the old portal (https://manage.windowsazure.com) and make you co-administrator:
Login to the old portal
Click on Settings –> Administrators
Click on the Add button at the bottom
Enter the co-admin email address and click on the OK button.
After this reload your Visual Studio and the problem will be solved.