Troubleshoot Azure Resource Manager service connections

VSTS | TFS 2018 | TFS 2017 | TFS 2015

Note

Build and release pipelines are called definitions in TFS 2018 and in older versions. Service connections are called service endpoints in TFS 2018 and in older versions.

This topic will help you resolve issues you may encounter when creating a connection to Microsoft Azure using an Azure Resource Manager service connection for your DevOps CI/CD processes.

What happens when you create a Resource Manager service connection?

You open the Add Azure Resource Manager service connection dialog, provide a connection name, and select a subscription from the drop-down list of your subscriptions.

The Add Azure Resource Manager service connection dialog

When you choose OK, the system:

  1. Connects to the Azure Active Directory (AAD) tenant for the selected subscription
  2. Creates an application in AAD on behalf of the user
  3. After the application has been successfully created, assigns the application as a contributor to the selected subscription
  4. Creates an Azure Resource Manager service connection using this application's details

How to troubleshoot errors that may occur

Errors that may occur when the system attempts to create the service connection include:

Insufficient privileges to complete the operation

This typically occurs when the system attempts to create an application in AAD on your behalf.

Insufficient privileges to complete the operation error

This is a permission issue that may be due to the following causes:

The user has only guest permission in the directory

The best approach to resolve this issue, while granting only the minimum additional permissions to the user, is to increase the Guest user permissions as follows:

  1. Sign in to the Azure portal at https://portal.azure.com using an administrator account. The account should be an owner, global administrator, or user account administrator.

  2. Choose Azure Active Directory in the left navigation bar.

  3. Ensure you are editing the appropriate directory corresponding to the user subscription. If not, select Switch directory and log in using the appropriate credentials if required.

  4. In the MANAGE section choose Users.

  5. Choose User settings.

  6. In the External users section, change "Guest user permissions are limited" to No.

Alternatively, if you are prepared to give the user additional (administrator-level) permissions, you can make the user a member of the Global administrator role as follows:

  1. Sign in to the Azure portal at https://portal.azure.com using an administrator account. The account should be an owner, global administrator, or user account administrator.

  2. Choose Azure Active Directory in the left navigation bar.

  3. Ensure you are editing the appropriate directory corresponding to the user subscription. If not, select Switch directory and log in using the appropriate credentials if required.

  4. In the MANAGE section choose Users.

  5. Use the search box to filter the list and then choose the user you want to manage.

  6. In the MANAGE section choose Directory role and change the role to Global administrator.

  7. Save the change.

It typically takes 15 to 20 minutes to apply the changes globally. After this period has elapsed, the user can retry creating the service connection.

The user is not authorized to add applications in the directory

You must have permission to add integrated applications in the directory. The directory administrator has permission to change this setting, as follows:

  1. Choose Azure Active Directory in the left navigation bar.

  2. Ensure you are editing the appropriate directory corresponding to the user subscription. If not, select Switch directory and log in using the appropriate credentials if required.

  3. In the MANAGE section choose Users.

  4. Choose User settings.

  5. In the App registrations section, change "Users can register applications" to Yes.

Failed to obtain an access token or A valid refresh token was not found

These errors typically occur when your session has expired.

Errors when the user's session has expired

To resolve these issues:

  • Sign out of VSTS or TFS.
  • Open an InPrivate or incognito browser window and navigate to https://visualstudio.microsoft.com/team-services/.
  • If you are prompted to sign out, do so.
  • Sign in using the appropriate credentials.
  • Choose the organization you want to use from the list.
  • Select the project you want to add the service connection to.
  • Create the service connection you need by opening the Settings page, selecting the Services tab, choosing New service connection, and selecting Azure Resource Manager.

Failed to assign Contributor role

This error typically occurs when you do not have Write permission for the selected Azure subscription when the system attempts to assign the Contributor role.

Failed to assign Contributor role error

To resolve this issue, ask the subscription administrator to configure your identity in an Admin Access role.
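The permission causes above can be checked before anyone is granted a broader role. The following is an added example, not part of the original topic or of any Microsoft tooling: a pre-flight check that reports which of these errors a user would hit. It assumes the inputs are exported as JSON from the Microsoft Graph user and authorizationPolicy resources and from `az role assignment list`; the function name and all sample values are constructed.

```python
# Added example. Inputs mirror Microsoft Graph (user, authorizationPolicy) and
# `az role assignment list` JSON; every sample value below is constructed.
GUEST_SAME_AS_MEMBER = "a0b1b346-4d3e-4e8b-98f8-753987be4970"  # Graph "User" role template
CAN_ASSIGN_ROLES = {"Owner", "User Access Administrator"}  # can write role assignments
PRIV = "Insufficient privileges to complete the operation"
ROLE = "Failed to assign Contributor role"


def diagnose(user, auth_policy, directory_roles, role_assignments, subscription_id):
    """Return (error, cause) pairs for every blocker found, in the page's order."""
    findings = []
    is_global_admin = any(r.lower() == "global administrator" for r in directory_roles)
    if not is_global_admin:
        limited = auth_policy.get("guestUserRoleId") != GUEST_SAME_AS_MEMBER
        if user.get("userType") == "Guest" and limited:
            findings.append((PRIV, "guest user and guest permissions are limited"))
        perms = auth_policy.get("defaultUserRolePermissions", {})
        if not perms.get("allowedToCreateApps", False):
            findings.append((PRIV, "users cannot register applications"))
    # Only assignments at the subscription itself or the root scope are counted;
    # management-group scopes are not resolved here.
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    can_assign = any(
        ra.get("principalId") == user.get("id")
        and ra.get("roleDefinitionName") in CAN_ASSIGN_ROLES
        and ra.get("scope", "").lower() in (sub_scope, "/")
        for ra in role_assignments
    )
    if not can_assign:
        findings.append((ROLE, "no subscription-level role that can assign roles"))
    return findings


if __name__ == "__main__":
    SUB = "00000000-0000-0000-0000-000000000001"  # constructed subscription id
    guest = {"id": "u-guest", "userType": "Guest"}
    policy = {"guestUserRoleId": "10dae51f-b6af-4016-8d66-8c2a99b929b3",  # limited guest
              "defaultUserRolePermissions": {"allowedToCreateApps": True}}
    assignments = [{"principalId": "u-guest", "roleDefinitionName": "Contributor",
                    "scope": f"/subscriptions/{SUB}"}]
    for error, cause in diagnose(guest, policy, [], assignments, SUB):
        print(f"{error}: {cause}")
```

An empty result means none of the three permission causes applies, so a remaining failure is more likely the expired-session case.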

Help and support