13
votes

I am currently trying to deploy an app from a Release Pipeline under Azure DevOps owned by Company A to an Azure App hosted on Azure owned by Company B.

I keep on getting this error when attempting to release stop the Azure App:

Error: Failed to get resource ID for resource type 'Microsoft.Web/Sites' and resource name 'AppName'. Error: Could not fetch access token for Managed Service Principal. Please configure Managed Service Identity (MSI) for virtual machine 'https://aka.ms/azure-msi-docs'. Status code: 400, status message: Bad Request

I am at a loss on how to solve this.

What has been done so far:

  • Web App is created in Azure of Company B
  • User from DevOps Company A Account is added as Guest User in Company Azure AD
  • User has Contributor rights on the Web App
  • Managed Service Identity is set to "On" on Web App
  • The subscription of Company B and Web Apps can be seen and selected when setting up the release in Azure DevOps.

I am quite sure that more needs to be in order for the release deployment to work, but after an intensive search, I was not able to find anything.

Hope anyone here can advise.

2 Answers

8
votes

Managed to find the solution to the problem I encountered. It was related to the access rights of the guest account on the Azure subscription.

First of all, "Managed Service Identity" was not related to this issue.

These are the steps that were followed to connect the Azure DevOps of Company A to the Azure of Company B:

  • Created Web App in Company B Azure
  • The Azure DevOps account from Company A was added as a "Guest User" in the Azure of Company B
  • The DevOps account is given Contributor rights on both the Azure subscription and the Web App.
  • In Company A's DevOps, add an "Azure Resource Manager". Choose the settings of Company B's Azure as "Service Principal Authentication"
  • Upon saving Azure Resource Manager, you will be prompted to log in. You will need to log in with the admin account of Company B's Azure.

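
As an added example (not part of the original answer), the following Python checks at which scopes the guest account holds Contributor, which is the difference between the question's setup (Web App only) and the answer's (subscription and Web App). The JSON is constructed sample data shaped like `az role assignment list` output; the principal names, subscription ID and resource group are placeholders.

```python
import json

# Constructed sample shaped like `az role assignment list -o json` output.
# Subscription ID, resource group and principal names are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
APP = SUB + "/resourceGroups/rg-web/providers/Microsoft.Web/sites/AppName"
GUEST = "devops_companya.example#EXT#@companyb.example"
SAMPLE = json.dumps([
    {"principalName": GUEST, "roleDefinitionName": "Contributor", "scope": APP},
    {"principalName": "admin@companyb.example",
     "roleDefinitionName": "Owner", "scope": SUB},
])


def covers(assigned_scope, target_scope):
    """An RBAC assignment applies to its own scope and everything beneath it."""
    a = assigned_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    # Require a path-segment boundary so ".../AppName" does not cover ".../AppName2".
    return t == a or t.startswith(a + "/")


def roles_at(assignments, principal, target_scope):
    """Role names the principal effectively holds at target_scope."""
    return sorted({
        a["roleDefinitionName"] for a in assignments
        if a["principalName"].lower() == principal.lower()
        and covers(a["scope"], target_scope)
    })


def check_guest(assignments, principal, sub_scope, app_scope, role="Contributor"):
    """Report whether the role is effective at the two scopes the answer lists."""
    return {
        "subscription": role in roles_at(assignments, principal, sub_scope),
        "web_app": role in roles_at(assignments, principal, app_scope),
    }


if __name__ == "__main__":
    before = json.loads(SAMPLE)
    print("question's setup:", check_guest(before, GUEST, SUB, APP))
    after = before + [{"principalName": GUEST,
                       "roleDefinitionName": "Contributor", "scope": SUB}]
    print("answer's setup:  ", check_guest(after, GUEST, SUB, APP))
```

Because Azure RBAC assignments are inherited by child scopes, a Contributor assignment at the subscription already covers the Web App, and every other resource in that subscription as well.
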
0
votes

I had this problem, and it was an MSI issue but not resolved by creating a VM as is suggested elsewhere on the internet. In my case, I had reset the MSI ID of the app service, which broke the service connection in DevOps (though DevOps didn't tell me this -_-).

It was resolved by removing and re-adding the service connection in DevOps, and re-selecting it in the release pipeline settings.