3
votes

I am trying to run an Azure Resource Group Deployment task in Azure Pipelines. I have deployed an Azure Pipelines self-hosted agent on an Azure VM running Windows, and in my Azure DevOps organization I have set up an Azure Resource Manager service connection to a VM with a managed service identity.

However, I get the following error when trying to configure my Azure Resource Group Deployment task with my service connection with managed identity:

GetUserAccessToken: Failed to obtain an access token of identity . AAD returned silent failure.


I have already verified that I granted the VM's managed identity Contributor access to the target resource group.

The service connection is also scoped to the Azure subscription.

Any help on diagnosing this issue is appreciated. Thanks!
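A diagnostic that separates the two halves of this setup, added here as an example and not taken from the question or any of the answers: it runs on the self-hosted agent VM itself, asks the VM's Instance Metadata Service (IMDS) for an Azure Resource Manager token for the system-assigned managed identity, decodes that token to show which principal AAD actually issued it for, and then lists that principal's role assignments on the target resource group through the ARM REST API. If this succeeds, the managed identity and its RBAC are fine and the failure lies on the Azure DevOps user side instead. `$SubscriptionId` and `$ResourceGroup` are placeholders you replace with your own values.

```powershell
# Added diagnostic, not code from the question or any answer. Run on the agent VM.
$SubscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder: target subscription id
$ResourceGroup  = "my-target-rg"                            # placeholder: target resource group

$ImdsUri = "http://169.254.169.254/metadata/identity/oauth2/token" +
           "?api-version=2018-02-01&resource=https://management.azure.com/"

# 1. Request a token from IMDS. Only code running on the VM can reach this endpoint,
#    and the Metadata header is mandatory (IMDS rejects requests without it so that
#    forwarded/proxied requests cannot obtain a token).
try {
    $tokenResponse = Invoke-RestMethod -Uri $ImdsUri -Method Get -Headers @{ Metadata = "true" }
} catch {
    Write-Error "IMDS token request failed. Is a system-assigned identity enabled on this VM? $_"
    return
}
$accessToken = $tokenResponse.access_token

# 2. Decode the JWT payload (base64url) to read the object id (oid) the token was issued
#    for. No signature check is needed here; we only want to see the identity claims.
function ConvertFrom-JwtPayload {
    param([string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}
$claims = ConvertFrom-JwtPayload -Jwt $accessToken
Write-Host "Token issued for oid=$($claims.oid) appid=$($claims.appid) tenant=$($claims.tid)"

# 3. List role assignments for that principal. With the principalId filter, ARM returns
#    assignments at, above or below the given scope, so inherited ones are included.
$scope  = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup"
$armUri = "https://management.azure.com$scope/providers/Microsoft.Authorization/roleAssignments" +
          "?api-version=2022-04-01&`$filter=principalId eq '$($claims.oid)'"
$assignments = Invoke-RestMethod -Uri $armUri -Headers @{ Authorization = "Bearer $accessToken" }

if (-not $assignments.value) {
    Write-Warning "No role assignments found for principal $($claims.oid) relevant to $scope."
} else {
    # roleDefinitionId ends in the role GUID; the built-in Contributor role is
    # b24988ac-6180-42a0-ab88-20f7382dd24c.
    $assignments.value | ForEach-Object {
        $p = $_.properties
        Write-Host ("Role {0} at scope {1}" -f $p.roleDefinitionId.Split('/')[-1], $p.scope)
    }
}
```

If step 1 fails, the VM has no usable managed identity; if step 3 shows no Contributor assignment on the resource group (or on the subscription above it), the RBAC grant did not land where you think. If both pass, the token Azure DevOps is complaining about is the one it requests for the signed-in user when it enumerates subscriptions, which is where the answers below point.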


4 Answers

2
votes

In case this is useful to anyone else, I had a similar issue when modifying service connections through Azure DevOps. The solution provided by Charlie Brown pointed me in the right direction: The user in AAD isn't automatically added to the Azure DevOps Enterprise Application, so if you run into this it may mean that you need to add the user or group that's trying to access it through DevOps.

In my case I just added myself as an owner and user through the Azure Portal -> Azure Active Directory -> Enterprise Applications -> Azure DevOps.

I didn't have to create another user, nor modify anything with MFA.

1
votes

The error "Failed to obtain an access token" typically occurs when your session has expired.

To resolve these issues:

  1. Sign out of Azure Pipelines or TFS.
  2. Open an InPrivate or incognito browser window and navigate to https://visualstudio.microsoft.com/team-services/.
  3. If you are prompted to sign out, do so.
  4. Sign in using the appropriate credentials.
  5. Choose the organization you want to use from the list.
  6. Select the project you want to add the service connection to.
  7. Create the service connection you need by opening the Settings page. Then, select Services > New service connection > Azure Resource Manager.

Refer to:

https://docs.microsoft.com/en-us/azure/devops/pipelines/release/azure-rm-endpoint?view=azure-devops#sessionexpired

0
votes

It appears that the issue comes about because it is the user account authenticated to Azure DevOps that is retrieving subscription information. Azure DevOps is not using the managed identity to retrieve the subscription information.

In particular, my original Azure DevOps user account had MFA turned on to authenticate to an Azure subscription (e.g. portal.azure.com), but did not have MFA turned on to authenticate to Azure DevOps (e.g. dev.azure.com/). I think that this was causing the issue when failing to get an access token.

I created a different user account in my Azure AD, gave it access to my Azure DevOps organization, and made sure that this new user account had Reader permissions over the target subscription and did not have MFA turned on. This resolved the issue of getting subscription info when using managed identity.

0
votes

My scenario getting this error was adding a Service Connection to a Management Group in Azure DevOps:

GetUserAccessToken: Failed to obtain an access token of identity {{GUID}}. AAD returned silent failure.

Fix for me was adding my account as a Project Collection Admin in DevOps... details below:

Tried every permission possible ... GA, ROOT Mgmt Group Owner (via AAD setting), target Mgmt Group Owner, Subscription Owner, App Administrator... In DevOps I am a project admin and I have the Admin security role in service connections.

Interesting difference I have here: my Azure AD home tenant is different from my Azure Subscription AD tenant (I am a B2B Guest).

I actually tried to use a different DevOps tenant that has an AAD tied to the Azure Subscription tenant and it WORKED :( This led me to dive further into what is different. Aside from the DevOps->AAD link, I am also COLLECTION admin on the working one, and only a project admin on the failing one. I made sure I had Management Group Owner rights and then added my account as a Project Collection Admin - WORKED!

Ref: https://developercommunity.visualstudio.com/solutions/1246044/view.html