docs/pipelines/release/troubleshoot-workload-identity.md
+6-1
@@ -139,9 +139,14 @@ The following table identifies common error messages and issues that might gener
139
139
|**AADSTS700024: Client assertion is not within its valid time range**| If the error happens after approximately 1 hour, use a service connection with [Workload identity federation and a Managed Identity](configure-workload-identity.md#set-a-workload-identity-service-connection-to-use-managed-identity-authentication) instead. Managed Identity tokens have a [lifetime of around 24 hours](/entra/identity/managed-identities-azure-resources/managed-identities-faq#are-managed-identities-tokens-cached). <br/> If the error happens before 1 hour but after 10 minutes, move commands that (implicitly) request an access token to e.g. access Azure storage to the beginning of your script. The access token will be cached for subsequent commands. |
140
140
|**AADSTS70021: No matching federated identity record found for presented assertion. Assertion Issuer: `https://app.vstoken.visualstudio.com`.**| No federated credential was created or the issuer URL isn't correct. The correct issuer URL has the format `https://vstoken.dev.azure.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`. You can fix the issuer URL by editing and then saving a service connection. If Azure DevOps didn't create your identity, you must manually update the issuer. You can find the correct issuer in the edit dialog of the service connection or in the response (under authorization parameters) if you use the REST API. |
141
141
|**AADSTS70021: No matching federated identity record found for presented assertion. Assertion Issuer: `https://vstoken.dev.azure.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`. Assertion Subject: `sc://<org>/<project>/<service-connection>.`**| Either the issuer URL or the federation subject doesn't match. The Azure DevOps organization or project was renamed or a manually created service connection was renamed without updating the federation subject on the identity. |
142
-
|**AADSTS700211: No matching federated identity record found for presented assertion issuer**| No federated credential was created or either the issuer URL, the federation subject, or both are rejected by a Microsoft Entra policy. |
142
+
|**AADSTS700211: No matching federated identity record found for presented assertion issuer**| No federated credential was created or the issuer URL is not correct. |
143
+
|**AADSTS700213: No matching federated identity record found for presented assertion subject**| No federated credential was created or the subject is not correct. |
143
144
|**AADSTS700223**| Workload identity federation is constrained or disabled on the Microsoft Entra tenant. In this scenario, it may be possible to use a managed identity for the federation instead. For more information, see [Workload identity with managed identity](https://aka.ms/azdo-rm-workload-identity-manual). |
145
+
|**AADSTS70025: Client application has no configured federated identity credentials**| Make sure federated credentials are configured on the App registration or Managed Identity. |
144
146
|**Microsoft Entra rejected the token issued by Azure DevOps with error code AADSTS700238**| Workload identity federation has been constrained on the Microsoft Entra tenant. The issuer for your organization (`https://vstoken.dev.azure.com/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`) isn't allowed to use workload identity federation. Ask your Microsoft Entra tenant administrator or administration team to allow workload identity federation for your Azure DevOps organization. |
147
+
|**AADSTS900382: Confidential Client is not supported in Cross Cloud**| Some sovereign clouds block Workload identity federation. |
145
148
|**Failed to obtain the JSON Web Token (JWT) using service principal client ID**| Your federation identity credentials are misconfigured or the Microsoft Entra tenant blocks OpenID Connect (OIDC). |
146
149
|**Script failed with error: UnrecognizedArgumentError: unrecognized arguments: --federated-token**| You're using an AzureCLI task on an agent that has an earlier version of the Azure CLI installed. Workload identity federation requires Azure CLI 2.30 or later. |
147
150
|**Failed to create an app in Microsoft Entra ID. Error: Insufficient privileges to complete the operation in Microsoft Graph. Ensure that the user has permissions to create a Microsoft Entra Application.**| The ability to create app registrations was [disabled](/azure/active-directory/roles/delegate-app-roles#restrict-who-can-create-applications) in the Microsoft Entra tenant. Assign the user who is creating the service connection the [Application Developer](/azure/active-directory/roles/permissions-reference#application-developer) Microsoft Entra role. Alternatively, create the service connection manually by using a managed identity. For more information, see [Workload identity with managed identity](https://aka.ms/azdo-rm-workload-identity-manual). |
151
+
152
+
Is the AADSTS error you see not listed above? Check [Microsoft Entra authentication and authorization error codes](/entra/identity-platform/reference-error-codes#aadsts-error-codes).
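Review bot: the new AADSTS900382 row ("Some sovereign clouds block Workload identity federation.") is the only row in this hunk that states a cause with no next step; every other row either names the fix or links to one, so say what the reader should do here (which clouds are affected, and whether a managed identity or another service connection type is the fallback). Also, the replaced AADSTS700211 line carried the hint that the issuer or subject can be "rejected by a Microsoft Entra policy", and the new AADSTS700211 and AADSTS700213 rows drop it; that case now lives only in the AADSTS700223 and AADSTS700238 rows, so consider pointing to them, otherwise a reader who hits 700211 with a correct issuer URL has nowhere to go. Minor: the two new rows say "is not correct" where the existing AADSTS70021 row says "isn't correct", and the two blank lines added at the end of the hunk before the closing paragraph should be one.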