Azure DevOps unable to deploy to Azure Web App

AgitoM · Oct 8, 2018 · Viewed 9.9k times

Am currently trying to deploy an app from a Release Pipeline under Azure DevOps owned by Company A to an Azure App hosted on Azure owned by Company B.

Keep on getting this error when attempting to release stop the Azure App:

Error: Failed to get resource ID for resource type 'Microsoft.Web/Sites' and resource name 'AppName'. Error: Could not fetch access token for Managed Service Principal. Please configure Managed Service Identity (MSI) for virtual machine 'https://aka.ms/azure-msi-docs'. Status code: 400, status message: Bad Request

Am at a loss on how to solve this.

What has been done so far:

  • Web App is created in Azure of Company B
  • User from DevOps Company A Account is added as Guest User in Company Azure AD
  • User has Contributor rights on the Web App
  • Managed Service Identity is set to "On" on Web App
  • The subscription of Company B and Web Apps can be seen and selected when setting up the release in Azure DevOps.

Am quite sure that more needs to be in order for the release deployment to work, but after an intensive search, I was not able to find anything.

Hope anyone here can advise.

Answer

AgitoM · Oct 18, 2018

Managed to find the solution to the problem I encountered. It was related to the access rights of the guest account on the Azure subscription.

First of all, "Managed Service Identity" was not related to this issue.

These are the steps that were followed to connect the Azure DevOps of Company A to the Azure of Company B:

  • Created Web App in Company B Azure
  • Azure DevOps account from Company A was added as a "Guest User" in the Azure of Company B
  • The DevOps account is given Contributor rights on both the Azure Subscription and the Web App.
  • In Company A's DevOps, add an "Azure Resource Manager". Choose the settings of Company B's Azure as "Service Principal Authentication".
  • Upon saving Azure Resource Manager, you will be prompted to log in. You will need to log in with the admin account of Company B's Azure.
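
The role assignments described in the steps above can be audited from the JSON that `az role assignment list --all -o json` returns. The following is an added example, not part of the original answer: it resolves which assignments apply to the Web App through Azure RBAC scope inheritance and reports any grant broader than the app itself. The subscription ID, resource group and account names are constructed placeholders.

```python
import json

# Constructed sample in the shape of `az role assignment list --all -o json`.
# Subscription ID, resource group and principal names are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
WEBAPP = SUB + "/resourceGroups/rg-demo/providers/Microsoft.Web/sites/AppName"
GUEST = "devops_companya.example#EXT#@companyb.onmicrosoft.com"
SAMPLE = json.dumps([
    {"principalName": GUEST, "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": WEBAPP},
    {"principalName": GUEST, "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "other@companyb.example", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB},
])
ASSIGNMENTS = json.loads(SAMPLE)

def _norm(scope):
    # Resource IDs are compared case-insensitively, without a trailing slash.
    return scope.rstrip("/").lower()

def covers(assignment_scope, resource_id):
    """RBAC scopes are hierarchical: a scope covers itself and its children."""
    a, r = _norm(assignment_scope), _norm(resource_id)
    return r == a or r.startswith(a + "/")

def effective_roles(assignments, principal, resource_id):
    """Return sorted (role, scope) pairs that apply to principal on resource_id."""
    return sorted(
        (a["roleDefinitionName"], a["scope"])
        for a in assignments
        if a["principalName"].lower() == principal.lower()
        and covers(a["scope"], resource_id)
    )

def broader_than_resource(assignments, principal, resource_id):
    """Scopes where the principal holds a role above the resource itself."""
    return [scope
            for _, scope in effective_roles(assignments, principal, resource_id)
            if _norm(scope) != _norm(resource_id)]

if __name__ == "__main__":
    for role, scope in effective_roles(ASSIGNMENTS, GUEST, WEBAPP):
        print(f"{role:12} {scope}")
    print("broader scopes:", broader_than_resource(ASSIGNMENTS, GUEST, WEBAPP))
```

A subscription-scope entry in the second list means the guest account's rights extend to every resource in that subscription, not only the Web App.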