Workload Identity Federation -Azure Synapse Release pipeline Fails with Error

Question

Workload Identity Federation -Azure Synapse Release pipeline Fails with Error

Prabhu 65

We;re creating a release pipeline for Azure Synapse using

WIF for automatic connection and everything works fine ( Verified Permissions on the SPN) however when running the release pipeline Getting this error .

025-06-13T11:42:41.3876045Z An error occurred during execution: Error: Get workspace location error: Could not fetch access token for Azure. Verify if the Service Principal used is valid and not expired. For more information refer https://aka.ms/azureappservicedeploytsg
2025-06-13T11:42:41.3903578Z ##[error]Encountered with exception:Error: Get workspace location error: Could not fetch access token for Azure. Verify if the Service Principal used is valid and not expired. For more information refer https://aka.ms/azureappservicedeploytsg

Bodapati Harish 825 Reputation points Microsoft External Staff Moderator

2025-06-13T13:24:26.1233333+00:00

Hello Prabhu,

In Azure DevOps, when you move your Synapse release pipeline to Workload Identity Federation, you must have a valid federated credential in Azure AD so DevOps can exchange its token for an ARM access token. To set this up, open the service principal in the Azure Portal, navigate to Certificates & secrets, and verify there is a federated credential with issuer https://vstoken.azure.com and audience matching exactly the Service Principal Endpoint GUID shown in your DevOps identity provider settings. If that credential is missing or the audience doesn’t match, create a new federated credential with those exact values. Next, go back to Project Settings > Service connections in Azure DevOps, edit your Synapse service connection, choose Workload Identity Federation as the authentication method, and select the same subscription and service principal you just configured. Saving will bind DevOps and Azure AD correctly and if you pre-created the credential, DevOps will validate it; otherwise, it will generate it for you automatically. Finally, ensure your deployment task (for example AzureCLI@2 or AzureLogin@v1) is pointed at that federated connection. With this configuration in place, your pipeline will present a valid federated token, receive a proper ARM access token, and your Synapse release will complete without the “Could not fetch access token” error. If you have any further questions, please reply back.
Prabhu 65 Reputation points

2025-06-13T14:00:22.3666667+00:00

Hi Harish,

Thanks, do you have any MS article to follow.

I've tried Automatic registration, Manual and Managed Identity however all throwing same results.
Bodapati Harish 825 Reputation points Microsoft External Staff Moderator

2025-06-13T16:35:09.76+00:00

Hi Prabhu, you can follow the official Microsoft documentation step by step to get your Workload Identity Federation working end to end. Start with the Set a Resource Manager workload identity service connection article (https://learn.microsoft.com/azure/devops/pipelines/release/configure-workload-identity?view=azure-devops), which explains both the automatic and manual methods for setting up a federated credential in Azure AD with issuer https://vstoken.azure.com and the exact Service Principal Endpoint GUID as the audience. It also shows how to grant the right role assignments and save your DevOps service connection so that it can successfully mint ARM tokens. If you still run into the “Could not fetch access token” error after following those steps, the Troubleshoot workload identity service connections article (https://learn.microsoft.com/azure/devops/pipelines/release/troubleshoot-workload-identity?view=azure-devops) will help you verify that federation is enabled for your tenant, confirm that your issuer URL and audience values match exactly, and identify any tenant-level restrictions that might be blocking the token exchange. Working through these two guides in order should resolve the token-fetch issue in your Synapse release pipeline.
SrideviM 5,730 Reputation points Microsoft External Staff Moderator

2025-06-16T01:20:08.6766667+00:00

Hello Prabhu,

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back
Prabhu 65 Reputation points

2025-06-16T03:29:10.77+00:00

No , none of the MS articles helped to fix this particular issue.
SrideviM 5,730 Reputation points Microsoft External Staff Moderator

2025-06-16T04:05:27.79+00:00

Hello Prabhu,

Could you share more details like images of your pipeline YAML for the Synapse deployment step, the code snippet you’re using (AzureCLI@2 or AzurePowerShell task), and screenshots of the full error message you’re seeing?
Prabhu 65 Reputation points

2025-06-16T04:50:00.6333333+00:00

This is the error message

We use Azure Synapse deployment not Azure CLI
Prabhu 65 Reputation points

2025-06-16T04:55:47.6866667+00:00

How do i proceed If i have to use Azure CLI 2 based deployment
ArkoSen-6842 4,165 Reputation points Moderator

2025-06-18T08:07:20.7433333+00:00

Hello Prabhu, following up on this. Hope I was able to clear your query here. Thanks
ArkoSen-6842 4,165 Reputation points Moderator

2025-06-20T04:09:07.02+00:00

Following up on this Prabhu, hope I was able to resolve your query here. Thanks
ArkoSen-6842 4,165 Reputation points Moderator

2025-06-20T08:40:43.2633333+00:00

Hello Prabhu, Glad that your query is resolved now. Kindly do not forget to mark the answer as accepted and upvote this answer as helpful, which may help members with similar questions in the community. Thanks

1 answer

Your answer

Bodapati Harish 825 Reputation points Microsoft External Staff Moderator

2025-06-13T13:24:26.1233333+00:00

Hello Prabhu,

In Azure DevOps, when you move your Synapse release pipeline to Workload Identity Federation, you must have a valid federated credential in Azure AD so DevOps can exchange its token for an ARM access token. To set this up, open the service principal in the Azure Portal, navigate to Certificates & secrets, and verify there is a federated credential with issuer https://vstoken.azure.com and audience matching exactly the Service Principal Endpoint GUID shown in your DevOps identity provider settings. If that credential is missing or the audience doesn’t match, create a new federated credential with those exact values. Next, go back to Project Settings > Service connections in Azure DevOps, edit your Synapse service connection, choose Workload Identity Federation as the authentication method, and select the same subscription and service principal you just configured. Saving will bind DevOps and Azure AD correctly and if you pre-created the credential, DevOps will validate it; otherwise, it will generate it for you automatically. Finally, ensure your deployment task (for example AzureCLI@2 or AzureLogin@v1) is pointed at that federated connection. With this configuration in place, your pipeline will present a valid federated token, receive a proper ARM access token, and your Synapse release will complete without the “Could not fetch access token” error. If you have any further questions, please reply back.
Prabhu 65 Reputation points

2025-06-13T14:00:22.3666667+00:00

Hi Harish,

Thanks, do you have any MS article to follow.

I've tried Automatic registration, Manual and Managed Identity however all throwing same results.
Bodapati Harish 825 Reputation points Microsoft External Staff Moderator

2025-06-13T16:35:09.76+00:00

Hi Prabhu, you can follow the official Microsoft documentation step by step to get your Workload Identity Federation working end to end. Start with the Set a Resource Manager workload identity service connection article (https://learn.microsoft.com/azure/devops/pipelines/release/configure-workload-identity?view=azure-devops), which explains both the automatic and manual methods for setting up a federated credential in Azure AD with issuer https://vstoken.azure.com and the exact Service Principal Endpoint GUID as the audience. It also shows how to grant the right role assignments and save your DevOps service connection so that it can successfully mint ARM tokens. If you still run into the “Could not fetch access token” error after following those steps, the Troubleshoot workload identity service connections article (https://learn.microsoft.com/azure/devops/pipelines/release/troubleshoot-workload-identity?view=azure-devops) will help you verify that federation is enabled for your tenant, confirm that your issuer URL and audience values match exactly, and identify any tenant-level restrictions that might be blocking the token exchange. Working through these two guides in order should resolve the token-fetch issue in your Synapse release pipeline.
SrideviM 5,730 Reputation points Microsoft External Staff Moderator

2025-06-16T01:20:08.6766667+00:00

Hello Prabhu,

Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back
Prabhu 65 Reputation points

2025-06-16T03:29:10.77+00:00

No , none of the MS articles helped to fix this particular issue.
SrideviM 5,730 Reputation points Microsoft External Staff Moderator

2025-06-16T04:05:27.79+00:00

Hello Prabhu,

Could you share more details like images of your pipeline YAML for the Synapse deployment step, the code snippet you’re using (AzureCLI@2 or AzurePowerShell task), and screenshots of the full error message you’re seeing?
Prabhu 65 Reputation points

2025-06-16T04:50:00.6333333+00:00

This is the error message

We use Azure Synapse deployment not Azure CLI
Prabhu 65 Reputation points

2025-06-16T04:55:47.6866667+00:00

How do i proceed If i have to use Azure CLI 2 based deployment
ArkoSen-6842 4,165 Reputation points Moderator

2025-06-18T08:07:20.7433333+00:00

Hello Prabhu, following up on this. Hope I was able to clear your query here. Thanks
ArkoSen-6842 4,165 Reputation points Moderator

2025-06-20T04:09:07.02+00:00

Following up on this Prabhu, hope I was able to resolve your query here. Thanks
ArkoSen-6842 4,165 Reputation points Moderator

2025-06-20T08:40:43.2633333+00:00

Hello Prabhu, Glad that your query is resolved now. Kindly do not forget to mark the answer as accepted and upvote this answer as helpful, which may help members with similar questions in the community. Thanks

Answer 1

ArkoSen-6842 4,165 Moderator

Hello Prabhu,

The root cause of your issue is that the Azure Synapse deployment task does not currently support Workload Identity Federation authentication. Even though your service connection is configured with WIF correctly and the Service Principal has valid federated credentials, the underlying deployment task attempts to retrieve an access token using the legacy ServicePrincipal credential flow, which fails in WIF-based contexts with the error

Could not fetch access token for Azure. Verify if the Service Principal used is valid and not expired.

To resolve this issue, you should switch from the Synapse GUI task to an AzureCLI@2 task, which fully supports WIF and can deploy Synapse artifacts using Azure PowerShell or REST APIs. In order to replace Synapse task with AzureCLI@2, create a new Azure CLI task in your release pipeline

- task: AzureCLI@2
  inputs:
    azureSubscription: 'synapse-serviceconnection' # your WIF-based service connection
    scriptType: 'ps'
    scriptLocation: 'inlineScript'
    inlineScript: |
      # Authenticate and deploy Synapse ARM Template
      $resourceGroup = 'rg-dibber-global-analytics-prod'
      $workspaceName = 'synapse-global-analytics-prod'
      $templatePath = "$(System.DefaultWorkingDirectory)/_YourArtifact/drop/template.json"
      $parametersPath = "$(System.DefaultWorkingDirectory)/_YourArtifact/drop/parameters.json"
      az deployment group create `
        --resource-group $resourceGroup `
        --template-file $templatePath `
        --parameters @$parametersPath `
        --name synapseDeployment-$(Build.BuildId)

Just ensure your synapse-serviceconnection is set up with WIF and the Federated Credential in Entra ID has issuer: https://vstoken.azure.net

If you must use the Synapse Deployment Task UI in the future, please note that Microsoft currently does not support WIF for that task. Until an updated task version is released with WIF support, using the AzureCLI@2 task is the most reliable and secure workaround.

you can checkout below MS docs-
Set up Workload Identity Federation for Azure DevOps

Troubleshoot WIF token fetch issues

az deployment group create reference

Prabhu 65

I could create a AzureCLI@2 based deployment however re-running the pipeline gives some different error this time. can you help

This is the inline script i have used.

- task: AzureCLI@2
  displayName: 'Deploy Synapse Workspace'
  inputs:
    azureSubscription: 'synapse-serviceconnection'  # your WIF-based service connection name
    scriptType: 'ps'
    scriptLocation: 'inlineScript'
    inlineScript: |
      Write-Output "Starting Synapse deployment..."
      $resourceGroup = 'rg-dibber-global-analytics-prod'
      $templatePath = "$(System.DefaultWorkingDirectory)/_dibber_synapse_workspace/dibber-dev-gdwh/TemplateForWorkspace.json"
      $parametersPath = "$(System.DefaultWorkingDirectory)/_dibber_synapse_workspace/dibber-dev-gdwh/TemplateParametersForWorkspace.json"
      az deployment group validate `
        --resource-group $resourceGroup `
        --template-file $templatePath `
        --parameters @$parametersPath `
        --verbose
      az deployment group create `
        --resource-group $resourceGroup `
        --template-file $templatePath `
        --parameters @$parametersPath `
        --name synapseDeployment-$(Build.BuildId)
=========================================================================================

2025-06-16T06:53:12.4950490Z At D:\a\_temp\azureclitaskscript1750056693247_inlinescript.ps1:1 char:2
2025-06-16T06:53:12.4951235Z + - task: AzureCLI@2
2025-06-16T06:53:12.4951670Z +  ~
2025-06-16T06:53:12.4952087Z Missing expression after unary operator '-'.
2025-06-16T06:53:12.4952525Z At D:\a\_temp\azureclitaskscript1750056693247_inlinescript.ps1:1 char:3
2025-06-16T06:53:12.4952969Z + - task: AzureCLI@2
2025-06-16T06:53:12.4953321Z +   ~~~~~
2025-06-16T06:53:12.4953713Z Unexpected token 'task:' in expression or statement.
2025-06-16T06:53:12.4954148Z     + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
2025-06-16T06:53:12.4954680Z     + FullyQualifiedErrorId : MissingExpressionAfterOperator
2025-06-16T06:53:12.4958950Z  
2025-06-16T06:53:12.5033457Z 
2025-06-16T06:53:12.5149533Z ##[error]Script failed with exit code: 1
2025-06-16T06:53:12.5265129Z [command]C:\Windows\system32\cmd.exe /D /S /C ""C:\Program Files\Microsoft SDKs\Azure\CLI2\wbin\az.cmd" account clear"
2025-06-16T06:53:14.9177520Z ##[section]Finishing: Azure CLI

Prabhu 65 Reputation points

2025-06-16T07:01:47.93+00:00

This is the token issuer, should I replace this to "https://vstoken.azure.net/"
ArkoSen-6842 4,165 Reputation points Moderator

2025-06-16T07:53:51.8633333+00:00
Hello Prabhu,
the issue now seems to be caused by a mismatch in the issuer URL you've used when creating the federated credential for Workload Identity Federation. From the screenshot, I see that your current issuer is https://vstoken.dev.azure.com/bdd8ed4d-58ba-48ec-b651-e27c7d6a1001

That issuer is valid for YAML-based pipelines, but you're using a release pipeline, and for that, the correct issuer should be https://vstoken.azure.net

Kindly change it. This value is automatically generated by Azure DevOps when setting up a federated service connection via the portal, and it’s required for release pipelines to successfully exchange tokens with Entra ID. If the issuer doesn’t match what DevOps expects, the token exchange will fail — which is what’s happening in your case.

The script error (Missing expression after unary operator '-') happened because you mistakenly included the YAML task declaration inside the PowerShell script block.

Corrected the format below-

- task: AzureCLI@2 displayName: 'Deploy Synapse Workspace' inputs: azureSubscription: 'synapse-serviceconnection' scriptType: 'ps' scriptLocation: 'inlineScript' inlineScript: | Write-Output "Starting Synapse deployment..." $resourceGroup = 'rg-dibber-global-analytics-prod' $templatePath = "$(System.DefaultWorkingDirectory)/_dibber_synapse_workspace/dibber-dev-gdwh/TemplateForWorkspace.json" $parametersPath = "$(System.DefaultWorkingDirectory)/_dibber_synapse_workspace/dibber-dev-gdwh/TemplateParametersForWorkspace.json" az deployment group validate ` --resource-group $resourceGroup ` --template-file $templatePath ` --parameters @$parametersPath ` --verbose az deployment group create ` --resource-group $resourceGroup ` --template-file $templatePath ` --parameters @$parametersPath ` --name "synapseDeployment-$(Build.BuildId)"

I guess once both the federated credential and script format are corrected, the pipeline should authenticate properly and deploy your Synapse resources as expected using Workload Identity Federation. Please give it a try and let me know your findings. Thanks
Prabhu 65 Reputation points

2025-06-16T10:45:34.4833333+00:00

Thanks, when I update the issuer to https://vstoken.azure.net/bdd8ee4d-58ba-48ec-b651-e2f7c46a1001 , https://vstoken.azure.net/ I get a different error .
ArkoSen-6842 4,165 Reputation points Moderator

2025-06-17T06:15:05.77+00:00

Hello Prabhu,
This AADSTS700211: No matching federated identity record found for presented assertion issuer error indicates Azure AD received a token with issuer = https://vstoken.azure.net, but didn’t find any federated credential in the service principal that matches the issuer, the subject and the audience. You’ve correctly set the Issuer- https://vstoken.azure.net, the Type- Explicit subject identifier and the Audience - api://AzureADTokenExchange. But the Subject Identifier (Value) field seems to be misaligned. In your screenshot, I see value (Subject): sc://dibber-gdwh/azure_gdwh/synapse. I understand that’s a custom value, but DevOps doesn’t generate subjects like that. The correct Subject Identifier should be the one that Azure DevOps generates when you initially set up the service connection. You can find it under Project Settings > Service Connections > Click on your Synapse service connection > Click Edit and expand the "Federated Credentials" section > You will see something like this- sc://<organization-name>/<project-name>/<service-connection-guid>

That exact subject string must match what you use in the “Value” field of your Entra ID federated credential.

Azure DevOps includes that subject value in the OIDC token it presents during the WIF login exchange. If what Azure AD sees in the token doesn’t match a federated credential exactly even a single character off the token is rejected with the AADSTS700211 error you're seeing.
Prabhu 65 Reputation points

2025-06-18T09:14:10.3733333+00:00

Thanks for following-up . Since Azure Git Repos has few limitations around 4MB , i have uploaded the ARM templates in Storage account and trying to deploy the release pipeline.

Do you have any steps or guidance.

ArkoSen-6842 4,165 Moderator

Sure, prepare Storage SAS URL (or public link)
Follow this MS link

az storage blob generate-sas \
  --account-name mystorageaccount \
  --container-name templates \
  --name TemplateForWorkspace.json \
  --permissions r \
  --expiry 2025-12-31T23:59:00Z \
  --output tsv

You'll get the full URL, something like this- https://mystorageaccount.blob.core.windows.net/templates/TemplateForWorkspace.json?<SAS_TOKEN>

Repeat the same for your TemplateParameters.json.

Then use AzureCLI@2 to download and deploy the files
Follow this MS Link

- task: AzureCLI@2
  displayName: 'Download and deploy Synapse ARM template from Blob Storage'
  inputs:
    azureSubscription: 'synapse-serviceconnection'
    scriptType: 'ps'
    scriptLocation: 'inlineScript'
    inlineScript: |
      $templateUrl = "<YOUR_TEMPLATE_JSON_SAS_URL>"
      $parametersUrl = "<YOUR_PARAMETERS_JSON_SAS_URL>"
      Invoke-WebRequest -Uri $templateUrl -OutFile "template.json"
      Invoke-WebRequest -Uri $parametersUrl -OutFile "parameters.json"
      az deployment group validate `
        --resource-group rg-dibber-global-analytics-prod `
        --template-file template.json `
        --parameters @parameters.json `
        --verbose
      az deployment group create `
        --resource-group rg-dibber-global-analytics-prod `
        --template-file template.json `
        --parameters @parameters.json `
        --name "synapseDeployment-$(Build.BuildId)"

If you prefer not to expose SAS URLs in plaintext, you can even store them in Azure Key Vault and reference via pipeline variables.

ArkoSen-6842 4,165 Reputation points Moderator

2025-06-19T07:06:28.26+00:00

Hello Prabhu, how is it going so far? following up on this. Hope your query is clear now.
Prabhu 65 Reputation points

2025-06-20T04:10:50.84+00:00

I think all looks good and we're working on the updated template.
ArkoSen-6842 4,165 Reputation points Moderator

2025-06-20T08:31:19.2333333+00:00

Hello Prabhu, Great! I am converting the same to answer. It would be great if you could kindly mark the answer as accepted so that anyone else having similar query on Microsoft Q&A forum can refer to this post. Thanks
ArkoSen-6842 4,165 Reputation points Moderator

2025-06-20T18:24:50.48+00:00

Hello Prabhu, following up on this. Please do not forget to mark the answer as accepted and upvote it as it may be beneficial to the community.
Jessica Cacanindin 0 Reputation points

2025-07-28T06:47:25.0333333+00:00

Hi everyone,

I have this same issue and been trying to use Azure CLI instead of Synapse Deployment Task. However, I keep getting a "azure.core.exceptions.HttpResponseError: (RequestContentTooLarge) The request content size exceeds the maximum size of 4 MB." error. I am unsure how to proceed. Should I upload the TemplateForWorkspace.json to a Storage Account? Any guidance will be appreciated
Prabhu 65 Reputation points

2025-07-28T07:03:21.0133333+00:00

yes please upload in the storage account and it should work.
Jessica Cacanindin 0 Reputation points

2025-07-28T10:28:39.3233333+00:00

Hi question, can you explain which part of the pipeline is technically having an issue with the resource size? As i do not understand how uploading and downloading to a storage account will address the resource size issue.
Prabhu 65 Reputation points

2025-07-28T11:02:46.07+00:00

ARM enforces a 4MB limit on the JSON template size during deployment this is why large synapse, or complex deployments hit the issue.

To remediate - Store the template in a storage account and reference it in your deployment using SAS url and it solves the inline transfer issue.

Modularize your template - Split the synapse resources into multiple linked templates.
Jessica Cacanindin 0 Reputation points

2025-07-28T14:15:54.22+00:00

Last question -- are the ARM templates static? Or are they dynamically updated with every change?
Prabhu 65 Reputation points

2025-07-29T02:50:54.3+00:00

Yes when you click publish in Synapse studio for that specific environment ( Eg : Dev) so it generates a static ARM template ( template.json) and (template.parameters.json) in the publish branch in the Git repo.

The ARM templates are not updated automatically and if you want to deploy to multiple target environments ( Dev -> Prod) then you need use paramter orverrides for environment-specific values ( eg : Strogate account , SQL server name)

Secure secrets ( eg : Passwords , SAS tokens ) using AKV references or pipeline variables.
Khem Singh 5 Reputation points

2025-08-24T09:19:34.41+00:00

Is AzureCLI@2 working for Synapse deployments? I keep getting a Bad Request when using the template from this thread. Could someone share a working YAML or inline PowerShell script? Do I need to overwrite parameters differently?
Shenghe Bi 0 Reputation points

2025-08-28T04:40:37.7066667+00:00
Has anyone successfully used this approach to deploy a Synapse workspace artifacts with complex resource types? I’m encountering a similar error as Khem.

In my experience, if a resource exists in both the Synapse workspace ARM template and the Synapse artifact exported template, it can be deployed using az deployment group create. For example, I can see SHIR or Spark pool’s is deployed But for most of the Synapse artifacts resources, eg “Microsoft.Synapse/workspaces/linkedServices”, “Microsoft.Synapse/workspaces/credentials”, “Microsoft.Synapse/workspaces/sparkConfigurations”, it failed at deployment with error like this.

{ "code": "BadRequest", "message": "" } Or { "message": "The requested resource does not support http method 'PUT'." }

Share via

Workload Identity Federation -Azure Synapse Release pipeline Fails with Error

1 answer

Your answer