// Manages federated credentials for Azure DevOps service connections using Workload Identity Federation. Retrieves actual issuer/subject from service connections and creates/updates federated credentials on Service Principals.
Creates Azure DevOps CI/CD pipelines from the template YAML files. This skill creates pipelines for agent creation, testing, and deployment automation using the ready-to-use pipeline definitions.
Orchestrates complete Azure AI Foundry deployment to Azure DevOps. Coordinates repository-setup, service-connection-setup, environment-setup, pipeline-setup, and deployment-validation skills. Use when deploying the complete Azure AI Foundry starter template end-to-end.
Cleans up Azure DevOps resources (repositories, service connections, variable groups, pipelines) and resets configuration files. Use when you need to remove Azure DevOps artifacts after testing or to prepare for a fresh deployment of the Azure AI Foundry Starter template.
Safely deletes all Azure resources created by the Azure AI Foundry starter template including resource groups, AI Services, AI Foundry Projects, Service Principal, federated credentials, and RBAC assignments. Use when tearing down environments or starting fresh.
Validates the complete Azure AI Foundry deployment by checking repositories, service connections, variable groups, environments, pipelines, and optionally running the first agent deployment. This skill provides comprehensive verification of the deployment setup.
Creates Azure DevOps variable groups and environments for dev, test, and production. This skill configures environment-specific variables and approval gates required for CI/CD pipelines.
| name | federated-credentials |
| description | Manages federated credentials for Azure DevOps service connections using Workload Identity Federation. Retrieves actual issuer/subject from service connections and creates/updates federated credentials on Service Principals. |
This skill manages the creation and update of federated credentials for Azure DevOps service connections that use Workload Identity Federation (no secrets). It ensures credentials use the correct issuer and subject format retrieved directly from Azure DevOps.
Use this skill when you need to:
NEVER guess or construct the issuer/subject format manually. Always retrieve the actual values from Azure DevOps service connections.
issuer: https://vstoken.dev.azure.com/{tenantId}
subject: sc://{org}/{project}/{serviceConnectionName}
issuer: https://login.microsoftonline.com/{tenantId}/v2.0
subject: /eid1/c/pub/t/{encodedTenantId}/a/{encodedAppId}/sc/{projectId}/{serviceConnectionId}
Before running this skill:
starter-config.jsonaz login# Fix federated credentials for all environments
./.github/skills/federated-credentials/fix-federated-credentials.ps1
# Or with specific environments
./.github/skills/federated-credentials/fix-federated-credentials.ps1 -Environments @("dev", "test")
If you need to understand the process or troubleshoot:
# Set up authentication
$org = "https://dev.azure.com/{your-org}"
$env:ADO_TOKEN = az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query accessToken -o tsv
# Get project ID
$projectId = az devops project show --project "{your-project}" --organization $org --query id -o tsv
# Get service connections with federation details
$serviceConnections = Invoke-RestMethod `
-Uri "$org/$projectId/_apis/serviceendpoint/endpoints?api-version=7.1-preview.4" `
-Headers @{ Authorization = "Bearer $env:ADO_TOKEN" } `
-Method Get
# Display connection details
$serviceConnections.value | ForEach-Object {
Write-Host "Name: $($_.name)"
Write-Host "ID: $($_.id)"
Write-Host "Issuer: $($_.authorization.parameters.workloadIdentityFederationIssuer)"
Write-Host "Subject: $($_.authorization.parameters.workloadIdentityFederationSubject)"
Write-Host "---"
}
# Load configuration
$config = Get-Content .\starter-config.json | ConvertFrom-Json
$spAppId = $config.servicePrincipal.appId
# Delete old credential (for each environment)
az ad app federated-credential delete `
--id $spAppId `
--federated-credential-id "azure-foundry-dev"
# Create credential JSON file
$credJson = @{
name = "azure-foundry-dev"
issuer = "https://login.microsoftonline.com/{tenantId}/v2.0" # From Step 1
subject = "/eid1/c/pub/t/.../sc/{serviceConnectionId}" # From Step 1
audiences = @("api://AzureADTokenExchange")
} | ConvertTo-Json -Depth 10
$credJson | Out-File -FilePath "cred-dev.json" -Encoding UTF8
# Create federated credential
az ad app federated-credential create `
--id $spAppId `
--parameters "cred-dev.json"
# Clean up
Remove-Item "cred-dev.json"
# List all federated credentials for the Service Principal
az ad app federated-credential list --id $spAppId --query "[].{Name:name, Issuer:issuer, Subject:subject}" -o table
Symptom: REST API returns service connections but name/ID are empty strings.
Solution: Token expired. Refresh bearer token:
$env:ADO_TOKEN = az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query accessToken -o tsv
Symptom: Error when running az ad app federated-credential create with inline JSON.
Solution: Use JSON file instead of inline parameters:
# Create JSON file first
$credJson | Out-File -FilePath "cred.json" -Encoding UTF8
# Then use file path
az ad app federated-credential create --id $spAppId --parameters "cred.json"
Symptom: Pipeline fails with authentication error even after federated credentials are fixed.
Solution: Check RBAC permissions. Service Principal needs both control plane and data plane roles:
# Control plane (already has Contributor)
az role assignment list --assignee $spAppId --scope "/subscriptions/{subId}/resourceGroups/{rg}"
# Data plane - ADD THIS
az role assignment create `
--assignee $spAppId `
--role "Cognitive Services User" `
--scope "/subscriptions/{subId}/resourceGroups/{rg}/providers/Microsoft.CognitiveServices/accounts/{resourceName}"
See LESSONS_LEARNED.md #11 for details.
Symptom: Federated credential exists but has guessed issuer/subject format.
Solution: Delete and recreate with correct values from Azure DevOps:
# Delete
az ad app federated-credential delete --id $spAppId --federated-credential-id "azure-foundry-dev"
# Recreate with correct values (from Step 1)
az ad app federated-credential create --id $spAppId --parameters "cred-dev.json"
When successful, you'll see:
Example output:
{
"audiences": ["api://AzureADTokenExchange"],
"id": "a7e3a90c-0fd1-41f6-a622-2052d7a7a092",
"issuer": "https://login.microsoftonline.com/16b3c013-d300-468d-ac64-7eda0820b6d3/v2.0",
"name": "azure-foundry-dev",
"subject": "/eid1/c/pub/t/E8CzFgDTjUasZH7aCCC20w/a/rISbSSETf0KqFyZ8ppdXmA/sc/cc675aa2-a9f1-4091-9600-8fd083925744/259270a3-61be-4f9c-aee0-14478327844e"
}
Federated credentials are correctly configured when:
https://login.microsoftonline.com/{tenantId}/v2.0/eid1/c/pub/t/.../sc/{serviceConnectionId}["api://AzureADTokenExchange"]