How do I
save new secret in service connection
?
AzureCLI task in deployment pipeline: Azure login failed
Richard Barraclough
21
Reputation points
I have an Azure release pipeline that's been working for a while but suddenly the AzureCLI task fails saying Azure login failed.
Here is the task.
Clicking on Manage I get through to Azure that shows a warning about an expired 'secret'.
It will produce a new secret, but what do I do with it? I can't find the old one anwhere.
Azure DevOps
2 answers
Sort by: Most helpful
-
Richard Barraclough 21 Reputation points
2026-05-05T08:25:42.19+00:00 -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 77%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
Rakesh Mishra 8,420 Reputation points Microsoft External Staff Moderator2026-04-30T16:57:40.5466667+00:00 Hey Richard, it looks like your AzureCLI task is failing because the underlying Service Principal’s client secret has expired. When you hit “Manage” in your classic pipeline and see that warning, it’s telling you exactly that – the secret used by your Azure Resource Manager service connection is no longer valid, so
az loginblows up.Here’s how to fix it:
Click on Rotate secret if it is visible to auto rotate.
Or
- Click on Manage App registration as in screenshot below. OR In the Azure Portal, go to Azure Active Directory (Microsoft Entra Id) → App registrations → find the app/service principal that backs your DevOps service connection by matching the Id mentioned below service connection name.
- Under “Certificates & secrets,” click New client secret, give it a name and expiry, hit Add, and copy the Value immediately (you won’t be able to retrieve it again).
- Switch over to Azure DevOps:
- Navigate to Project settings → Service connections.
- Find your “Azure Subscription (xxx-… )” connection, click the … and choose Edit.
- Under Authentication method, paste in the new secret Value you just created, click Verify (or Save), and confirm the connection succeeds.
- Re-run your pipeline. The AzureCLI task should now authenticate successfully.
If you can’t find the original service connection or want a fresh start, you can also create a brand-new ARM service connection in DevOps and point your task to that.
Hope that helps—once the secret’s updated, your inline PowerShell or CLI steps will be able to
az loginagain without errors!Reference docs for more details:
- Azure CLI task (AzureCLI@2)
- Connect to Azure with an ARM service connection
- Troubleshooting Azure PowerShell/CLI tasks
Note: This content was drafted with the help of an AI system.
-
Richard Barraclough 21 Reputation points
2026-05-01T09:22:55.9933333+00:00 I see that blue cloud logo, but there is no rotate secret link.
I've tried deleting the new secret that I created, but that hasn't made it appear.
-
Richard Barraclough 21 Reputation points
2026-05-01T09:25:06.89+00:00 I don't have a Rotate Secret link.
I tried removing the new secret that I added, but that hasn't made it appear.
-
Rakesh Mishra 8,420 Reputation points Microsoft External Staff Moderator
2026-05-04T17:09:06.6833333+00:00 Hi Richard, did you try to click on Manage App registration and follow the steps to rotate secret and save the new secret in service connection?
Sign in to comment