{"id":4393,"date":"2026-06-22T09:35:34","date_gmt":"2026-06-22T09:35:34","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/06\/22\/retirement-of-azure-devops-issuer-in-workload-identity-federation-service-connections\/"},"modified":"2026-06-22T09:35:34","modified_gmt":"2026-06-22T09:35:34","slug":"retirement-of-azure-devops-issuer-in-workload-identity-federation-service-connections","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/06\/22\/retirement-of-azure-devops-issuer-in-workload-identity-federation-service-connections\/","title":{"rendered":"Retirement of Azure DevOps issuer in Workload identity federation service connections"},"content":{"rendered":"<p>We are announcing the <strong>deprecation of the Azure DevOps issuer in workload identity federation (WIF) service connections<\/strong>, with planned retirement on <strong>July 1, 2027<\/strong>. The Azure DevOps issuer uses the <code>https:\/\/vstoken.dev.azure.com<\/code> prefix in federated credentials. This change is part of Microsoft\u2019s broader initiative to standardize on the Microsoft Entra issuer across Azure services that implement workload identity federation.<\/p>\n<blockquote>\n<p><strong>Important<\/strong> This deprecation only applies to service connections in Azure public cloud that use single-tenant Microsoft Entra applications or managed identities. Service connections targeting non-public clouds (for example, Azure Government, Azure China, or Azure Stack) and service connections that use multi-tenant applications (<code>signInAudience: AzureADMultipleOrgs<\/code>) are explicitly excluded from today\u2019s deprecation announcement. The Azure DevOps issuer will continue to be supported for these scenarios until they\u2019re supported by the Microsoft Entra issuer.<\/p>\n<\/blockquote>\n<h2>Background: Workload Identity Federation in Azure DevOps<\/h2>\n<p>More than two years ago, we <a href=\"https:\/\/devblogs.microsoft.com\/devops\/workload-identity-federation-for-azure-deployments-is-now-generally-available\/\">introduced workload identity federation support for Azure DevOps<\/a>, enabling secretless authentication between Azure Pipelines and Azure resources with managed identities or app registrations. This was a significant security improvement over the use of app registrations with secrets.<\/p>\n<p>Workload identity federation has proven to be an invaluable feature for our customers, with strong adoption across organizations seeking to eliminate long-lived credentials from their CI\/CD pipelines.<\/p>\n<p>Microsoft is standardizing on the <strong>Microsoft Entra issuer<\/strong> (<code>https:\/\/login.microsoftonline.com\/<\/code>) for workload identity federation across services. Instead of using an OIDC token minted by Azure DevOps in the OpenID Connect (OIDC) flow underpinning workload identity federation, the flow uses an OIDC token minted by Microsoft Entra. The Microsoft Entra issuer has been used for new service connections since last year, and today more than 50% of all workload identity federation service connections use the Microsoft Entra issuer.<\/p>\n<h2>Timeline<\/h2>\n<p>Since <strong>November 2025<\/strong>, new workload identity federation service connections created in Azure DevOps have been using the Microsoft Entra issuer. Dates of upcoming changes are:<\/p>\n<ul>\n<li><strong>July 1, 2026<\/strong>: The Azure DevOps issuer (<code>https:\/\/vstoken.dev.azure.com<\/code>) is deprecated. New service connections created in Azure DevOps will continue to use the Microsoft Entra issuer by default.<\/li>\n<li><strong>July 2026 \u2013 June 2027<\/strong>: Existing service connections using the Azure DevOps issuer will show a warning in pipeline runs and the service connection configuration UI (see below).<\/li>\n<li><strong>July 1, 2027<\/strong>: The Azure DevOps issuer will reach end of life and will no longer be supported.<\/li>\n<\/ul>\n<h2>What You Need to Do<\/h2>\n<p>Service connections that use the Azure DevOps issuer (<code>https:\/\/vstoken.dev.azure.com<\/code>) are listed at the top of the <a href=\"https:\/\/learn.microsoft.com\/azure\/devops\/pipelines\/library\/service-endpoints\">service connection list<\/a>, with a warning indicating they need action:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2026\/06\/azdo-issuer-sc-list.webp\"><img data-opt-id=87618944  fetchpriority=\"high\" decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2026\/06\/azdo-issuer-sc-list.webp\" alt=\"azdo issuer sc list image\" width=\"1163\" height=\"366\" class=\"aligncenter size-full wp-image-72952\" \/><\/a><\/p>\n<p>To convert a service connection to the Microsoft Entra issuer, select the <strong>Update<\/strong> button:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2026\/06\/azdo-issuer-sc-to-update.webp\"><img data-opt-id=952987131  fetchpriority=\"high\" decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2026\/06\/azdo-issuer-sc-to-update.webp\" alt=\"azdo issuer sc to update image\" width=\"1145\" height=\"648\" class=\"aligncenter size-full wp-image-72953\" \/><\/a><\/p>\n<p>If you don\u2019t have access to the underlying identity and can\u2019t create a federated credential for the Microsoft Entra issuer, select the <strong>Create federated credential in<\/strong> link to create the federated credential and populate it with the issuer and subject manually:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2026\/06\/azdo-issuer-sc-update-manual-dual-arrows-scaled.webp\"><img data-opt-id=2002955039  data-opt-src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2026\/06\/azdo-issuer-sc-update-manual-dual-arrows-scaled.webp\"  decoding=\"async\" src=\"data:image/svg+xml,%3Csvg%20viewBox%3D%220%200%20100%%20100%%22%20width%3D%22100%%22%20height%3D%22100%%22%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Crect%20width%3D%22100%%22%20height%3D%22100%%22%20fill%3D%22transparent%22%2F%3E%3C%2Fsvg%3E\" alt=\"azdo issuer sc update manual dual arrows image\" width=\"2500\" height=\"1210\" class=\"aligncenter size-full wp-image-72995\" \/><\/a><\/p>\n<p>More information: <a href=\"https:\/\/learn.microsoft.com\/azure\/devops\/pipelines\/release\/convert-service-connections\">Workload identity federation issuer conversion<\/a><\/p>\n<h2>FAQ<\/h2>\n<p><strong>Q: Will my existing pipelines break immediately?<\/strong><br \/>\nA: No. Service connections that use the Azure DevOps issuer will continue to work until retirement on July 1, 2027. We recommend planning your conversion before then.<\/p>\n<p><strong>Q: How is the Microsoft Entra issuer different?<\/strong><br \/>\nA: The issuer is an implementation detail that\u2019s hidden during regular use. Pipeline tasks work the same and don\u2019t require changes. The Microsoft Entra issuer provides additional benefits by using Microsoft Entra-minted tokens and an immutable federation subject, so the federated credential is guaranteed to be used by the service connection it was created for.<\/p>\n<p><strong>Q: Can I use the Microsoft Entra issuer today?<\/strong><br \/>\nA: Yes. All new service connections created today use the Microsoft Entra issuer by default. You can also convert existing connections by following the steps above.<\/p>\n<p><strong>Q: Is there any downtime during the conversion, and how long does it take?<\/strong><br \/>\nA: During the conversion, the existing Azure DevOps issuer federated credential will continue to be used by pipelines that reference the service connection. After we verify that the new Microsoft Entra issuer federated credential works during conversion, pipeline jobs will start using the Microsoft Entra issuer.<\/p>\n<p><strong>Q: What if I have questions about the conversion?<\/strong><br \/>\nA: Please review <a href=\"https:\/\/learn.microsoft.com\/azure\/devops\/pipelines\/release\/convert-service-connections\">Workload identity federation conversion<\/a> and <a href=\"https:\/\/aka.ms\/azdo-rm-workload-identity-troubleshooting\">Workload identity federation troubleshooting<\/a>. You can also reach out to <a href=\"https:\/\/aka.ms\/AzureDevOpsSupport\">Azure DevOps Support<\/a> or visit the <a href=\"https:\/\/developercommunity.visualstudio.com\/\">Azure DevOps Developer Community<\/a>.<\/p>\n<p><strong>Q: I create service connections in automation and need to be able to know the federated credential subject before creating it.<\/strong><br \/>\nA: See <a href=\"https:\/\/aka.ms\/azdo-rm-workload-identity-automation\">Use scripts to automate workload identity service connections<\/a>.<\/p>\n<p><strong>Q: My Azure DevOps organization has an organization-wide exception to use multi-tenant apps to prevent the error <code>AADSTS70052: The identity must be a managed identity or a single tenant app<\/code>. What will happen?<\/strong><br \/>\nA: We\u2019re working on an experience that will provide a service connection-specific exception for multi-tenant apps instead. Until then, you will see no difference in experience.<\/p>\n<p>The post <a href=\"https:\/\/devblogs.microsoft.com\/devops\/retirement-of-azure-devops-issuer-in-workload-identity-federation-service-connections\/\">Retirement of Azure DevOps issuer in Workload identity federation service connections<\/a> appeared first on <a href=\"https:\/\/devblogs.microsoft.com\/devops\">Azure DevOps Blog<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>We are announcing the deprecation of the Azure DevOps issuer in workload identity federation (WIF) service connections, with planned retirement [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":4394,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4393","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4393","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=4393"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/4393\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media\/4394"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=4393"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=4393"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=4393"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}