Posts

Solving Azure DevOps Workload Identity Federation service connection 50 minute time-out error

When connecting to external resources like Azure Resource Manager you will need a service connection in Azure DevOps. Normally I utilize a service principal for this purpose. The certificate issued by Microsoft Entra ID was normally valid for two years but Microsoft changed this to three months in the release of January 18th and is promoting the usage of Workload identity federation (WIF). When testing this WIF based service connection I noticed that the OIDC token is only valid for about 50 minutes. This time is too short for the PowerShell script I use to monitor the Azure Image Builder image builds. These image build processes can take up to four hours but now fail with an error message like the one below.

A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS700024: Client as

Recent posts

Solve code coverage issue with Azure Functions

I tried to execute code coverage for an Azure Function project with the Coverlet NuGet package. When running the unit test phase I received the following error message and no code coverage file was generated for the Azure Function project.

Data collector 'XPlat code coverage' message: [coverlet]System.TypeLoadException: Could not load type 'Microsoft.Extensions.DependencyInjection.ServiceCollection' from assembly 'Microsoft.Extensions.DependencyInjection.Abstractions, Version=5.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60'.
   at Coverlet.Collector.DataCollection.CoverletCoverageCollector.GetDefaultServiceCollection(TestPlatformEqtTrace eqtTrace, TestPlatformLogger logger, String testModule)
   at Coverlet.Collector.DataCollection.CoverletCoverageCollector.OnSessionStart(Object sender, SessionStartEventArgs sessionStartEventArgs) in /_/src/coverlet.collector/DataCollection/CoverletCoverageCollector.cs:line 135.

To solve this issue you have to add the

How to control the 'Propagate Default Route' setting of an Azure VHub Network Connection from code

Using Azure Virtual WAN for your hub/spoke network and want to know how to control the 'Propagate Default Route' setting on an Azure VHub Network Connection via code? Modifying this setting via the UI is easy. Go to the specific virtual network connection in the Virtual network connections setting of the Virtual WAN and change the value from Enable to Disable or vice versa. How to do this via code was a mystery for me until I consulted Microsoft support. If you consult the documentation for maintaining the virtual hub network connection you don't find a setting named 'Propagate Default Route' or a mention in the description about it.

ARM / Bicep - Hub virtual network connections
PowerShell - New-AzVirtualHubVnetConnection
Azure CLI - az network vhub connection

Microsoft Support explained that the attribute enableInternetSecurity, with description 'Enable internet security.', is actually controlling the behavior of the option 'Propagate Default Ro

Azure Login fails with ERR_SSL_PROTOCOL_ERROR

When you try to log in to Azure (Azure CLI / Visual Studio Code) it will not succeed in Chrome. After the authentication phase your browser will be redirected to an HTTPS localhost URI. The browser will respond with the following message.

This site can’t provide a secure connection
localhost sent an invalid response.
Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR

This behavior is caused by an HTTPS policy within Chrome. To remove this policy you will have to do the following: Go to chrome://net-internals/#hsts. Under Delete domain security policies, fill in localhost and click Delete.

AdvancedSchedule generates error when using monthDays for new schedule

If I want to deploy a monthly schedule on, for example, the last day of the month I encounter an error message when I use the REST API or the ARM template. The body of the REST API for creating schedules I used looks like this:

{ "name": "demoSchedule", "properties": { "startTime": "2022-05-07T22:00:00+02:00", "interval": 1, "frequency": "Month", "advancedSchedule": { "weekDays": [], "monthDays": [ -1 ], "monthlyOccurrences": [] } } }

When I execute this REST call I receive the following error message:

{ "code": "BadRequest", "message": "Argument requestScheduleData with value Orchestrator.Schedules.DataAccess.Models.ScheduleAllData is not valid. Error message: The input value is not valid for Monthly Schedule Type" }

After spending a lot of time on trial & error I

Assign role assignments by name in ARM templates

When you want to do a role assignment to a principal in an ARM template you will use code like the one below. In this example the role definition is actually the object id of the role. If you want to assign the contributor role you will use the value 'b24988ac-6180-42a0-ab88-20f7382dd24c'. You also have to specify the id of the principal so you will have to retrieve that value yourself upfront.

{ "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2020-04-01-preview", "name": "[guid(parameters('roleAssignmentName'))]", "properties": { "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]", "principalId": "[parameters('principalId')]", "scope": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', parameters(

Permanently delete an AD object

At the moment I am busy with PowerShell DSC scripts that also create objects within the Active Directory. Because it's work in progress you have to delete those objects regularly. Within this sandbox environment the recycle bin feature is enabled so the objects are kept for 30 days. To permanently delete such objects (so you have a clean testing situation) you can use the following PowerShell command.

Get-ADObject -filter {sAMAccountName -eq "<name of object>$"} -includeDeletedObjects -property * | Remove-ADObject