Intune App Factory – Fix Could not fetch access token for Azure

Intune App Factory was originally developed and instructions for how to set it up were written when Azure DevOps didn’t support Managed Identities or Workload identity federation. However, recently, users of Intune App Factory may have noticed that the pipeline would immediately fail on the first step, with an error similar to the following:

Further investigating this, you should also see that there’s an error when attempting to retrieve the secrets of the Key Vault in the Library variable group named KeyVault:

This error is related to the Service Connection that’s setup in Azure DevOps, to Azure Resource Manager, where it’s not able to use the provided credentials from the App Registration and it’s client secret.

How can we restore access to Azure Resource Manager?

From within the Project in Azure DevOps, where the Intune App Factory is running, click on Project Settings in the left corner at the bottom and browse to Service Connections.

Here, we can see that there’s a security related notification that is asking us to convert an existing Azure Resource Manager service connection, by enabling Workload identity federation instead of making use of a client secret.

Click on the service connection.

Another notification appears right at the top, where we’re given an Convert button.

But before we click on the Convert button, we must update the service principal (App Registration) in the Azure portal. Browser to and open the Microsoft Entra ID blade. Go to App registration and search for the service principal. It’s important that you ensure you make the following changes on the correct service principal, to not cause service interruption.

You can verify that the Application (client) ID identifier from the Azure portal, is the same that’s mentioned for the service connection in Azure DevOps, under the Application (Client) ID field for Authentication conversion:

When the correct service principal is found, click on it and then go to the Certificates & secrets blade. Click on the Federated credentials tab and click Add credential.

Select Other issuer as Federated credential scenario. In the Connect your account section, copy and paste the Issuer and Subject Identifier from the Authentication conversion section of the service connection in the Azure DevOps portal. Provide a name for this credential, e.g. some that is distinctive for its usage.

Click Add.

Back in the Azure DevOps portal, click Convert.

This brings up a warning about client secrets for this service principal (App Registration), will be removed, which is fine. We want to remove and stop using the client secret and convert the service connection into a Workload identity federation service connection instead, using the same service principal.

Click on Convert again.

After a while, once the conversion completes, verify that the service connection is now setup as using workload identity federation:

And with that, the issue is fixed! Verify it by executing the pipeline manually, and you should see that the “Download secrets: <KeyVaultName>” steps are now working again.

Nickolaj Andersen

Chief Technical Architect and Enterprise Mobility MVP since 2016. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows devices and deployments including automation. Awarded as PowerShell Hero in 2015 by the community for his script and tools contributions. Creator of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd, ConfigMgr WebService to name a few. Frequent speaker at conferences such as Microsoft Ignite, NIC Conference and IT/Dev Connections including nordic user groups.

Add comment


Categories use cookies to ensure that we give you the best experience on our website.