Intermittent token acquisition failure - "Could not fetch access token for Azure" #5475
Description
We are facing intermittent failures in token acquisition via MSAL when running Azure DevOps pipelines that deploy Web Apps using the AzureRmWebAppDeployment@5 task.
Until September 5, 2025, all pipelines were working fine. Starting from the evening of September 8, 2025, we began observing random failures during pipeline execution.
The error observed in the Azure DevOps logs is:
Error: Failed to get resource ID for resource type 'Microsoft.Web/Sites'
and resource name 'fractal-cdtsols-dev-test-app'.
Error: Could not fetch access token for Azure.
Status code: network_error, status message: Network request failed
From the MSAL logs, it is clear that the failure happens during the AcquireTokenForClient flow. MSAL attempts retries (3 times), but every retry ends with network_error. Example log fragment:
{
"apiId": "AcquireTokenForClient",
"authority": "https://login.microsoftonline.com/{tenantId}/",
"scopes": ["https://management.azure.com//.default"],
"error": "network_error",
"statusMessage": "Network request failed"
}
Key points:
-
Pipelines are using a Service Principal–based service connection (ConfidentialClientApplication).
-
Scopes requested: https://management.azure.com//.default
-
The service connection credentials are valid (client secret not expired).
-
Tokens can sometimes be fetched successfully, and sometimes not — indicating inconsistent / intermittent behavior.
-
Re-running the same pipeline may succeed, then fail again after a few hours.
-
The same issue occurs across multiple pipelines (classic and YAML), all using the same Service Principal.
-
We tested with a new service connection (new app registration + client secret), but the same behavior persists.
We also tried running the pipeline from an Incognito browser session; once it worked, but after 2–3 hours the error returned. This rules out a pure browser cache issue.
Failure logs are attached below:
test_app.txt