[BUG]: AzurePowershell exits if Workload Identity Federation fails to fetch token the first time

[HarryGwinnell]

New issue checklist

• I searched for existing GitHub issues
• I read pipeline troubleshooting guide
• I checked how to collect logs

Task name

AzurePowershell

Task version

5.257.0

Issue Description

We're seeing an issue with our AzurePowershell@5 ADO tasks exiting prematurely when the task fails to get a Workload Identity Federation token on the first attempt. We're hitting this quite frequently, and it's fairly sporadic (probably due to the nature of this being retry based). It's hitting multiple times per week, and at worst we've seen this 50+ times in a week.

Given the error snippet below and looking at the code:

VERBOSE: Removing assemlby resolver.
VERBOSE: SYSTEM_PLANID: '394eeaf6-2faa-4b94-a012-4767dfd29c6c'
VERBOSE: SYSTEM_JOBID: '339dd970-ef3f-5f5c-e5b6-c56c83629183'
VERBOSE: SYSTEM_HOSTTYPE: 'build'
VERBOSE: SYSTEM_TEAMPROJECTID: 'f91058ab-8cee-4376-891c-9bf45b71733c'
VERBOSE: Failed to fetch federated token. Remaining retries count = '2'
VERBOSE: Leaving Initialize-AzModule.
An error occurred in Initialize-AzModule

I'm assuming that we're failing to get the token on the first attempt, then succeeding on the second (since the log doesn't show any other retries, nor does the Failed to create OIDC token. line appear.)

azure-pipelines-tasks/Tasks/Common/VstsAzureHelpers_/Utility.ps1

Lines 248 to 270 in 000e8ee

	$timeToWait = 4000
	for (($retryAttempt = 1), ($retryLimit = 3); $retryAttempt -le $retryLimit; $retryAttempt++) {
	$tokenResponse = $taskHttpClient.CreateOidcTokenAsync(
	$projectId,
	$hub,
	$planId,
	$jobId,
	$connectedServiceNameARM,
	$null
	).Result
	$federatedToken = $tokenResponse.OidcToken
	if ($null -ne $federatedToken) {
	return $federatedToken
	}
	if ($retryAttempt -lt $retryLimit) {
	Write-Verbose "Failed to fetch federated token. Remaining retries count = '$($retryLimit - $retryAttempt)'"
	Start-Sleep -m $timeToWait * $retryAttempt
	}
	}
	Write-Verbose "Failed to create OIDC token."
	throw (New-Object System.Exception(Get-VstsLocString -Key AZ_CouldNotGenerateOidcToken))

Given that we should have a token at this point, we'd expect the log to continue with the lines Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue, but instead it just leaves the module and throws an error.

azure-pipelines-tasks/Tasks/Common/VstsAzureHelpers_/InitializeAzModuleFunctions.ps1

Lines 382 to 388 in 000e8ee

	$clientAssertionJwt = Get-VstsFederatedToken -serviceConnectionId $connectedServiceNameARM -vstsAccessToken $vstsAccessToken `
	-azAccountsModuleVersion $azAccountsModuleVersion -isPSCore $isPSCore
	Write-Host "##[command]Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue"
	$null = Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue
	Write-Host "##[command]Clear-AzContext -Scope Process"
	$null = Clear-AzContext -Scope Process

I can't see anything obvious that would be causing this, but we could use some help with this.

Environment type (Please select at least one enviroment where you face this issue)

• Self-Hosted
• Microsoft Hosted
• VMSS Pool
• Container

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operation system

Windows Server 2025

Relevant log output

VERBOSE: Removing assemlby resolver.
VERBOSE: SYSTEM_PLANID: '394eeaf6-2faa-4b94-a012-4767dfd29c6c'
VERBOSE: SYSTEM_JOBID: '339dd970-ef3f-5f5c-e5b6-c56c83629183'
VERBOSE: SYSTEM_HOSTTYPE: 'build'
VERBOSE: SYSTEM_TEAMPROJECTID: 'f91058ab-8cee-4376-891c-9bf45b71733c'
VERBOSE: Failed to fetch federated token. Remaining retries count = '2'
VERBOSE: Leaving Initialize-AzModule.
An error occurred in Initialize-AzModule

Full task logs with system.debug enabled

output.log

Repro steps

Bit tough to reproduce

Setup a Workload Identity Federation ARM Service Connection
Have a pipeline use an AzurePowershell@5 task using the above service connection
The task can run anything (i.e. `Write-Host 'hello world'`)
Have the token acquisition in `Get-VstsFederatedToken` fail on the first attempt, then succeed on the second attempt

[v-vinaykoora]

@HarryGwinnell Thanking for reaching out on this issue.

1. We have tried to repo the issue, but we have not observed this error

Failed to fetch federated token. Remaining retries count = '2'

Could you please verify whether the service connection is active and also verify any other task using the same service connection and let us know on it.

2. Could you please try run the azure powershell task with Microsoft hosted agent and let us know the update, we tried with Microsoft hosted and it ran with out any errors

[v-vinaykoora]

@HarryGwinnell : Any update on this request

[v-vinaykoora]

@HarryGwinnell : Any update on this request

[HarryGwinnell]

We're still seeing this issue as recently as today. As noted above, it's highly transient and hard to reproduce.

We can't use Microsoft Hosted Agents as they're not allowed, but this reproduces on 1ES Agents and Self Hosted pools.

[v-vinaykoora]

@HarryGwinnell Thanks for the response. Can you please share us the error log which you have encountered today. We have tried with self hosted pool as well, but we have not encountered the error which you have seen.

Please let us know your availability timings, so that we can connect and look into your issue.

We work from 09:00 AM IST to 07:00 PM IST timings

[HarryGwinnell]

The error log is below. I'm available 9am - 5pm BST

2025-08-18T22:28:09.5045826Z ##[section]Starting: Log Analytics Variables MSIT
2025-08-18T22:28:09.5051988Z ==============================================================================
2025-08-18T22:28:09.5052085Z Task : Azure PowerShell
2025-08-18T22:28:09.5052138Z Description : Run a PowerShell script within an Azure environment
2025-08-18T22:28:09.5052207Z Version : 5.260.0
2025-08-18T22:28:09.5052271Z Author : Microsoft Corporation
2025-08-18T22:28:09.5052320Z Help : https://aka.ms/azurepowershelltroubleshooting
2025-08-18T22:28:09.5052379Z ==============================================================================
2025-08-18T22:28:10.4693283Z AZUREPS_HOST_ENVIRONMENT: ADO/AzurePowerShell@v5_Windows_NT_fastbuild_prod_1espool_pme 4_test.build.pipeline_498462__
2025-08-18T22:28:10.5574429Z Generating script.
2025-08-18T22:28:10.5889660Z ========================== Starting Command Output ===========================
2025-08-18T22:28:10.6123285Z ##[command]"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command ". 'D:\a_work_temp\65ab9e11-3da0-4035-bafa-9f6a38a1f906.ps1'"
2025-08-18T22:28:11.5368914Z Added TLS 1.2 in session.
2025-08-18T22:28:11.6888308Z ##[command]Import-Module -Name C:\Program Files\WindowsPowerShell\Modules\Az.Accounts\5.2.0\Az.Accounts.psd1 -Global
2025-08-18T22:28:13.0554998Z ##[command]Update-AzConfig -CheckForUpgrade False -AppliesTo Az -Scope Process
2025-08-18T22:28:13.1967761Z
2025-08-18T22:28:13.2699345Z ##[command]Get-AzConfig -AppliesTo Az
2025-08-18T22:28:13.3109553Z ##[command]Update-AzConfig -DisplayBreakingChangeWarning False -AppliesTo Az -Scope Process
2025-08-18T22:28:13.3269123Z ##[command]Enable-AzureRmAlias -Scope Process
2025-08-18T22:28:16.5522365Z An error occurred in Initialize-AzModule
2025-08-18T22:28:18.2665084Z ##[error]The term 'Resolve-Error' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
2025-08-18T22:28:18.3947294Z ##[error]PowerShell exited with code '1'.
2025-08-18T22:28:18.5559706Z Added TLS 1.2 in session.
2025-08-18T22:28:19.9187931Z ##[command]Disconnect-AzAccount -Scope CurrentUser -ErrorAction Stop
2025-08-18T22:28:20.1086025Z ##[command]Disconnect-AzAccount -Scope Process -ErrorAction Stop
2025-08-18T22:28:20.1281770Z ##[command]Clear-AzContext -Scope Process -ErrorAction Stop
2025-08-18T22:28:20.4273494Z ##[section]Finishing: Log Analytics Variables MSIT

[v-vinaykoora]

@HarryGwinnell : Thanks for sharing the error log. From the log, we can see below error and we are not seeing this error "VERBOSE: Failed to fetch federated token. Remaining retries count = '2'"

2025-08-18T22:28:16.5522365Z An error occurred in Initialize-AzModule
2025-08-18T22:28:18.2665084Z ##[error]The term 'Resolve-Error' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

For "Resolve-Error", we have an ongoing bug for this and we have rolled out the fix for this issue and waiting for the deployments to complete. We will let you know after completion of the deployments on all rings and also let us know if you have any other queries.

Here is the bug details:

Bug 2226138: GITHUB [REGRESSION]: AzurePowerShell stopped working with 'Resolve-Error' not recognized. #20581

[v-vinaykoora]

Due to lack response from the customer and we have rolled out the fix under the mentioned bug, proceeding with closure of it