Deployment from Team Foundation Server to Azure US Government Cloud fails and you cannot update a resource

Applies to: TFS 2017TFS 2018

Symptoms


When you try to update a resource in Microsoft Azure US Government Cloud, you may receive the following errors because the deployments that are started by using releases on Team Foundation servers may fail.

Could not fetch access token for Azure.

Failed to obtain the Json Web Token (JWT) for service principal id 'ServicePrincipalID'. Exception Message: AADSTS90038: Confidential Client is not supported in Cross Cloud request.

Cause


The AAD authority URL for Azure US Government Cloud has been changed from login-us.microsoftonline.com to login.microsoftonline.us. During the deployment, the release tries to fetch the access token to authenticate the update. The built-in deployment tasks query the old URL for access token and fail.

Resolution


To fix this issue, follow these steps:

  1. Download the Azure extension VSIX file accordingly:

  2. Run command prompt with the administrative credentials by using the TFS administrator account, then upload the extension to the Team Foundation servers by using the following command accordingly:

    • For TFS 2017

      "C:\Program Files\Microsoft Team Foundation Server 15.0\Tools\TfsConfig.exe" publishextension /vsixfilepath:"<Azure VSIX File path>"

    • For TFS 2018

      "C:\Program Files\Microsoft Team Foundation Server 2018\Tools\TfsConfig.exe" publishextension /vsixfilepath:"<Azure VSIX File path>"

Note You do not have to restart any Team Foundation server or computer after the extension is applied.