There’s a new version and a new task for our release pipelines that use the Azure-hosted agents. These changes have been introduced recently to support the new MSAL authentication libraries for the LCS service connection used to upload and deploy the deployable packages.

The current service connections use Azure Active Directory (Azure AD) Authentication Library (ADAL), and support for ADAL will end in June 2022.

This means that if we don’t update the Asset Upload and Asset Deployment to their new versions (1.* and 2.* respectively) the release pipelines could stop working after 30th June 2022.

I’d like to thank Joris de Gruyter for the tip, otherwise I couldn’t have written this post 😛

New MSAL task

If you don’t add this task to your pipeline, you’ll get the error: [error]The specified module ‘MSAL.PS’ was not loaded because no valid module file was found in any module directory.

There’s also a new task to add the support for MSAL authentication. This task will install the MSAL PowerShell libraries in your Microsoft-hosted agent, and you need to add it before any other task authenticates. Like this:

MSAL install task
MSAL install task

The task has no parameters or options that need to be filled, just add it to your release pipeline, and you’re done.

If you’ve got a multi-stage release pipeline, you have to add this new task to each stage where there’s an authentication step. For example, if you have a first stage that uploads the DP to LCS, and then another one that deploys it and doesn’t have the task, it will fail. This is at least true in projects with additional agents, I need to try it with a single agent project.

New Asset Upload and Deploy versions

To support the new MSAL authentication, the dev tools team at Microsoft have published new versions of both tasks.

Asset Upload

If you change the version of the Asset Upload task from 0.* to 1.* you’ll see no changes. The fields in the task are the same, but it will use MSAL as the new authentication method.

But wait, just changing the version won’t be enough, you need to create a new service connection to LCS because the authentication endpoint has changed to https://login.microsoftonline.com/organizations. This endpoint will be the one used, from now on, in all versions, the old ones and the new.

Here you can see the old service connection endpoint:

Old service connection
Old service connection

And the new one:

New service connection
New service connection

Caution! If you’re using any of the LCS geos, like Europe, Norway, South Africa, etc. the endpoints need to reflect that as described in the table:

GeographyLifecycle Services portalLifecycle Services API endpointEnvironment URL
United Stateshttps://lcs.dynamics.com/https://lcsapi.lcs.dynamics.comhttps://NAME.operations.dynamics.com/
Europehttps://eu.lcs.dynamics.com/https://lcsapi.eu.lcs.dynamics.comhttps://NAME.operations.eu.dynamics.com/
Francehttps://fr.lcs.dynamics.com/https://lcsapi.fr.lcs.dynamics.comhttps://NAME.operations.fr.dynamics.com/
Norwayhttps://no.lcs.dynamics.com/https://lcsapi.no.lcs.dynamics.comhttps://NAME.operations.no.dynamics.com/
South Africahttps://sa.lcs.dynamics.com/https://lcsapi.sa.lcs.dynamics.comhttps://NAME.operations.sa.dynamics.com/
Switzerlandhttps://ch.lcs.dynamics.com/https://lcsapi.ch.lcs.dynamics.comhttps://NAME.operations.ch.dynamics.com/
United Arab Emirateshttps://uae.lcs.dynamics.com/https://lcsapi.uae.lcs.dynamics.comhttps://NAME.operations.uae.dynamics.com/

Asset Deployment

In the Asset Deployment task we now see three versions: 0.* which was the original one, 1.* which is the one that enabled support for self-service environments, and 2.* which is the new task that supports MSAL authentication.

If you’ve already created the service connection in the previous step, just change it to use the new one.

And what about self-hosted agents (build VM)?

I’m not sure. But probably just installing the MSAL.PS PowerShell library in your build VM will be enough, if it’s not there already.

Latest MSAL.PS task version 1.0.1572609 (January 2024) #

If you’re getting an error in the Asset Upload task: “The underlying connection was closed: An unexpected error occurred on a receive.”, make sure to update your pipeline agent specification to windows-2022:

Agent specification change to windows-2022

This will fix the issue!

Subscribe!

Receive an email when a new post is published
Author

Microsoft Dynamics 365 Finance & Operations technical architect and developer. Business Applications MVP since 2020.

8 Comments

  1. Ananda Subramanian S Reply

    HI Ariste,

    Thanks for sharing this useful information. But I have one doubt regarding the last section, relating to self-hosted agents (build VM). Once when the Build Pipeline completes the Build VM doesn’t have any role to play in Release pipeline know, and hence do we really need to install those MSAL.PS Powershell library in Build VM. Having this doubt since this change mentioned here is confined only to Release pipeline right?

    • Adrià Ariste Santacreu Reply

      You’re totally right. But in case anybody is using a self-hosted agent they wouldn’t need to add the MSAL task to the pipelines if they install the PS library. But I haven’t tried so it’s just a guess.

      • Ananda Subramanian S Reply

        Hi Ariste,

        I do have both the scenarios. For one my project I use Self hosted Build VM as agent and my other project is with Azure hosted pipeline. Made an interesting observation with Self hosted agent. I just added this “Install MSAL.PS to enable authentication” in both my LCS Asset upload and also in LCS Asset Deploy stages. But the automatic deployment was getting rolled back without much information in LOG. Post I had installed MSAL.PS in my Self-hosted Build VM agent, it is succeeding now without any issues. So I had concluded that for Self-hosted pipelines, installing the MSAL.PS in Build VM and then changing the Release pipeline helps. Raised a Support incident with MS and confirmed this with MS support engineer too.

  2. Zisis katsavelis Reply

    Thanks a lot, I run into it the other day and sort it out with a PowerShell step to install it, but now I have switched to the install MSAL task.Do you know if the all the related lcs tasks for the azure pipelines are opensourced somewhere? Tried to search on GitHub but no luck.

    • Adrià Ariste Santacreu Reply

      Hi Zisis, no, I’d say that they’re not open-source.

  3. Hi Ariste,

    Ignore the previous message please and remove it – can you explain why this error occurs when I try to use Dynamics Lifecycle Services (LCS) Asset Upload, task version 1.*:

    2021-12-22T19:15:17.4446006Z MSAL Authentication
    2021-12-22T19:15:19.3808163Z ##[error]There was an error parsing WS-Trust response from the endpoint. This may occur if there is an issue with your ADFS configuration. See https://aka.ms/msal-net-iwa-troubleshooting for more details. Error Message: Federated service at https://autologon.microsoftazuread-sso.com/ieg.directory/winauth/trust/2005/usernamemixed?client-request-id=daeeaa4c-6d78-4a7b-90b1-d9a65287716f returned error: Authentication Failure
    2021-12-22T19:15:19.4812465Z ##[section]Finishing: Upload Main_21.12.22.12 to project IEG

    I have AAD App registration with LCS permission granted.

    What could be the issue?

    Thanks

Write A Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

ariste.info