There’s a new version and a new task for our release pipelines that use the Azure-hosted agents. These changes have been introduced recently to support the new MSAL authentication libraries for the LCS service connection used to upload and deploy the deployable packages.

The current service connections use Azure Active Directory (Azure AD) Authentication Library (ADAL), and support for ADAL will end in June 2022.

This means that if we don’t update the Asset Upload and Asset Deployment to their new versions (1.* and 2.* respectively) the release pipelines could stop working after 30th June 2022.

I’d like to thank Joris de Gruyter for the tip, otherwise I couldn’t have written this post 😛

New MSAL task

There’s also a new task to add the support for MSAL authentication. This task will install the MSAL PowerShell libraries in your Microsoft-hosted agent, and you need to add it before any other task authenticates. Like this:

MSAL install task
MSAL install task

The task has no parameters or options that need to be filled, just add it to your release pipeline, and you’re done.

If you’ve got a multi-stage release pipeline, you have to add this new task to each stage where there’s an authentication step. For example, if you have a first stage that uploads the DP to LCS, and then another one that deploys it and doesn’t have the task, it will fail. This is at least true in projects with additional agents, I need to try it with a single agent project.

New Asset Upload and Deploy versions

To support the new MSAL authentication, the dev tools team at Microsoft have published new versions of both tasks.

Asset Upload

If you change the version of the Asset Upload task from 0.* to 1.* you’ll see no changes. The fields in the task are the same, but it will use MSAL as the new authentication method.

But wait, just changing the version won’t be enough, you need to create a new service connection to LCS because the authentication endpoint has changed to https://login.microsoftonline.com/organizations. This endpoint will be the one used, from now on, in all versions, the old ones and the new.

Here you can see the old service connection endpoint:

Old service connection
Old service connection

And the new one:

New service connection
New service connection

Asset Deployment

In the Asset Deployment task we now see three versions: 0.* which was the original one, 1.* which is the one that enabled support for self-service environments, and 2.* which is the new task that supports MSAL authentication.

If you’ve already created the service connection in the previous step, just change it to use the new one.

And what about self-hosted agents (build VM)?

I’m not sure. But probably just installing the MSAL.PS PowerShell library in your build VM will be enough, if it’s not there already.

Subscribe!

Receive an email when a new post is published

5 Comments

  1. Pingback: New Azure DevOps release tasks: MSAL authentication and ADAL deprecation - Dynamics 365 Finance Community

  2. Ananda Subramanian S Reply

    HI Ariste,

    Thanks for sharing this useful information. But I have one doubt regarding the last section, relating to self-hosted agents (build VM). Once when the Build Pipeline completes the Build VM doesn’t have any role to play in Release pipeline know, and hence do we really need to install those MSAL.PS Powershell library in Build VM. Having this doubt since this change mentioned here is confined only to Release pipeline right?

    • Adrià Ariste Santacreu Reply

      You’re totally right. But in case anybody is using a self-hosted agent they wouldn’t need to add the MSAL task to the pipelines if they install the PS library. But I haven’t tried so it’s just a guess.

  3. Zisis katsavelis Reply

    Thanks a lot, I run into it the other day and sort it out with a PowerShell step to install it, but now I have switched to the install MSAL task.Do you know if the all the related lcs tasks for the azure pipelines are opensourced somewhere? Tried to search on GitHub but no luck.

    • Adrià Ariste Santacreu Reply

      Hi Zisis, no, I’d say that they’re not open-source.

Write A Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

ariste.info