SPN Access Token sync delay - Azure (AAD)

Question

SPN Access Token sync delay - Azure (AAD)

Ash 125 Microsoft Employee

Hi everyone,

I'm encountering a puzzling issue in my Azure DevOps pipeline and would appreciate any insights or suggestions.

🔧 Setup Overview:

In the pipeline, I first run a custom .NET extension that fetches an Azure access token using Service Principal credentials (AppId, AppKey, TenantId). Here's a simplified snippet:

var spnAccessTokenResponse = await retryPolicy.ExecuteAsync(() =>
    azureTokenClient.TryFetchAzureAccessTokenUsingSPN(
        credentialFetchTaskReqResponse.TenantId,
        credentialFetchTaskReqResponse.AppId,
        credentialFetchTaskReqResponse.AppKey)).ConfigureAwait(false);

After successfully retrieving the token, I proceed to run an Azure PowerShell task using a service connection configured with the same SPN credentials.

⚠️ Problem:

Even though the token fetch succeeds in the .NET task, the Azure PowerShell task intermittently retries due to what appears to be an AAD sync delay.

🧪 What I've Tried:

Added retry logic with exponential backoff in the .NET code to improve resilience.PR - Aad Sync Issue - Adding retry to Get Credential... - DeploymentStd1B 4344234
Validated that the service connection is correctly configured and matches the SPN used in the code.
Confirmed that the token is valid and usable immediately after retrieval.

💡 Question:

Is there a known workaround or best practice to ensure that the Azure PowerShell task doesn’t hit these sync-related retries?

Any help or guidance would be greatly appreciated!.

Swaroop Kolli 3,505 Reputation points Microsoft External Staff Moderator

2025-07-30T05:16:25.6233333+00:00

Hello @Ash,

I understand that you are facing AAD Sync Delay when you run an Azure PowerShell task using a service connection configured with the same SPN credentials used with .net.

We are looking into this and will get back to you for further details if required.
Durga Reshma Malthi 9,840 Reputation points Microsoft External Staff Moderator

2025-07-31T07:50:43.17+00:00

Hi Ash

Just checking in to see if you had a chance to review the response provided to your question.

Feel free to reach out if you have any further queries.

And please share your Teams ID or email address so we can discuss this further.
Ash 125 Reputation points Microsoft Employee

2025-07-31T07:56:20.43+00:00

Thanks for your response @Durga Reshma Malthi

I'm currently trying to add a delay in the code to see if that helps. However, my main concern is this: if I’m able to successfully fetch the token using .NET code, why does fetching the token with the same credentials fail afterward?

This issue isn’t limited to .NET either. I’ve seen cases where the first Azure PowerShell task succeeds, but subsequent ones fail for same credentials. In some instances, even within the same PowerShell task, the token fetch works initially but then requires retries later on.

Could it be that the access token is being fetched from different partitions each time?
Durga Reshma Malthi 9,840 Reputation points Microsoft External Staff Moderator

2025-08-01T06:45:26.46+00:00

Hi Ash

Just checking in to see if you had a chance to review the response provided to your question.

Feel free to reach out if you have any further queries.

Could you let me know if you received my private message. Also, please share your Teams ID or email address so we can discuss further.
Ash 125 Reputation points Microsoft Employee

2025-08-01T07:58:14.6933333+00:00

Hey @Durga Reshma Malthi , thank you for your response and for explaining everything. Is there an alternative to avoid these retries, or is waiting until the secret has fully propagated across all partitions the only option?
In case we add a delay to allow the secret to percolate, what would be the maximum and average time it typically takes?
Durga Reshma Malthi 9,840 Reputation points Microsoft External Staff Moderator

2025-08-01T08:47:55.1633333+00:00
Hi Ash

Yes, there are few strategies that may help reduce or prevent retries but they are not guaranteed to completely mitigate this because Azure AD has distributed nature.

Fetch the token once via your .NET task and pass it to next tasks using secure pipeline variables or files.

If you are working on Azure hosted agents or if you are trying to deploy to AKS, App Service, etc., use Managed Identity or Workload Identity Federation.

If you're adding a delay, start with 30 to 60 seconds and monitor it. If retries persist, consider increasing to 2–5 minutes.

Hope this helps!

Please Let me know if you have any queries.
Durga Reshma Malthi 9,840 Reputation points Microsoft External Staff Moderator

2025-08-04T08:34:31.2366667+00:00

Hi Ash

Just checking in to see if you had a chance to review the response provided to your question.

Feel free to reach out if you have any further queries.
Durga Reshma Malthi 9,840 Reputation points Microsoft External Staff Moderator

2025-08-05T08:43:07.1266667+00:00

Hi Ash

Just checking in to see if you had a chance to review the response provided to your question.

Feel free to reach out if you have any further queries.

If you found the information helpful, please click "Upvote" on the post to let us know and consider accepting the answer as the token of appreciation. Thank You.
Durga Reshma Malthi 9,840 Reputation points Microsoft External Staff Moderator

2025-08-06T06:54:46.51+00:00

Hi Ash

Just checking in to see if you had a chance to review the response provided to your question.

Feel free to reach out if you have any further queries.

If you found the information helpful, please click "Upvote" on the post to let us know and consider accepting the answer as the token of appreciation. Thank You.
Ash 125 Reputation points Microsoft Employee

2025-08-06T07:01:31.7833333+00:00

@Durga Reshma Malthi I have tried your recommendation. It would take a week to be able to validate if the solution works when I have more data. I'll mark the answer as "Accepted Answer" post that.
Durga Reshma Malthi 9,840 Reputation points Microsoft External Staff Moderator

2025-08-12T07:55:18.2733333+00:00

Hi Ash

Could you please update us the latest status.

Feel free to reach out if you have any further queries.
Durga Reshma Malthi 9,840 Reputation points Microsoft External Staff Moderator

2025-08-13T04:26:32.53+00:00

Hi Ash

Could you please update us the latest status.

Feel free to reach out if you have any further queries.
Ash 125 Reputation points Microsoft Employee

2025-08-13T06:41:22.12+00:00

@Durga Reshma Malthi I see that the errors have instead increased.
Durga Reshma Malthi 9,840 Reputation points Microsoft External Staff Moderator

2025-08-13T06:43:44.3566667+00:00

Hi Ash

Could you please provide your teams id or email id in private message to discuss further

2 answers

Your answer

Swaroop Kolli 3,505 Reputation points Microsoft External Staff Moderator

2025-07-30T05:16:25.6233333+00:00

Hello @Ash,

I understand that you are facing AAD Sync Delay when you run an Azure PowerShell task using a service connection configured with the same SPN credentials used with .net.

We are looking into this and will get back to you for further details if required.
Durga Reshma Malthi 9,840 Reputation points Microsoft External Staff Moderator

2025-07-31T07:50:43.17+00:00

Hi Ash

Just checking in to see if you had a chance to review the response provided to your question.

Feel free to reach out if you have any further queries.

And please share your Teams ID or email address so we can discuss this further.
Ash 125 Reputation points Microsoft Employee

2025-07-31T07:56:20.43+00:00

Thanks for your response @Durga Reshma Malthi

I'm currently trying to add a delay in the code to see if that helps. However, my main concern is this: if I’m able to successfully fetch the token using .NET code, why does fetching the token with the same credentials fail afterward?

This issue isn’t limited to .NET either. I’ve seen cases where the first Azure PowerShell task succeeds, but subsequent ones fail for same credentials. In some instances, even within the same PowerShell task, the token fetch works initially but then requires retries later on.

Could it be that the access token is being fetched from different partitions each time?
Durga Reshma Malthi 9,840 Reputation points Microsoft External Staff Moderator

2025-08-01T06:45:26.46+00:00

Hi Ash

Just checking in to see if you had a chance to review the response provided to your question.

Feel free to reach out if you have any further queries.

Could you let me know if you received my private message. Also, please share your Teams ID or email address so we can discuss further.
Ash 125 Reputation points Microsoft Employee

2025-08-01T07:58:14.6933333+00:00

Hey @Durga Reshma Malthi , thank you for your response and for explaining everything. Is there an alternative to avoid these retries, or is waiting until the secret has fully propagated across all partitions the only option?
In case we add a delay to allow the secret to percolate, what would be the maximum and average time it typically takes?
Durga Reshma Malthi 9,840 Reputation points Microsoft External Staff Moderator

2025-08-01T08:47:55.1633333+00:00

Hi Ash

Yes, there are few strategies that may help reduce or prevent retries but they are not guaranteed to completely mitigate this because Azure AD has distributed nature.

Fetch the token once via your .NET task and pass it to next tasks using secure pipeline variables or files.

If you are working on Azure hosted agents or if you are trying to deploy to AKS, App Service, etc., use Managed Identity or Workload Identity Federation.

If you're adding a delay, start with 30 to 60 seconds and monitor it. If retries persist, consider increasing to 2–5 minutes.

Hope this helps!

Please Let me know if you have any queries.
Durga Reshma Malthi 9,840 Reputation points Microsoft External Staff Moderator

2025-08-04T08:34:31.2366667+00:00

Hi Ash

Just checking in to see if you had a chance to review the response provided to your question.

Feel free to reach out if you have any further queries.
Durga Reshma Malthi 9,840 Reputation points Microsoft External Staff Moderator

2025-08-05T08:43:07.1266667+00:00

Hi Ash

Just checking in to see if you had a chance to review the response provided to your question.

Feel free to reach out if you have any further queries.

If you found the information helpful, please click "Upvote" on the post to let us know and consider accepting the answer as the token of appreciation. Thank You.
Durga Reshma Malthi 9,840 Reputation points Microsoft External Staff Moderator

2025-08-06T06:54:46.51+00:00

Hi Ash

Just checking in to see if you had a chance to review the response provided to your question.

Feel free to reach out if you have any further queries.

If you found the information helpful, please click "Upvote" on the post to let us know and consider accepting the answer as the token of appreciation. Thank You.
Ash 125 Reputation points Microsoft Employee

2025-08-06T07:01:31.7833333+00:00

@Durga Reshma Malthi I have tried your recommendation. It would take a week to be able to validate if the solution works when I have more data. I'll mark the answer as "Accepted Answer" post that.
Durga Reshma Malthi 9,840 Reputation points Microsoft External Staff Moderator

2025-08-12T07:55:18.2733333+00:00

Hi Ash

Could you please update us the latest status.

Feel free to reach out if you have any further queries.
Durga Reshma Malthi 9,840 Reputation points Microsoft External Staff Moderator

2025-08-13T04:26:32.53+00:00

Hi Ash

Could you please update us the latest status.

Feel free to reach out if you have any further queries.
Ash 125 Reputation points Microsoft Employee

2025-08-13T06:41:22.12+00:00

@Durga Reshma Malthi I see that the errors have instead increased.
Durga Reshma Malthi 9,840 Reputation points Microsoft External Staff Moderator

2025-08-13T06:43:44.3566667+00:00

Hi Ash

Could you please provide your teams id or email id in private message to discuss further

Answer 1

Hi Ash

Could you please follow the below steps:

You can add this delay line in your above snippet, so it will help for AAD sync delays.
```
  await Task.Delay(TimeSpan.FromSeconds(10));
```
or alternatively, add some delay between the token retrieval in your .NET task and the execution of the azure PowerShell task.
```
  - task: PowerShell@2
    displayName: 'Delay'
    inputs:
      targetType: 'inline'
      script: 'Start-Sleep -Seconds 20'
```
This will help for AAD sync delays
Also ensure that the service connection in Azure DevOps is configured to use the same credentials as the SPN used in your .NET code.

Hope this helps!

Please Let me know if you have any queries.

Answer 2

Hi Ash

It could be due to some of the below reasons:

Access tokens have a limited lifespan typically like 1 hour. If your pipeline runs multiple tasks that require authentication, it's possible that the token fetched initially is still valid for the first task but expires by the time subsequent tasks are executed. This could lead to failures in those later tasks if they attempt to use an expired token.
As you mentioned, AAD can experience replication delays. When you create or modify service principals, it may take some time for those changes to propagate across all AAD partitions. If your .NET code successfully fetches a token immediately after a change, but the Azure PowerShell task runs shortly after, it might hit a partition that hasn't yet received the updated information.
Yes, the access token is being fetched from different partitions each time because Azure AD is distributed and does not guarantee instant consistency across partitions.
And also even though your .NET task gets a valid token, a subsequent PowerShell task might hit a different partition that hasn't fully synced yet.

Hope this helps!

Please Let me know if you have any queries.

Share via

SPN Access Token sync delay - Azure (AAD)

2 answers

Your answer