Fix your failed Azure DevOps Release Pipeline if you get this error:

Error: Could not fetch access token for Azure. Verify if the Service Principal used is valid and not expired.

I had several Azure DevOps Release Pipelines suddenly start failing, even though they had worked for years. Digging into the release pipeline logs, I found this error:

##[error]Error: Failed to fetch App Service ‘myappservicename’ publishing credentials. Error: Could not fetch access token for Azure. Verify if the Service Principal used is valid and not expired. For more information refer https://aka.ms/azureappservicedeploytsg

That link takes you to a troubleshooting item on docs.microsoft.com that I didn’t find particularly helpful.

After googling a bit, I ran across this Visual Studio Developer Community thread, where I found a potential solution:

In fact, even the Preview allows to renew the service principal key. All you have to do is navigate to the service connection, click “Edit” in the upper right corner and then save without any changes.

Though I agree, that an “automatic” service connection should not ask the user to click save without any changes to renew credentials after a pipeline fails. That is not “automatic”, that’s still manual (wait for stuff to fail, then change nothing, save, works again).

Feels like booting into Windows safe mode after countless repair attempts. It just boots up, you change nothing, reboot to normal mode and it works again.

That eventually worked for me. Here is what I did:

1. In the DevOps project that is failing, navigate to Project settings.
2. In the left-hand menu, click Service connections.
3. From the list, select the service connection that is failing during the release pipeline.
4. In the upper right-hand part of the page, click Edit.
5. Ensure the proper Resource group is selected.
6. Click Save.
7. Refresh the page.
8. Click Edit again.
9. Click Verify to ensure the Service connection works.

On a few of my projects, I had to repeat the process of saving, refreshing, and verifying, but eventually verification succeeded.

Apparently you have to refresh your service connections periodically.