Azure DevOps OIDC token requests failing for service connections used via AzurePipelinesCredential #2012

@lbussell

As of 2026-03-11, pipelines using AzurePipelinesCredential to authenticate to Azure are failing with OIDC token errors. No pipeline or service connection configuration was changed - this appears to be a change in Azure DevOps behavior.

Azure.Identity.AuthenticationFailedException: OIDC token not found in response.
See the troubleshooting guide for more information.
https://aka.ms/azsdk/net/identity/azurepipelinescredential/troubleshoot
Response= {
  "count": 151,
  "value": "There is no explicit reference to service connection 00000000-0000-0000-0000-000000000000
    from current stage <StageName>.<JobName>.__default."
}

All image imports fail - no images are successfully copied. Both CheckBaseImages and CheckBaseImages_BuildTools jobs are affected.

Azure DevOps probably changed how it scopes OIDC token requests. The error message suggests that service connections must now be referenced from the stage that requests the token, not just from a separate setup stage earlier in the pipeline. Currently, service connections are referenced via AzureCLI@2 in SetupServiceConnectionsStage, but stages like CheckBaseImages use PowerShell@2 tasks that rely on SYSTEM_ACCESSTOKEN/SYSTEM_OIDCREQUESTURI environment variables without directly referencing the service connection.

We should probably add service connection references within each stage/job that needs them, using the existing publishConfig.RegistryAuthentication lookup pattern, scoped to the registries each job actually uses.
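As an added example (not part of the issue or the repository's code): a Python triage script that reads failed-job logs and lists, per stage and job, which service connection IDs the OIDC endpoint reported as unreferenced. This is the per-job list the proposed fix needs. The message format is taken from the error quoted above; the sample log, its GUIDs and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Message format as quoted in the issue's error response. The scope is
# "<stage>.<job>.<phase>" followed by a sentence-ending period.
_MISSING_REF = re.compile(
    r"no explicit reference to service connection ([0-9a-f-]{36}) "
    r"from current stage ([\w<>.-]+)",
    re.IGNORECASE,
)

def missing_references(log_text):
    """Map (stage, job) -> sorted service connection ids lacking a reference."""
    # The message may be wrapped across lines in the log; collapse whitespace.
    flat = " ".join(log_text.split())
    found = defaultdict(set)
    for conn, scope in _MISSING_REF.findall(flat):
        parts = scope.rstrip(".").split(".")
        stage = parts[0]
        job = parts[1] if len(parts) > 1 else ""
        found[(stage, job)].add(conn.lower())
    return {key: sorted(ids) for key, ids in sorted(found.items())}

# Constructed sample log: stage/job names come from the issue text,
# the GUIDs are placeholders.
SAMPLE_LOG = """\
Azure.Identity.AuthenticationFailedException: OIDC token not found in response.
Response= { "count": 151, "value": "There is no explicit reference to service connection 11111111-1111-1111-1111-111111111111
    from current stage CheckBaseImages.CheckBaseImages.__default." }
Response= { "value": "There is no explicit reference to service connection 22222222-2222-2222-2222-222222222222 from current stage CheckBaseImages.CheckBaseImages_BuildTools.__default." }
Response= { "value": "There is no explicit reference to service connection 11111111-1111-1111-1111-111111111111 from current stage CheckBaseImages.CheckBaseImages_BuildTools.__default." }
"""

if __name__ == "__main__":
    for (stage, job), conns in missing_references(SAMPLE_LOG).items():
        print(f"{stage} / {job}: add explicit references for")
        for conn in conns:
            print(f"  - {conn}")
```

Each job in the output gets references only for the connections listed under it, which keeps the scoping as narrow as the failures require.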

Status: Done