In most cases service connections in Azure DevOps are created in automatic mode (the Azure DevOps default). Strangely enough there is (currently) no option in the UI to set a new credential once the secret has expired; the only way in the UI is to create a new connection and delete the old one. The REST API does provide a way to update the credential, which I describe in the following.
- Get a PAT (personal access token) in Azure DevOps with the required permissions
- Add a new secret to the service principal
- Get the service connection details
- Take the relevant part of the details, update it, and send it back together with the new credential
For the whole process I use a simple Postman collection, which performs all required modifications.
This can be found here: Azure DevOps ServiceConnection.postman_collection.json
Get the personal access token
The PAT is created as usual (see „Use personal access tokens“ in the Azure DevOps documentation). For this admin task it may have full access, but a token scoped to „Service Connections (Read, query & manage)“ is sufficient and preferable: the PAT is itself a credential, and it should carry no more permissions than the job needs.
Set the created PAT as the collection variable DevOps PAT in Postman.
Add a new secret for the service principal
Open the service connections in the project settings and select the required service connection.
Use the link „Manage Service Principal“ in the details. This opens the related Azure AD app registration. Go to Certificates & secrets, add a new client secret and record the generated client secret value (it is shown only once). Set it as the Postman variable Client Credential.
Get the service connection details
Back in the service connection details, the URL should have the following format:
https://dev.azure.com/{{DevOps Organization }}/{{DevOps Project}}/_settings/adminservices?resourceId={{ServiceConnectionID}}
As shown, set the following Postman variables from the URL:
– DevOps Organization
– DevOps Project
– ServiceConnectionID
In addition set the variable ServiceConnection to the name as displayed in the details screen.
Once these variables are set, the Postman request „01 Get Endpoints“ returns the details of all service endpoints in the project.
Run the Postman request „02 Get Endpoint Detail“ to get all details for the service connection. The collection's script takes the response and applies the following changes:
– The mode of the connection is set to „Manual“ via data.creationMode
– The properties data.spnObjectId and data.appObjectId are removed, as they are not used in manual mode
The result is saved in the Postman variable EndPointBody.
Update the service connection credential
Finally run the Postman request „03 Update Service Connection“ (after the previous request has been executed). It uses the result from above as the body and adds the client credential; the GET response never returns the existing secret, so the credential always has to be supplied in the update.
To verify, go to the service connection details, choose edit and press Verify.
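The same three calls, scripted in Python with only the standard library, as an added example (this is not the Postman collection from the original post). The part worth seeing is the transformation of the GET response into the PUT body: creationMode flipped to Manual, spnObjectId and appObjectId dropped, and the new secret placed in authorization.parameters.serviceprincipalkey. It assumes the Service Endpoints REST API at api-version 7.1, where the update URL is organisation-scoped, and an „azurerm“ connection with the ServicePrincipal scheme; the endpoint JSON embedded below is a constructed sample, not a real response.

```python
"""Rotate the client secret of an Azure DevOps service connection via REST.

Added example, not the original post's Postman collection. Assumptions:
Service Endpoints API api-version 7.1 (update is organisation scoped) and a
service connection of type "azurerm" using the ServicePrincipal scheme.
"""
import base64
import copy
import json
import os
import urllib.request

API_VERSION = "7.1"  # assumption: current GA version of the Service Endpoints API


def auth_header(pat: str) -> dict:
    """Azure DevOps accepts a PAT as HTTP Basic auth with an empty user name."""
    token = base64.b64encode(f":{pat}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Content-Type": "application/json"}


def endpoint_urls(org: str, project: str, endpoint_id: str) -> dict:
    """List and get are project scoped; the update (PUT) is organisation scoped."""
    base = f"https://dev.azure.com/{org}"
    return {
        "list": f"{base}/{project}/_apis/serviceendpoint/endpoints?api-version={API_VERSION}",
        "get": f"{base}/{project}/_apis/serviceendpoint/endpoints/{endpoint_id}?api-version={API_VERSION}",
        "update": f"{base}/_apis/serviceendpoint/endpoints/{endpoint_id}?api-version={API_VERSION}",
    }


def build_update_body(endpoint: dict, client_secret: str) -> dict:
    """Turn a GET response into the PUT body that carries the new secret.

    - data.creationMode: Automatic -> Manual (Manual mode takes the secret we supply)
    - data.spnObjectId / data.appObjectId belong to Automatic mode and are dropped
    - the secret goes to authorization.parameters.serviceprincipalkey; the GET
      response never contains it, so it must be added here
    The input dict is left untouched.
    """
    if endpoint.get("authorization", {}).get("scheme") != "ServicePrincipal":
        raise ValueError("only ServicePrincipal (client secret) connections are handled")
    body = copy.deepcopy(endpoint)
    data = body.setdefault("data", {})
    data["creationMode"] = "Manual"
    for key in ("spnObjectId", "appObjectId"):
        data.pop(key, None)
    params = body["authorization"].setdefault("parameters", {})
    params["authenticationType"] = "spnKey"
    params["serviceprincipalkey"] = client_secret
    return body


def rotate_secret(org: str, project: str, endpoint_id: str, pat: str, client_secret: str) -> dict:
    """GET the endpoint, rewrite it, PUT it back. Returns the updated endpoint."""
    urls = endpoint_urls(org, project, endpoint_id)
    headers = auth_header(pat)
    with urllib.request.urlopen(urllib.request.Request(urls["get"], headers=headers)) as resp:
        current = json.load(resp)
    body = build_update_body(current, client_secret)
    req = urllib.request.Request(urls["update"], data=json.dumps(body).encode(),
                                 headers=headers, method="PUT")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample shaped like a GET response for an azurerm connection (not real data).
SAMPLE_ENDPOINT = {
    "id": "00000000-0000-0000-0000-000000000001",
    "name": "My Azure Subscription",
    "type": "azurerm",
    "url": "https://management.azure.com/",
    "data": {"environment": "AzureCloud", "scopeLevel": "Subscription",
             "subscriptionId": "00000000-0000-0000-0000-000000000002",
             "subscriptionName": "Dev", "creationMode": "Automatic",
             "spnObjectId": "00000000-0000-0000-0000-000000000003",
             "appObjectId": "00000000-0000-0000-0000-000000000004"},
    "authorization": {"scheme": "ServicePrincipal",
                      "parameters": {"tenantid": "00000000-0000-0000-0000-000000000005",
                                     "serviceprincipalid": "00000000-0000-0000-0000-000000000006",
                                     "authenticationType": "spnKey"}},
    "isShared": False, "isReady": True, "owner": "library",
    "serviceEndpointProjectReferences": [{"projectReference": {
        "id": "00000000-0000-0000-0000-000000000007", "name": "MyProject"},
        "name": "My Azure Subscription"}],
}

if __name__ == "__main__":
    # With ADO_ORG, ADO_PROJECT, ADO_ENDPOINT_ID, ADO_PAT and NEW_CLIENT_SECRET set,
    # perform the rotation; otherwise show the PUT body built from the sample.
    env = {k: os.environ.get(k) for k in
           ("ADO_ORG", "ADO_PROJECT", "ADO_ENDPOINT_ID", "ADO_PAT", "NEW_CLIENT_SECRET")}
    if all(env.values()):
        result = rotate_secret(env["ADO_ORG"], env["ADO_PROJECT"], env["ADO_ENDPOINT_ID"],
                               env["ADO_PAT"], env["NEW_CLIENT_SECRET"])
        print("updated:", result.get("name"), "creationMode:", result["data"].get("creationMode"))
    else:
        print(json.dumps(build_update_body(SAMPLE_ENDPOINT, "<new client secret>"), indent=2))
```

Run without environment variables to inspect the body that would be sent; the secret never appears in a URL and is only put in the request body, and the PAT travels in the Authorization header, so neither should be logged. As in the Postman flow, verify the connection afterwards in the UI.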
This article is based on the information found here: Azure DevOps: Update service connection expired secret – UseIT | Roman Levchenko (rlevchenko.com)
Next on the list to test is automatic secret rotation:
Implement automatic key rotation on Azure DevOps service connections | by Koos Goossens | Wortell | Medium