If you’re reading this post, you’re trying to find a way to edit an existing service connection with a new service principal secret/key.
It’s a weird that UI and devops cli don’t allow us to quickly change service connection details if it was created automatically by Azure DevOps (“creationMode”: “Automatic”; will talk about it a bit later).
So, how to change a secret? Answer: Azure DevOps REST API.
Note: if you have correct permissions, try out the steps at the bottom of the post. The steps below are for those who don’t have Owner permissions.
- Create a new Personal Access Token (full access and all scope, expiration 1 day)
- Go to Project Settings – Service Connections, choose your connection and click on Manage Service Principal. Add a new secret and note it’s value.
- Choose a tool to work with REST API. It could be either PowerShell or Postman, for instance. I will show both.
- [Postman] Install Postman and create a new HTTP Request
- [Postman] Go to Authorization and paste PAT token to the password field
- [Postman] Using the following GET request, get a service endpoint details in JSON format. Organization Name, Project Name and Endpoint Name are parts of the URI (can be taken from service connections list in the azure devops ui) :
https://dev.azure.com/<orgName>/<ProjectName>/_apis/serviceendpoint/endpoints?endpointNames=<Endpoint Name> &api-version=6.0-preview.4
- [Postman] Copy everything from the response under the value as shown below
{
"data": {
"subscriptionId": "",
"subscriptionName": "",
"environment": "AzureCloud",
"scopeLevel": "Subscription",
"creationMode": "Automatic",
"azureSpnRoleAssignmentId": ""
},
...............
}
]
}
- [Postman] Using a PUT request update the service connection. Make sure you set Body – Raw to JSON , and then Paste JSON copied in the previous step to the Body
- Here is a tricky part. Prior to sending PUT request, change creationMode from “Automatic” to “Manual”. Also, in my case, I had to delete the following parameters spnObjectId and appObjectId (data section). Plus, I added serviceprincipalkey with a value set to a new secret (authorization section)
A short excerpt is provided below:
{
"data": {
"subscriptionId": "",
"subscriptionName": "",
"environment": "AzureCloud",
"scopeLevel": "Subscription",
"creationMode": "Manual", # changed
"azureSpnRoleAssignmentId": "",
"azureSpnPermissions": ""
spnObjectId # deleted
appObjectId # deleted
},
"description": "",
"authorization": {
"parameters": {
"tenantid": "",
"serviceprincipalid": "",
"authenticationType": "spnKey",
"serviceprincipalkey": "secret here" # added
},
"scheme": "ServicePrincipal"
}
}
- [Postman] URI used for a PUT request:
https://dev.azure.com/OrganizationName/_apis/serviceendpoint/endpoints/EndpointId?api-version=6.0-preview.4 - [Postman] Go back to Azure DevOps and make sure that service connections has been updated and ready to use.
- [PowerShell] Use the following example
$token ="PAT Token"
$orgName = "Organization Name"
$projectName = "Project Name"
$endpointName = "your endpoint"
$endpointId = "your endpoint ID, use GET request or UI"
$header = @{Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$($token)")) }
# Get Endpoint details
Invoke-RestMethod -Method GET -URI "https://dev.azure.com/$($orgName)/$($projectName)/_apis/serviceendpoint/endpoints?endpointNames=$($endpointName)&api-version=6.0-preview.4" -Headers $header -ContentType "application\json"
# Update Endpoint
$json = @{ json here } | ConvertTo-Json -Depth <your depth>
Invoke-RestMethod -Method PUT -URI "https://dev.azure.com/$($OrgName)/_apis/serviceendpoint/endpoints/$($endpointId)?api-version=6.0-preview.4" -Body -Headers $header -ContentType "application\json" -Body $json
That’s it. Now you know how to change a service connection with a new secret without removing a connection and customizing all pipelines in a project.
P.S. If you have Owners permissions on the app registration/service principal used by the connection, try to edit the connection by adding a description, and then click on Save. Azure DevOps should create a new secret and update the connection automatically.
UseIT | Roman Levchenko 
This is really helpful. Thanks a lot!
Awesome! Another small task to automate. Thanks friend!
Hi Rlev!!
Excellent post.
Is there a way to automate the creation of service connection in N projects?
1) check out ps gallery – example: https://www.powershellgallery.com/packages/NewAzDoServiceConnection/0.0.1
2) terraform azure devops provider : https://registry.terraform.io/providers/microsoft/azuredevops/latest/docs/resources/serviceendpoint_azurecr
3) Rest API or CLI https://docs.microsoft.com/en-us/rest/api/azure/devops/serviceendpoint/endpoints/create?view=azure-devops-rest-7.1&tabs=HTTP#create-azure-rm-service-endpoint
thanks for your comment, Brandon!
So my manager and I were looking into this, and I started to get frustrated it involves Az cli etc….then I saw the P.S. – with a quick edit to service connection description in devops we are back online. It reminds me of the old >touch command, just poke it and it refreshes with new secret voila! I’m glad we weren’t going through your stuff step x step and noticed it afterward – put that P.S. on the top says I!
thanks. added a note/tip to beginning of the post. happy to hear the post helped you.
Thanks for this post !
There is a minor typo at the end of the Powershell script
Invoke-RestMethod-Method
should be
Invoke-RestMethod -Method
thanks, Antoine. fixed.
I love you bro, thanks
There is a much easier way. Renew the secret in azure.
Then edit the service connection, but make a no op change. I just add a space at the end
This will refresh all the details
Then edit again and remove the space (or whatever you did)
All should be good now
you’re right, but it’s already been mentioned in the post under P.S.
One thing to note about the owner method is that it will delete all existing client secrets when it does this. Before I found this method I manually created a new secret and a new Service Connection using service principal (manual) to get my pipelines to run. After using this method, the secret I created manually is gone.