ARM deployment occasionally fails due to mismatching identity RRS feed

  • Question

  • I have an ARM template that deploys a Windows Web App that has two slots (production and staging). The template is integrated with Azure DevOps build and release pipelines and deployed using the Azure resource group deployment task.

    The problem I am encountering is that occasionally the pipeline will fail when the template is getting deployed with the following error message

    2019-07-25T07:49:22.3093628Z There were errors in your deployment. Error code: MismatchingResourceIdentityPrincipalId.

    2019-07-25T07:49:22.3213510Z ##[error]The principalId '5e7127c4-5a72-49b4-9747-7311e984e1c8' on the

    resource's Identity property is invalid and must be empty or match the existing principalId

    of '0471a448-0e77-48cd-b39a-01d8d1f3c5e3'.

    2019-07-25T07:49:22.3221635Z ##[error]Task failed while creating or updating the template deployment.

    For reference, this is how the identities are configured in the ARM template

       "resources": [{
            "type": "Microsoft.Web/sites",
            "apiVersion": "2016-08-01",
            "name": "myApp",
            "kind": "app",
            "identity": {
              "principalId": "0471a448-0e77-48cd-b39a-01d8d1f3c5e3",
              "tenantId": ".......",
              "type": "SystemAssigned"
            "type": "Microsoft.Web/sites/slots",
            "apiVersion": "2016-08-01",
            "name": "myApp/Staging",
            "dependsOn": [
              "[resourceId('Microsoft.Web/sites', 'myApp')]"
            "kind": "app",
            "identity": {
              "principalId": "5e7127c4-5a72-49b4-9747-7311e984e1c8",
              "tenantId": "......",
              "type": "SystemAssigned"

    Thursday, July 25, 2019 9:31 AM

All replies

  • Does this error occur after you've swapped myApp with myApp/Staging? If so, then I surmise the error is occurring because you're using a principalId that no longer matches app's Managed identity after it's been swapped. Therefore, use 

    "prinicipalId": "[reference(concat('Microsoft.Web/sites/', parameters('myApp')), '2018-02-01', 'Full').identity.principalId]",
    # for staging slot
    "prinicipalId": "[reference(concat('Microsoft.Web/sites/slots', parameters('myApp')), '2018-02-01', 'Full').identity.principalId]",

    to retrieve the correct principalId for the app.

    Hope this helps.

    Thanks in advance, Ryan

    Friday, July 26, 2019 3:58 PM
  • Hi Ryan,

    The error has finally returned so I had a chance to test your suggestion.

    Unfortunately when executing the arm template this error is returned:

    The template resource 'app_name' at line '28' and column '9' is not valid: The template function 'reference' is not expected at this location.

    Any ideas?

    Wednesday, August 14, 2019 3:00 PM
  • Try leaving the principalId blank or remove the property all together. This will leave the management of said properties up to Azure as stated in https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity#using-an-azure-resource-manager-template. Those properties will be added after the deployment of the template.

    Thanks in advance, Ryan

    Saturday, August 17, 2019 4:48 PM