In Azure DevOps, new variable group creation, the Authorize button for selected key vault has a bug

Question

In Azure DevOps, new variable group creation, the Authorize button for selected key vault has a bug

MS Admin AZ 0

In Azure DevOps, when creating a new variable group, after clicking the Authorize button for selected key vault, it does not let me save the settings.

Note that after clicking the Authorize button, it did successfully grant the DevOps service connection the Get, List secret permissions in the key vault's access policy. This means the key vault has the proper secret permissions and the DevOps service connection is able to connect to the key vault with no issue. This rules out any network or firewall issue.

The bug is that Azure DevOps does not proceed after the Authorize is completed. So the new variable group creation cannot be saved with the key vault connection.

Pashikanti Kumar 1,160 Reputation points Microsoft External Staff Moderator

2025-10-30T23:58:20.8633333+00:00

Hi MS Admin AZ,

Thank you for posting your question in the Microsoft Q&A forum

I have reached out to you over private message regarding some information. Could you please check and share the requested information to assist you further on this.
Pashikanti Kumar 1,160 Reputation points Microsoft External Staff Moderator

2025-10-31T00:04:35.4666667+00:00
Hi MS Admin AZ,

To resolve the Azure DevOps variable group creation issue with Key Vault authorization not allowing save despite permissions being correct, follow this solution:

Ensure Service Connection Permissions

Confirm your Azure DevOps service connection has both Get and List permissions on the Azure Key Vault. This is necessary for secret access.

In Azure Portal, go to your Key Vault → Access policies → Make sure the service principal behind your service connection is granted these permissions.

Add at least one Secret in Key Vault

If your Key Vault is empty, add at least one secret, as the Azure DevOps UI sometimes fails to complete authorization with an empty Key Vault.

Create Variable Group and Link to Key Vault

In Azure DevOps, navigate to Pipelines > Library > Variable groups.

Select + Variable group, provide a name.

Enable Link secrets from an Azure Key Vault as variables.

Select your Azure service connection, then Key Vault.

Click the Authorize button to grant permission.

If the UI appears stuck, refresh the page or try using an incognito browser window.

Add secrets to the Variable Group

Select + Add on the secrets screen.

Pick the secrets you want to expose as pipeline variables.

Press OK, then hit Save on the variable group page.

Reference

Manage variable groups - Azure Pipelines | Microsoft Learn

Use Azure Key Vault secrets in Azure Pipelines - Azure Pipelines | Microsoft Learn

Link a variable group to secrets in Azure Key Vault - Azure Pipelines | Microsoft Learn

I hope the provided answer is helpful,

Please "Up Vote" if the information helped you. This will help us and others in the community as well.

Thank you.

1 answer

Your answer

Pashikanti Kumar 1,160 Reputation points Microsoft External Staff Moderator

2025-10-30T23:58:20.8633333+00:00

Hi MS Admin AZ,

Thank you for posting your question in the Microsoft Q&A forum

I have reached out to you over private message regarding some information. Could you please check and share the requested information to assist you further on this.
Pashikanti Kumar 1,160 Reputation points Microsoft External Staff Moderator

2025-10-31T00:04:35.4666667+00:00

Hi MS Admin AZ,

To resolve the Azure DevOps variable group creation issue with Key Vault authorization not allowing save despite permissions being correct, follow this solution:

Ensure Service Connection Permissions

Confirm your Azure DevOps service connection has both Get and List permissions on the Azure Key Vault. This is necessary for secret access.

In Azure Portal, go to your Key Vault → Access policies → Make sure the service principal behind your service connection is granted these permissions.

Add at least one Secret in Key Vault

If your Key Vault is empty, add at least one secret, as the Azure DevOps UI sometimes fails to complete authorization with an empty Key Vault.

Create Variable Group and Link to Key Vault

In Azure DevOps, navigate to Pipelines > Library > Variable groups.

Select + Variable group, provide a name.

Enable Link secrets from an Azure Key Vault as variables.

Select your Azure service connection, then Key Vault.

Click the Authorize button to grant permission.

If the UI appears stuck, refresh the page or try using an incognito browser window.

Add secrets to the Variable Group

Select + Add on the secrets screen.

Pick the secrets you want to expose as pipeline variables.

Press OK, then hit Save on the variable group page.

Reference

Manage variable groups - Azure Pipelines | Microsoft Learn

Use Azure Key Vault secrets in Azure Pipelines - Azure Pipelines | Microsoft Learn

Link a variable group to secrets in Azure Key Vault - Azure Pipelines | Microsoft Learn

I hope the provided answer is helpful,

Please "Up Vote" if the information helped you. This will help us and others in the community as well.

Thank you.

Answer 1

Thanks for the info.

Yes, the Azure DevOps service connection has both Get and List permissions on the Azure Key Vault. (In fact, we already have other pipelines accessing the key vault already via this same service connection.) I can confirm seeing the service principal with Get, List permissions in the key vault's access policy.

Key vault is not empty.

When creating the Variable Group to link to the key vault, I clicked Authorize which re-granted the service principal to have Get, List access and shows correctly in the key vault's access policy. This is the point where it is stuck. The Save button is still grayed out.

The reason I know that after clicking the Authorize button, it can grant the service principal with Get, List access in the key vault's access policy. As a test, I deleted this item from the access policy (as mentioned it was already there). Then I clicked the Authorize button and saw it created the Get, List access for the service principal in the access policy. This confirms the service connection is working and the access policy is correct, it still doesn't let me proceed. The Save button is still grayed out.

This looks like a bug.

Rakesh Mishra 2,265 Reputation points Microsoft External Staff Moderator

2025-10-31T16:19:55.0166667+00:00

Hi @MS Admin AZ , could you please confirm that you have selected secrets from Key vault and when clicking on +Add, you are able to see secrets from Key Vault.
MS Admin AZ 0 Reputation points

2025-10-31T17:28:17.86+00:00

I cannot select secrets from Key vault because I cannot save the selected key vault after clicking Authorize in order to Link secrets from key vault. That's the issue.

Share via

In Azure DevOps, new variable group creation, the Authorize button for selected key vault has a bug

1 answer

Your answer