The service principal has already been added to the database with the relevant permissions using CREATE USER <service principal name> FROM EXTERNAL PROVIDER WITH OBJECT_ID = <service principal objectid if there are multiple service principals with the same name>
How do I execute efbundle.exe against my database in Azure?
Create an Azure PowerShell task with the relevant service connection selected in the dropdown.
The format of the connection string should be as follows. It will authenticate automatically using the service principal of the Azure PowerShell task. Adjust the path to your bundle as appropriate:
$(System.DefaultWorkingDirectory)/sql-drop/efbundle.exe --connection 'Server=MyServerName,1433;Initial Catalog=MyDatabaseName;Connect Timeout=120;Authentication=Active Directory Workload Identity'
The high connect timeout is because the authentication takes some time and will fail with "task was cancelled" if it is too low.
If you are not using the --connection flag, then the migration uses the connection string from appsettings that is injected into the dbcontext. You will have to adjust that.
It is also worth mentioning that if a migration fails the DevOps task will still show as succeeded. You can cater for this with the PowerShell $LASTEXITCODE variable, which is automatically populated.
if ($LASTEXITCODE -ne 0) {
Write-Error "The migration bundle failed"
exit 1 # This exits the PowerShell script with a failure code
}
Update
As of June 2025 the Microsoft Hosted Agent no longer had the environment variables that Microsoft.Data.SqlClient inside EF expects and was throwing the error "The workload identity configuration wasn't provided in environment variables or through 'WorkloadIdentityCredentialOptions'".
The solution is to do an Azure CLI task with addSpnToEnvironment
(or "access service principal details in script" for classic Releases task) set to true. Then do the mapping to the environment variables that are documented here manually as well as write the idtoken to disk: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/TROUBLESHOOTING.md#troubleshoot-workloadidentitycredential-authentication-issues
So the final PowerShell script becomes:
$env:AZURE_CLIENT_ID = $env:servicePrincipalId
$env:AZURE_TENANT_ID = $env:tenantId
$tokenPath = "$(Agent.TempDirectory)\federated-token.jwt"
Set-Content -Path $tokenPath -Value $env:idToken
$env:AZURE_FEDERATED_TOKEN_FILE = $tokenPath
$(System.DefaultWorkingDirectory)/sql-drop/efbundle.exe --connection 'Server=mydatabase.database.windows.net,1433;Initial Catalog=mydatabase;Connect Timeout=120;Command Timeout=600;Authentication=Active Directory Workload Identity;'
if ($LASTEXITCODE -ne 0) {
Write-Error "The migration bundle failed"
exit 1 # This exits the PowerShell script with a failure code
}
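A hardened variant of the script above, added here as an example and not part of the original answer: it verifies that the Azure CLI task actually exported the service principal details, decodes the idToken payload to fail fast on an expired token instead of waiting for the 120 second connect timeout, and removes the federated token file from the agent disk whether or not the bundle succeeds. It assumes the Azure CLI task ran with addSpnToEnvironment set to true, and the bundle path and server/database names are placeholders.

```powershell
# Added example (not the original answer's script). Assumes the preceding
# Azure CLI task ran with addSpnToEnvironment = true, so servicePrincipalId,
# tenantId and idToken are present as environment variables.

function Test-FederatedToken {
    # Decode the JWT payload (base64url) and reject an already expired token.
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { throw 'idToken is not a three-part JWT' }
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    $claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
    $expiry = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    if ($expiry -le [DateTimeOffset]::UtcNow) { throw "idToken expired at $expiry" }
    Write-Host "Federated token for audience '$($claims.aud)' is valid until $expiry"
}

# Fail early if the Azure CLI task did not export the service principal details.
foreach ($name in 'servicePrincipalId', 'tenantId', 'idToken') {
    if ([string]::IsNullOrWhiteSpace([Environment]::GetEnvironmentVariable($name))) {
        throw "Environment variable '$name' is missing; set addSpnToEnvironment to true on the Azure CLI task"
    }
}
Test-FederatedToken -Jwt $env:idToken

# Map the task variables to what WorkloadIdentityCredential reads.
$env:AZURE_CLIENT_ID = $env:servicePrincipalId
$env:AZURE_TENANT_ID = $env:tenantId
$tokenPath = Join-Path $env:AGENT_TEMPDIRECTORY 'federated-token.jwt'
$bundleExit = 1
try {
    # Write exactly the JWT, with no trailing newline.
    Set-Content -Path $tokenPath -Value $env:idToken -NoNewline
    $env:AZURE_FEDERATED_TOKEN_FILE = $tokenPath

    # Placeholder bundle path and connection string; adjust for your pipeline.
    $bundle = Join-Path $env:SYSTEM_DEFAULTWORKINGDIRECTORY 'sql-drop\efbundle.exe'
    & $bundle --connection 'Server=mydatabase.database.windows.net,1433;Initial Catalog=mydatabase;Connect Timeout=120;Command Timeout=600;Authentication=Active Directory Workload Identity;'
    $bundleExit = $LASTEXITCODE
}
finally {
    # Never leave the federated token on the agent disk after the task ends.
    Remove-Item -Path $tokenPath -Force -ErrorAction SilentlyContinue
}

if ($bundleExit -ne 0) {
    Write-Error "The migration bundle failed with exit code $bundleExit"
    exit 1  # Fail the DevOps task instead of reporting success
}
```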