Deploy to Azure web app from github failing with - Application with identifier '***' was not found in the directory
I am trying to deploy to azure web app from github. I have following web app with system assigned identity:
I have added a secret with the value seen in image above Object (principal) ID:
I have following yaml file in github:
name: Build and deploy Python app to Azure Web App - fast-api-port
on:
push:
branches:
- dev
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python version
uses: actions/setup-python@v5
with:
python-version: '3.12'
- name: Create and start virtual environment
run: |
python -m venv venv
source venv/bin/activate
- name: Install dependencies
run: pip install -r requirements.txt
# Optional: Add step to run tests here (PyTest, Django test suites, etc.)
- name: Zip artifact for deployment
run: zip release.zip ./* -r
- name: Upload artifact for deployment jobs
uses: actions/upload-artifact@v4
with:
name: python-app
path: |
release.zip
!venv/
deploy:
runs-on: ubuntu-latest
needs: build
environment:
name: 'Production'
url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
permissions:
id-token: write #This is required for requesting the JWT
steps:
- name: Download artifact from build job
uses: actions/download-artifact@v4
with:
name: python-app
- name: Unzip artifact for deployment
run: unzip release.zip
- name: Login to Azure
uses: azure/login@v2
with:
client-id: ${{ secrets.AZUREAPPSERVICE_CLIENTID_APP_DNA_PORT_API_DEV }}
tenant-id: ${{ secrets.AZUREAPPSERVICE_TENANTID_6399B578ADAF41E095CA377A465B8BB1 }}
subscription-id: ${{ secrets.AZUREAPPSERVICE_SUBSCRIPTIONID_527AF2EA4A6A4A8BAC99ECB57B6CE6AB }}
- name: 'Deploy to Azure Web App'
uses: azure/webapps-deploy@v3
id: deploy-to-webapp
with:
app-name: 'app-xx-xx-xx-dev'
slot-name: 'Production'
I get following error:
Attempting Azure CLI login by using OIDC...
Error: AADSTS700016: Application with identifier '***' was not found in the directory 'XXX'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant. Trace ID: xx-093c-48dd-a644-xxCorrelation ID: 13417bd2-xx-xx-xx-dbec55c0e135 Timestamp: 2025-01-07 11:17:48Z
Isent it the App ID of the web app or am I missing something?
Solution
The system-assigned identity is usually an automatically managed identity by Azure for the Web App. In this case, the Application ID is the Web App's managed identity itself, it doesn't require a separate app registration in Azure AD for authentication.
Note: You need to pass Object(Principal)ID when you deploy to Azure App Service with User-assigned managed identity as mentioned in MSDOC.
I followed below steps to deploy the python app to Azure App Service with System assigned managed identity using GitHub actions.
- Enable System Assigned managed identity in Web app:
- Configure Deployment using GitHub actions under
Deployment=>Deployment Center, select GitHub as Source and Basic Authentication as Authentication Type:
Workflow:
name: Build and deploy Python app to Azure Web App - App_Name
on:
push:
branches:
- main
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python version
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Create and start virtual environment
run: |
python -m venv venv
source venv/bin/activate
- name: Install dependencies
run: pip install -r requirements.txt
- name: Zip artifact for deployment
run: zip release.zip ./* -r
- name: Upload artifact for deployment jobs
uses: actions/upload-artifact@v4
with:
name: python-app
path: |
release.zip
!venv/
deploy:
runs-on: ubuntu-latest
needs: build
environment:
name: 'Production'
url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
steps:
- name: Download artifact from build job
uses: actions/download-artifact@v4
with:
name: python-app
- name: Unzip artifact for deployment
run: unzip release.zip
- name: 'Deploy to Azure Web App'
uses: azure/webapps-deploy@v3
id: deploy-to-webapp
with:
app-name: 'App_Name'
slot-name: 'Production'
publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_312C7XX4B8BDC }}
Deployment status in GitHub:
- In an Azure App Service, how do I allow DefaultAzureCredential to get bearer token from App Registration (Enterprise Application)?
- Powershell performance degraded when importing Az modules
- How to construct the hashed token signature for Azure Cosmos DB REST API to list users?
- How to make CosmosDB work with an Azure Web App
- AADSTS50011: The redirect URI specified in the request does not match the redirect URIs configured for the app
- Stopping or Disabling a resource group in Azure
- Why I got an error request every 5 minutes in an Azure App Service
- I have try to create event in microsoft outlook calendar but coming error Access token validation failure. Invalid audience
- FQDN on Azure Virtual Machine
- azurerm - Terraform not behaving as expected
- How to get all possible AppServicePlan configurations from an Azure subscription?
- How to register your Azure resource as an Application in Azure Active Directory?
- How to Compare Variables in the Azure Library-Variable Group
- azure ai studio - indexing problem (ai search)
- The template output 'ctrName' is not valid: The language expression property array index '4' is out of bounds
- Microsoft Graph API: Create subscription - Exception: [Status Code: Unauthorized] [Go]
- After Upgrade Azure Function .Net 8 - How to handle Dependecy Injection from Startup.cs?
- How does using a proxy between frontend and backend improve security?
- How to verify JWT id_token produced by MS Azure AD?
- Azure Video Indexer API: "USER_NOT_ALLOWED" Error When Checking Blurring Job Status After Completion of Bluring
- Azure arm64 VM sku with nested virtualization
- Set ouput of GitHub action workflow after using azure/login@v2 step
- Redirect service (302) in Azure, best possible approach?
- Why the redirect uri has no fragment parameters on the first try?
- Trying to get Azure AI to work with Nuxt 3
- How do I pull the last modified file with data flow in Azure Data Factory?
- Pass AzureML job's name to pipeline
- Using the Microsoft Graph API to load files from Sharepoint into Databricks
- Databricks Numeric Type comparsion (Int vs Double)
- Azure Synapse time out - Token expire