Fix Azure DevOps Artifacts: Setup, Publishing & Feed Errors
Why Azure DevOps Artifacts Stops Working
Here's a scenario I've seen play out dozens of times: a developer sets up a new Azure DevOps project, creates an Azure Artifacts feed, and then spends the next two hours staring at a 401 Unauthorized error or a Unable to load the service index for source message in their terminal. Nothing in the error tells you why it failed. Just a wall of red text and a deadline looming.
Azure DevOps Artifacts is Microsoft's centralized package management service. It lets your team store, manage, and share packages , NuGet, npm, Maven, Python, Cargo, and Universal Packages , all from a single feed. On paper, it's exactly what modern development teams need. In practice, getting it working correctly the first time is where most people hit a wall.
The problems almost always fall into one of four buckets:
- Authentication failures, The Azure Artifacts Credential Provider isn't installed, expired, or misconfigured. Your NuGet client has no way to prove who you are to the feed.
- Feed configuration errors, The
nuget.configfile is pointing at the wrong feed URL, scoped incorrectly, or missing entirely from the project directory. - Permissions problems, The account running the restore or publish command doesn't have the right role assigned in the feed settings. This is especially common in CI/CD pipelines where a service principal or build identity is used instead of a personal account.
- Upstream source misconfiguration, You expect packages from NuGet.org or npmjs.com to flow through your feed automatically, but upstream sources weren't enabled when the feed was created, or they were set up incorrectly after the fact.
Microsoft's error messages for Azure Artifacts failures are notoriously unhelpful. A 401 could mean your token expired, your credential provider isn't installed, or the feed URL in your config is wrong. A package restore failure could be a network issue, a visibility setting, or a missing upstream source. The error text rarely tells you which.
I know this is frustrating, especially when the rest of your pipeline is green and this one piece is blocking a deploy. The good news is that once you understand the three moving parts (feed, credential provider, config file), nearly every Azure DevOps Artifacts issue has a clear fix.
This guide covers the most common Azure DevOps Artifacts setup errors, NuGet feed publishing failures, upstream source configuration problems, and permission issues, all grounded in what Microsoft's official documentation actually says to do. Browse all Microsoft fix guides →
The Quick Fix, Try This First
If you're getting authentication errors when trying to restore or publish packages to an Azure Artifacts feed, start here. The single most common root cause is a missing or outdated Azure Artifacts Credential Provider. This is a NuGet plugin that handles the OAuth token exchange between your local machine and the Azure DevOps feed. Without it, NuGet doesn't know how to authenticate.
Open PowerShell as your normal user (not admin, this matters) and run:
iex "& { $(irm https://aka.ms/install-artifacts-credprovider.ps1) }"That script pulls and installs the latest credential provider directly from Microsoft. After it finishes, close and reopen your terminal, then retry your dotnet restore or nuget restore command. You should see a browser window or a device login prompt asking you to authenticate with your Azure DevOps account. Sign in, and the credential provider caches your token going forward.
If you're on a machine that doesn't allow interactive browser prompts, a build server, for example, you'll need to use a Personal Access Token (PAT) instead. Go to Azure DevOps → User Settings → Personal Access Tokens → New Token. Set the scope to Packaging (Read & Write), copy the token, and pass it as the password in your feed source configuration. More on that in the step-by-step section below.
After installing the credential provider, also verify your nuget.config file exists in your project root and contains the correct feed URL. The feed URL format for Azure Artifacts looks like this:
https://pkgs.dev.azure.com/{organization}/{project}/_packaging/{feedName}/nuget/v3/index.jsonIf that URL is wrong by even a single character, wrong org name, wrong feed name, you'll get a misleading 404 that looks like an auth error. Double-check it in the Azure DevOps portal under Artifacts → Connect to Feed → dotnet.
A lot of downstream headaches trace back to a feed that was created with the wrong settings. Getting this right from the start saves you significant pain later. Here's exactly how to do it.
Sign in to your Azure DevOps organization at dev.azure.com/{your-organization} and navigate to your project. In the left sidebar, select Artifacts. If you don't see it, go to Project Settings → General → Overview and make sure the Artifacts service is turned on for your project.
Click Create Feed. You'll see a dialog with several options that most people rush past, don't.
- Name: Pick a clear, descriptive name. You can't rename a feed after creation without deleting it, so choose something that reflects the team or project that will own it.
- Visibility: This controls who can see packages in your feed. "Members of {organization}" is right for most internal projects. If you're distributing open-source packages, choose "People in specific organizations via upstream" or public. Don't set this to public if you're storing proprietary packages.
- Scope: Project-scoped feeds are visible only to members of that specific project. Organization-scoped feeds are accessible across your entire Azure DevOps organization. Pick project-scoped if this feed is for a single team; org-scoped if multiple projects need to share packages.
- Upstream sources: Check this box. Seriously, check it. This single checkbox enables your feed to pull packages from public registries like NuGet.org, npmjs.com, Maven Central, and PyPI when those packages aren't already in your feed. If you skip it and try to enable it later, you can, but it's an extra step that many people forget until they're wondering why
dotnet restorecan't findNewtonsoft.Json.
Click Create. Your feed is now live. You should see it in the Artifacts dropdown. The next step is connecting your local development environment to it.
If everything worked, you'll see your new feed listed with zero packages and the "Connect to feed" button ready to go. That's your starting point for steps 2 and 3.
Before you can push or pull any packages from an Azure Artifacts NuGet feed, your machine needs the Azure Artifacts Credential Provider. This is a separate install from NuGet itself, it's a plugin that handles the authentication handshake with Azure DevOps. Without it, NuGet has no mechanism to get a valid OAuth token for your feed.
Microsoft also requires the latest version of NuGet for full compatibility. Download it from nuget.org/downloads if you haven't already. You want NuGet 6.x or later for Azure Artifacts feeds using the v3 index format.
To install the credential provider on Windows, run this in PowerShell (as your normal user account, not elevated):
iex "& { $(irm https://aka.ms/install-artifacts-credprovider.ps1) }"On macOS or Linux, use:
sh -c "$(curl -fsSL https://aka.ms/install-artifacts-credprovider.sh)"The installer drops the credential provider plugin into your NuGet plugins directory, typically at:
%UserProfile%\.nuget\plugins\netfx\CredentialProvider.Microsoft\
%UserProfile%\.nuget\plugins\netcore\CredentialProvider.Microsoft\After installation, open a fresh terminal window. Run dotnet restore against your project. The first time, you'll either get a browser popup asking you to authenticate with your Microsoft account or a device code prompt (https://microsoft.com/devicelogin with a code). Complete the login. The credential provider caches your token in the Windows Credential Manager, so you won't need to re-authenticate unless the token expires or you rotate credentials.
For CI/CD pipelines, Azure Pipelines, GitHub Actions, Jenkins, interactive login isn't possible. In that case, set the environment variable VSS_NUGET_EXTERNAL_FEED_ENDPOINTS with your PAT, or use the built-in NuGet tasks in Azure Pipelines which handle authentication automatically through the pipeline's service connection.
This is the step where most publishing and restore failures originate. Your nuget.config file tells the NuGet client where your Azure Artifacts feed lives. If it's missing, in the wrong directory, or has an incorrect feed URL, nothing will work, and the error messages you get back won't always make it obvious why.
In the Azure DevOps portal, go to Artifacts → select your feed → click Connect to Feed → choose dotnet from the NuGet section. The portal shows you the exact XML to put in your nuget.config file. Copy it. Don't type it by hand.
For a project-scoped feed, your nuget.config should look like this:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<packageSources>
<clear />
<add key="MyFeedName"
value="https://pkgs.dev.azure.com/{org}/{project}/_packaging/{feedName}/nuget/v3/index.json" />
</packageSources>
</configuration>For an organization-scoped feed, the URL omits the project segment:
https://pkgs.dev.azure.com/{org}/_packaging/{feedName}/nuget/v3/index.jsonA few critical things to get right here:
- The
<clear />tag tells NuGet to ignore any globally configured sources. This prevents your packages from accidentally resolving against NuGet.org directly instead of your feed. If you want NuGet.org available as a fallback (and you haven't set up upstream sources), remove the<clear />line, but if you did enable upstream sources in step 1, the<clear />is correct because NuGet.org traffic should flow through your feed. - Place this file in your project root, the same directory as your
.slnor.csprojfile. NuGet searches parent directories, but keeping it at project root avoids ambiguity. - Commit this file to source control. Your whole team and your CI pipeline need it.
Once the file is in place, run dotnet restore --interactive from your project directory. The --interactive flag forces the credential provider to prompt for authentication if needed. A successful restore means your config and authentication are both working.
Once your feed and credentials are set up, publishing your first package is the payoff. Before you can publish, you need to make sure your project file has the right metadata, Azure Artifacts requires it, and missing metadata fields cause publish failures that look cryptic but are actually easy to fix.
Open your .csproj file in VS Code or Visual Studio. Inside the <PropertyGroup> block, add the following metadata fields:
<PropertyGroup>
<TargetFramework>net8.0</TargetFramework>
<PackageId>YourOrg.YourPackageName</PackageId>
<Version>1.0.0</Version>
<Authors>Your Name</Authors>
<Company>Your Company</Company>
<Description>A short description of what this package does</Description>
</PropertyGroup>The PackageId must be unique within your feed. The Version follows semantic versioning, 1.0.0 for a first release, 1.0.1 for a patch, 1.1.0 for a new feature. Once a version is published to Azure Artifacts, you can't overwrite it (the feed enforces immutability by default). You'll need to bump the version number for every publish.
Build and pack your project:
dotnet pack --configuration ReleaseThis produces a .nupkg file in bin\Release\. Now publish it to your feed:
dotnet nuget push --source "MyFeedName" --api-key az bin\Release\YourPackage.1.0.0.nupkgThe --api-key az value is a placeholder, Azure Artifacts doesn't use traditional API keys. The credential provider handles authentication. If the push succeeds, you'll see a 201 Created response and your package appears in the feed within a few seconds.
Head back to Azure DevOps → Artifacts → your feed → and you should see your package listed with its version, description, and download count. That's confirmation it worked.
One of the most powerful features of Azure Artifacts is upstream sources. They let your feed act as a proxy for public package registries, NuGet.org, npmjs.com, Maven Central, PyPI, Crates.io, so all your packages, both internal and external, flow through one controlled location. This matters for security auditing, license compliance, and preventing dependency confusion attacks.
If you checked the "Upstream sources" checkbox when you created your feed, NuGet.org is already configured as an upstream. Verify this: go to Artifacts → your feed → Feed Settings (gear icon in the top right) → Upstream Sources tab. You should see entries for nuget.org (NuGet Gallery) and optionally others.
If upstream sources weren't set up at feed creation, you can add them now. In the Upstream Sources tab, click Add Upstream Source. Select "Public source" and choose from the dropdown, NuGet.org, npmjs.com, Maven Central, PyPI, or Crates.io depending on your package type. Save your changes.
With an upstream source configured, the first time a developer on your team requests a package like Newtonsoft.Json, Azure Artifacts fetches it from NuGet.org, saves a copy in your feed, and serves it from there. Every subsequent request hits your feed's cached copy, not NuGet.org directly. This is called "saving to the feed" and it's what makes the upstream source model so powerful for enterprise teams.
There's an important behavior to understand: upstream sources only pull packages into your feed on demand. A package doesn't appear in your feed until someone requests it through the feed's endpoint. If you want to pre-populate your feed with specific package versions for offline scenarios, you'd need to publish them manually.
To verify an upstream is working, add a package to your project that you haven't manually published to your feed:
dotnet add package Newtonsoft.Json --version 13.0.3Run dotnet restore. If the upstream is configured correctly, the restore succeeds and you'll see Newtonsoft.Json 13.0.3 appear in your feed's package list automatically. That's the upstream source doing its job.
Advanced Troubleshooting for Azure DevOps Artifacts
Diagnosing 401 and 403 Errors in Feed Access
A 401 Unauthorized means authentication failed entirely, your client couldn't prove who it is. A 403 Forbidden means authentication succeeded but your account doesn't have permission to do what you're trying to do. These are different problems with different fixes.
For 401 errors, the fix chain is: (1) verify the credential provider is installed, (2) check your PAT hasn't expired, (3) confirm the feed URL in your config matches exactly what's shown in the "Connect to Feed" dialog. Run this to clear cached credentials and force a fresh login:
dotnet nuget locals all --clearFor 403 errors, go to Azure DevOps → Artifacts → your feed → Feed Settings → Permissions. You'll see roles assigned to identities, Owner, Contributor, Collaborator, and Reader. The account you're publishing from needs at minimum Contributor access to push packages. Collaborator can only consume (read/install). Check that your identity, or your pipeline's build service account, has the right role.
In Azure Pipelines specifically, the build service account is usually listed as {ProjectName} Build Service ({OrgName}). Add this identity to your feed with Contributor permissions if your pipeline publish tasks are failing with 403.
Storage Limits and What Happens When You Hit Them
Azure Artifacts gives each organization 2 GiB of free storage. That sounds like a lot until you start storing large Universal Packages or keeping every historical version of heavily-used NuGet packages. When you hit the limit, publishes start failing with errors like TF400898 or generic HTTP 500 responses from the Artifacts endpoint.
Check your current usage: go to Organization Settings → Billing → Artifacts storage. You'll see total usage and a breakdown by project. To free space, go into your feed and delete old package versions you no longer need, navigate to the package, expand the version list, select obsolete versions, and click Delete version. Deleted versions go to a recycle bin and are permanently removed after 30 days.
If your team's usage genuinely exceeds 2 GiB, you can increase the storage limit through Organization Settings → Billing. Microsoft charges per GiB beyond the free tier.
Package Restore Failures in Azure Pipelines
Pipeline restore failures are almost always one of three things: wrong feed URL in the pipeline's NuGetAuthenticate task, the build service account lacks feed permissions, or the nuget.config committed to the repo has a placeholder URL rather than the real one.
In your Azure Pipeline YAML, the recommended pattern for Azure Artifacts NuGet restore is:
- task: NuGetAuthenticate@1
- task: DotNetCoreCLI@2
inputs:
command: 'restore'
projects: '**/*.csproj'
feedsToUse: 'config'
nugetConfigPath: 'nuget.config'The NuGetAuthenticate@1 task automatically injects credentials for any Azure Artifacts feeds referenced in your nuget.config. You don't need to manage PATs manually in pipelines when you use this task, it uses the pipeline's identity and your feed permission settings.
Debugging with Feed Views and Package Promotion
Azure Artifacts feeds support views, named snapshots of your feed (typically @local, @prerelease, and @release). Packages published to a feed land in @local by default. If your downstream consumers are configured to only see packages promoted to @release, they won't find newly published packages until someone explicitly promotes them.
To promote a package, go to the package in your feed, click the version you want to promote, then use the Promote button and select the target view. This is worth checking if packages publish successfully but still aren't found during restore on other machines.
If you've confirmed your credential provider is installed, your feed URL is correct, permissions are set, and you're still hitting consistent 500-level errors or feed operations that hang indefinitely, that's a service-side issue and worth escalating. Check the Azure DevOps Status page at status.dev.azure.com first to rule out an active incident. If there's no reported incident and the problem persists across multiple accounts or machines, open a support ticket at Microsoft Support with your organization name, feed name, and the exact error text from your terminal output.
Prevention & Best Practices for Azure Artifacts Feeds
The teams I've seen get the most value from Azure DevOps Artifacts are the ones who set it up thoughtfully once, rather than patching problems reactively. Here's what separates the smooth setups from the ones that generate support tickets every sprint.
Use feed views from day one. Treating @prerelease and @release as promotion gates, rather than just publishing everything to @local, gives you a controlled release process for internal packages. Your CI pipeline publishes to @prerelease automatically; a human approves promotion to @release after testing. This prevents half-baked packages from landing in production builds.
Scope your feeds to match your team structure. Don't dump all packages from all projects into one organization-scoped feed just because you can. Project-scoped feeds give teams clearer ownership, simpler permission management, and faster debugging when something goes wrong. You can always add an upstream source pointing at a shared org-level feed if cross-project sharing is needed.
Rotate PATs on a schedule. Personal Access Tokens used for feed authentication in scripts or environment variables expire silently. Set a calendar reminder to rotate them before they expire, 90 days is a reasonable cycle. When a PAT expires, every automated process using it fails at once. Build in PAT rotation as a maintenance task, not a crisis response.
Monitor your storage usage proactively. The 2 GiB free tier disappears faster than you'd think in active projects. Set up a monthly check of Organization Settings → Billing. Better yet, script a PAT-authenticated API call to the /_apis/packaging/feedstoragedata endpoint and pipe it into your monitoring dashboard so you're not surprised by a storage-full failure during a release.
Always pin package versions in production builds. Using floating version ranges like [1.0, ) in your NuGet dependencies means the next upstream package version gets pulled into your build automatically. That might be fine in development, but in production pipelines it's a recipe for non-deterministic builds. Pin exact versions and promote updates deliberately.
- Enable upstream sources at feed creation time, adding them later works but requires extra steps to populate cached packages.
- Commit your
nuget.config(or.npmrc,pip.conf, etc.) to source control so every developer and every pipeline uses the same feed URL automatically. - Assign your Azure Pipelines build service account Contributor access to your feed before your first CI run, not after the first failure.
- Set a deletion policy for old package versions to keep storage usage in check; Azure Artifacts doesn't auto-prune old versions by default.
Frequently Asked Questions
What exactly is Azure Artifacts and do I need it if I'm already using NuGet.org?
Azure Artifacts is Microsoft's hosted package management service built into Azure DevOps. It gives you a private feed where you can publish your own internal packages, things you'd never want on NuGet.org, and also acts as a proxy for public registries like NuGet.org, npmjs.com, Maven Central, and PyPI through upstream sources. If your team writes any shared libraries that aren't open source, you need somewhere private to host them. Azure Artifacts is that place. Even if you only consume public packages, routing them through a feed gives you caching, security scanning opportunities, and a single controlled source for all dependencies across your org.
How much does Azure Artifacts storage cost and how do I check how much I'm using?
Every Azure DevOps organization gets 2 GiB of free Artifacts storage. Beyond that, Microsoft charges per GiB per month. To check your current usage, go to Organization Settings → Billing → scroll to the Artifacts section. You'll see total consumption and a breakdown by project. If you're approaching the free tier limit, start by deleting old package versions you no longer reference, navigate to each package in your feed, select obsolete versions, and delete them. Deleted versions move to a recycle bin and are purged permanently after 30 days, at which point they stop counting against your storage quota.
Why can't my Azure Pipeline find packages in my Artifacts feed during restore?
The two most common causes are missing feed permissions for the pipeline's build service account, and a nuget.config that's either missing from the repo or has an incorrect feed URL. First, go to your feed's settings → Permissions and check that {ProjectName} Build Service ({OrgName}) has at least Contributor access. Then make sure your YAML pipeline includes the NuGetAuthenticate@1 task before any restore step, this task automatically injects the right credentials without you having to manage PATs manually. Also verify the nuget.config in your repo's root has the exact feed URL from the "Connect to Feed" dialog in the Azure DevOps portal.
What's the difference between project-scoped and organization-scoped Azure Artifacts feeds?
A project-scoped feed lives inside a specific Azure DevOps project and is only visible to members of that project. The feed URL includes your project name in the path. An organization-scoped feed is accessible to any project within your entire Azure DevOps organization, and its URL omits the project segment. Use project-scoped feeds when a package set belongs clearly to one team and shouldn't be shared broadly. Use org-scoped feeds when you're building shared internal libraries, like common authentication or logging packages, that multiple teams across your org depend on. You can mix both types and have project feeds pull from an org-scoped feed via upstream sources.
Can I use Azure Artifacts for npm and Python packages, not just NuGet?
Yes, Azure Artifacts supports npm, Python (pip), Maven, Gradle, Cargo (Rust), and Universal Packages in addition to NuGet. The setup process for each follows the same pattern: create a feed, go to "Connect to Feed," select your package manager type, and follow the config instructions. For npm, you'll get a .npmrc configuration snippet. For Python, you'll configure your pip.conf or pypirc file. The credential provider handles authentication for NuGet and dotnet; for other package types you'll typically use a PAT encoded in the configuration file. Each package type also has its own upstream source options, for example, npmjs.com for npm feeds and PyPI for Python feeds.
How do I debug with symbols published to Azure Artifacts?
Azure Artifacts has a built-in symbol server that stores .pdb files alongside your packages. To publish symbols, add the --include-symbols flag when running dotnet pack, then push the resulting .snupkg file to your feed alongside your .nupkg. In Visual Studio, go to Tools → Options → Debugging → Symbols and add your feed's symbol server URL (available in your feed's "Connect to Feed" dialog under the Symbols section). When you debug a project that consumes your package, Visual Studio fetches the matching .pdb automatically, letting you step through the library's source code. For WinDbg debugging, you configure the symbol path with SRV*{localCache}*{feedSymbolServerUrl} using the same URL.