Receiving an InvalidAuthorizationTokenTenant error when triggering a Logic App on Azure even with one account?
Currently, I am trying to run a trigger on a Logic App on Microsoft Azure, but every time I try, I receive an InvalidAuthorizationTokenTenant error. Let me explain.
So I have a Virtual Machine on Microsoft Azure called StaticReportingVM that runs a service automatically when it is turned on. I am trying to automate the process of turning the machine on and off using a Logic App called startVM. The logic design is below: it has a recurrence task that checks the time of year it is (the task should run at the beginning of every month), it tells the machine to turn on, and notifies me through my personal email whether or not the task has succeeded.
The parameters are correct for my machine and my subscription. However, every time I run the trigger, I get the following error:
{
"error": {
"code": "InvalidAuthenticationTokenTenant",
"message": "The access token is from the wrong issuer 'https://sts.windows.net/xxxxxxx-xxxxxxx-xxxxxxx/'. It must match the tenant 'https://sts.windows.net/yyyyy-yyyyy-yyyyyy/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/yyyyy-yyyyy-yyyyyy' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."
}
}
Note that xxxxx-xxxxx-xxxxx is different from yyyyy-yyyyy-yyyyy and the two yyyyy-yyyyy-yyyyys are the same. (Not sure if this helps answer my question but I just want to cover more bases!)
Below is a (poorly edited) image of the connections I have set for the Logic App to work, where the email above is the email registered with my Azure account and the Office 365 email is my personal email to notify me of whether or not the trigger has worked.
I have a few questions about this: why am I getting an InvalidAuthenticationTokenTenant error even though I only am using the one subscription? Is it possible I have multiple tenants under this account and if so how can I delete those tenants? How can I bypass the error and get the logic app working?
P.S. This is my first stackoverflow question so I'm sorry if I am missing any critical details! Any and all feedback is appreciated.
• The way you are trying to trigger a logic app on Microsoft Azure VM for starting a recurrence task and notify you through the personal email address is incorrect. You should create a managed identity for the logic app through which the trigger is configured. Once configured, then assign a new role to the logic app’s managed identity through the VM’s IAM (Identity and Access Management) blade. Once done, then update the ‘Start the Virtual Machine’ task in the logic app to connect using the managed identity created for the logic app.
In this way, your issue should get resolved and you should not receive any error regarding the ‘Tenant token authentication’. Also, you are getting this error because, when you are configuring the ‘StartVM parameters’, the tenant ID is not asked in it, rather only ‘subscription ID’ is asked and the ‘resourceGroup’ is asked. Thus, due to which, if you have atleast ‘Contributor’ role access in more than one tenant linked to each other, then the default tenant ID and the tenant in which your VM us deployed will be different and hence the conflicting error faced regarding it.
• Please find the below snapshot of the configuration for including the managed identity in your logic app design: -
Thus, once you give managed identity of a VM as the connection in the logic app ‘Start VM’ action, the logic app ‘Start VM’ trigger will use the managed identity’s assigned role to the VM as authorization to start the VM and hence the tenant token issue will get resolved.
For more information and clarification on this, kindly refer to the below link: -
- How to check Debug.Writeline() output in VS code?
- C# API - Provide download of files from Azure Blobstorage
- localhost:300/api is not working : "This page isn’t working"
- Creating an Azure Linux VM with Ubuntu 20.04 with Terraform
- Failed to deploy path that does not exist
- Using Azure WAF for my server(not in Azure)
- How and where to define an environment variable on Azure
- Azure Data Factory - Unable to preview data
- Azure yaml trigger pipeline every 14 days on a Saturday
- Diagnostic setting not included in Azure Portal ARM template export
- How do I read the original pdf file in set indexer datasource in a custom WebApiSkill after enabling "Allow Skillset to read file data"
- How do I store vectors generated by AzureOpenAIEmbeddingSkill in indexer given my current setup
- Authenticating using the Azure CLI is only supported as a User (not a Service Principal)
- Azure Function App - frequent hang and deadlocks
- Sign Tool for Azure Trusted Service Account Error information: "Error: SignerSign() failed." (-2147467259/0x80004005)
- How to convert the premium file share to premium block blob storage account or standard general purpose v2 storage account?
- How to generate an azure blob url with SAS signature in nodejs sdk v12?
- How to Assign Role to New User with Graph API
- Directory disappears from azure cloud shell (home)
- Application Insights Logging Exceptions as Trace
- Issue with Azure key vault and Azure storage account deployment
- AddDataProtection().PersistKeysToAzureBlobStorage().ProtectKeysWithAzureKeyVault() getting httpVerb Error while accessing the blob storage
- temporary_name_for_rotation must be specified when changing any of the following properties: pod_subnet_id
- Native Node.js Metrics in Application Insights
- Azure Key Vault Disabled public access, how to access it through the portal via internet
- Using Google.Cloud.BigQuery.V2 API in Azure Functions
- Azure Functions no job found (python)
- Azure Machine Learning - Online Endpoint Schedule/Cost management
- Is it possible to read File from same folder where Azure function exists
- Make WAF policy to only allow Azure Load Testing or Azure Services