I have an Azure Windows 10 VM (Standard D2as v4 (2 vcpus, 8 GiB memory)). I have tried using the automated tasks section to start this VM up and shut it down automatically. However, the auto start task repeatedly fails. I do not understand why. Here is the error that I have found:
Unauthorized!
{
"error": {
"code": "InvalidAuthenticationTokenTenant",
"message": "The access token is from the wrong issuer 'https://sts.windows.net/xxxxxxxxxxxxxxxxxxxxx/'. It must match the tenant 'https://sts.windows.net/xxxxxxxxxxxxxxxxxxxxxxx/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."
}
}
I do not understand what is going on at all am afraid. If someone could please explain and help resolve!
Thanks!
I have tried in my environment and got below results:
Initially I have created Virtual machine in my environment and added two tasks like Azure start VM and Azure stop VM
Task1 - start VM
Home -> Virtual machine -> Automation -> task
I have Authenticated connection both Azure VM (azurevm) and Office 365 Outlook (office365)
Configuration:
After created task1 it will appears on the Tasks list.
After the selected task runs, you get an email that looks like this example:
In the tasks list-> task1->In that task's Runs column, select View.
Task2 - Stop VM
Similar process which I took to reproduce:
Mail:
View:
{ "error": { "code": "InvalidAuthenticationTokenTenant", "message": "The access token is from the wrong issuer
'https://sts.windows.net/xxxxxxxxxxxxxxxxxxxxx/'. It must match the tenant 'https://sts.windows.net/xxxxxxxxxxxxxxxxxxxxxxx/' associated with this subscription. Please use the authority (URL)'https://login.windows.net/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."} }
The above error occurs due to not have enough permission.
You must have certain permissions to enable VMs for the Start&Stop VMs.
Kindly check and make sure you have role of Contributor to your logic app.
In permission they has some of the pre-existing Automation account and new Automation account for log analytics workspace kindly check the below reference link.
Logic app:
logic app -> task1->Run history
Reference:
https://learn.microsoft.com/en-us/azure/automation/automation-solution-vm-management
Azure Logic App: Azure VM Connector - InvalidAuthenticationTokenTenant - Microsoft Q&A
Related
Azure VM Details :
OS : Windows Server 2019 Datacenter Core
Size: Standard D4s v3 (4 vcpus, 16 GiB memory)
Location: Australia East
VM generation: V1
Agent status: Ready
Agent version: 2.7.41491.1010
Azure disk encryption: Not Enabled
Extensions already installed :
DependencyAgentWindows
IaaSAntimalware
MDE.Windows
MicrosoftMonitoringAgent
Have an existing recovery services vault with 10s of other VMs getting backed up.
Trying to enable the backup from Azure Portal for this VM ( From the VM Blade > Operations > Backup ) but it's failing with the following error code:
I have tried it multiple times.
Provisioning state: Failed
Duration: 1 minute 3 seconds
Status: Conflict
{
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
"details": [
{
"code": "BMSUserErrorContainerObjectNotFound",
"message": "Item not found"
}
]
}
All the information on troubleshooting backup relates issues # https://learn.microsoft.com/en-us/azure/backup/backup-azure-vms-troubleshoot talk about After the "Enable Backup" step.
I have also tried to enable the backup using azure cli:
az backup protection enable-for-vm --vm "/subscriptions/xxx/resourceGroups/yyy/providers/Microsoft.Compute/virtualMachines/vm_name" -v vaultname -g vault_resourcegroup -p backuppolicy_name
It throws the following error:
The specified Azure Virtual Machine Not Found. Possible causes are
1. VM does not exist
2. The VM name or the Service name needs to be case sensitive
3. VM is already Protected with same or other Vault.
Please Unprotect VM first and then try to protect it again.
Please contact Microsoft for further assistance.
None of the Point 1,2 or 3 are true.
VM exists, the name is used as shown in the portal, no other VM protection service is in use.
Note: I have faced this issue a few days back on another subscription, but luckily no one was yet using that VM, so I destroyed and re-deployed the VM, and the error went away.
I can't do the same for this VM as it's already in use.
Any help/guidance will be appreciated.
Seems like a portal error or the VM is not able to communicate with Azure Platform. I would suggest you try the "Reapply" feature to update the platform status.
[Snippet of Reapply in Azure Porta][1]
Else, you can try initiating a backup from the "Recovery Services vaults" blade and add the VM to it.
The solution was to contact Microsoft support. Their engineer after some analysis ( aka to and fro, screenshots exchange over email..etc) replied with:
I check from the backend and notice that the VM status is not in synchronize state. I’ve requested the VM engineer xxxxx resync the VM from the backend. Please try to reenable the VM backup again in the Azure portal recovery service Vault page. If you encounter the same issue, please try to configure the VM backup in the Azure Virtual Machine Panel page and let me know the results. Thanks!
After this when I attempted to enable the backup it worked.
So for anyone who faces this problem, it looks like the only option is to get in touch with MS Support.
I have a new vm, Operating system Windows (Windows Server 2016 Datacenter).
When I try to enable backup and select new Recovery Service Vault, I get deployment error:
Deployment to resource group test failed.
Additional details from the underlying API that might be helpful: At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.
Resource
vault242/Azure/iaasvmcontainer;iaasvmcontainerv2;test;web01/vm;iaasvmcontainerv2;test;web01
Type
Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems
Status
Conflict
Status message
{
"status": "Failed",
"error": {
"code": "BMSUserErrorContainerObjectNotFound",
"message": "Item not found"
}
}
Can't find any information for code BMSUserErrorContainerObjectNotFound and why a protected item not created automatically
My apologies for the delay in the response.
Were you able to resolve the issue?
If not, let's review it.
As I understood, you are enabling the Azure VM Back Up by following the next steps:
There could be multiple reasons why you are getting this failure.
Did you perform these steps manually using the Azure Portal? Template deployment? Scripting? I suspect most likely you are doing the template deployment or any kind of scripting and this one is the syntax issue.
Second thought, it was the transmitted issue due to the load of request on the Azure end. In this case, you need to retry the operation.
Additional question to ask, do you get the failure on one specific machine or all machines? Specific region?
Do you get the same failure when you use the existing vault?
If you still can provide information above, it's going to be helpful to narrow down the root cause.
I ran into this error as well today and I think it is is a Azure portal bug when enabling the Backup from the VM blade.
Instead, you can initiate a Backup from the "Recovery Services vaults" blade and add the VM to it.
I'm trying to create an Azure Logic App that uses a connector to ACI to run a container group. I was able to get it running correctly by creating a connector in the Logic App designer in the Azure Portal. However, the designer currently only supports connectors in the same resource group as the logic app. I would like to use a single connector for logic apps in multiple resource groups, so I need to use a connector from a different resource group. Logic Apps appear to support this just fine as long as you edit the code directly instead of using the visual designer. I am able to create the connector just fine, and the app is able to connect to it, however I am not able to authorize the connector properly. When I go to the connector and attempt to authorize it, the process works fine and it says that it is connected. However, when I then try to run the Logic App, I get the following error:
"error": {
"code": "InvalidAuthenticationTokenTenant",
"message": "The access token is from the wrong issuer 'https://sts.windows.net/YYY/'. It must match the tenant 'https://sts.windows.net/XXX/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/XXX' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."
}
}
XXX and YYY are two different tenant-ids. However, XXX is the tenant ID I get when I run az account show on my machine and in the Azure Cloud Shell. I only have one tenant ID and one subscription. I don't know where the other tenant ID is coming from, or how it is being used to authorize the connector when I am using the same login that is tenant ID XXX.
Is there any way I can successfully authorize the connector with my tenant ID?
I have created an ARM template for my logic app which has azure function reference in it.
By the time when I was deploying the logic app in my old subscription, I was able to deploy the ARM template using power shell successfully,
The problem started when I needed to deploy the app in different subscription.
While I deployed my logic app on different subscription which was pointing to the azure functions which still existed in my old subscription, I got this error.
{
"code": "LinkedAuthorizationFailed",
"message": "The client has permission to perform action 'Microsoft.Web/sites/functions/listSecrets/action' on scope '/subscriptions/(newsubscription Id)/resourcegroups/(new resourcegroup under new subscription)/providers/Microsoft.Logic/workflows/my-logic-app-name', however the current tenant '(tenent id of new subscription)' is not authorized to access linked subscription '(old subscription id)'."
}
Can anyone suggest how can I deal with this issue?
What I suspect is the new subscription needs to get access over old subscription for accessing azure function lying in there. What can be done in this case?
I'm sitting in a project where I will move from TFS to VSTS so we do have a working release definition.
But when I try deploying a service fabric cluster i get the following error:
2018-08-28T09:02:59.8922249Z ##[error]An error occurred attempting to acquire an Azure Active Directory token. Ensure that your service endpoint is configured properly with valid credentials. Error message: Exception calling "AcquireToken" with "3" argument(s): "AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '< service principle Id >'.
Trace ID: < guid1 is here >
Correlation ID: < guid2 is here >
Then I go to the azure portal -> AAD -> Sign In -> look up my specific sign in (based on correlation Id) and there it state that Sign-in status is Success
Considering this works for our TFS instance i assume the service principle is correctly set up. But since the build/deploy agents is now on a VM in azure instead of on prem for TFS, is there anything i need to change?
Traffic should be OK, i can navigate to the https-adress to the cluster from the VM with agents.
I've tried google it, but to no success so hopefully someone can point me to the right direction where to look.
And in portal, 'MFA is required' is no, so multi factor should not be neccesary.
Just try using certificate based authentication instead of using AAD Authentication in the service endpoint configuration.
Reference the same issue here: https://github.com/Microsoft/vsts-tasks/issues/7714
If that still not work, just try to create a new endpoint, then try it again.