Schedule start-up and shutdown of Azure VMs and the InvalidAuthenticationTokenTenant error

Azure, like AWS, can get pretty expensive, especially if you are using a big virtual machine with lots of RAM and CPUs. If you can’t go for a lower-spec machine or a reserved instance, your next best bet is to turn the virtual machine off when you are not using it.

Note: If you are just looking to solve the “The access token is from the wrong issuer” error, scroll down to “Correcting the InvalidAuthenticationTokenTenant error”.

Turning virtual machines off on a schedule is quite easy; you’ve been able to do this for years with Auto-shutdown.

The auto shutdown blade on an Azure Virtual Machine

The problem is remembering to start the machine up the next morning when you need to use it.

This is where Automation Tasks come in. They can be used to turn off your machine and turn it back on again. You can also use them to do a lot more.

They are available from your virtual machine in the Azure Portal. Select them and then click on Add task.

There are 4 templates to choose from here.

We’re going to choose the Power Off VM task (it’s identical in layout to the Start VM task).

Here you will need to create a connection, which is basically a login to your Azure environment. Clicking Create will ask you to connect to your Azure account; this part may produce an error when you run your task (more about this later). The same prompt appears when you click Create for Office 365, which lets the task connect to your 365 account to send an email when the task is complete. After you have done this you can click on the next step.

Configuring your task

Configuring the task. I have set

  • Task Name – This is self explanatory (the name does not allow spaces)
  • Stop Time – I have set the task to run at 7pm
  • Timezone – This is the time zone you are in; in my case this is GST
  • Interval – This is how often you want to run the task; in my case I have selected 1
  • Frequency – I have selected daily
  • Notify Me – This will notify me with the email address below when the task is complete.

So basically I have set my task to reoccur once a day at 7pm.

Click Next and you can review the task before clicking Create.

After your task has been created it will appear in a list.

The next step is to repeat the same process again for a start-up task by clicking on “Add a task” and selecting “Start Virtual Machine” as your template. All you need to do now is enter the time you wish your virtual machine to start-up in the morning. In this case I have selected the next day and 8am in the morning.

But… we’re not done yet!

Correcting the InvalidAuthenticationTokenTenant error

Depending on your setup, if you don’t carry out this step you might get the following error when your task tries to run.

  "error": {
    "code": "InvalidAuthenticationTokenTenant",
    "message": "The access token is from the wrong issuer ''. It must match the tenant '' associated with this subscription. Please use the authority (URL) '' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."

I believe this usually happens when the account you use with Azure is used in more than one Tenant and the wizard in the previous tutorial just selects the default or first tenant it finds.
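To confirm which tenant a connection's token actually came from, you can decode the token's claims and compare the `tid` and `iss` values with the tenant that owns the subscription. The following is an added example, not part of the original post: the tenant IDs and the token are constructed placeholders, the function names are hypothetical, and the decode skips signature verification, so it is suitable for diagnosis only and never for an authorization decision.

```python
import base64
import json
# Constructed placeholder tenant IDs (not real tenants).
DEFAULT_TENANT = "11111111-1111-1111-1111-111111111111"
SUBSCRIPTION_TENANT = "22222222-2222-2222-2222-222222222222"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(tenant_id: str) -> str:
    """Build a constructed token shaped like an Azure AD v1 access token."""
    header = {"typ": "JWT", "alg": "RS256"}
    claims = {"iss": f"https://sts.windows.net/{tenant_id}/", "tid": tenant_id,
              "aud": "https://management.azure.com/"}
    return ".".join(_b64url(json.dumps(p).encode()) for p in (header, claims)) + ".constructed-sig"


def token_claims(token: str) -> dict:
    """Decode the claims segment WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("claims segment is not base64url JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("claims segment is not a JSON object")
    return claims


def check_token_tenant(token: str, subscription_tenant: str) -> tuple[bool, str]:
    """Report whether the token's issuing tenant matches the subscription's tenant."""
    claims = token_claims(token)
    tid = str(claims.get("tid", "")).lower()
    iss = str(claims.get("iss", "")).lower()
    expected = subscription_tenant.lower()
    if tid == expected and expected in iss:
        return True, f"token tenant {tid} matches the subscription"
    return False, (f"token issued by tenant {tid or '<missing tid>'} (iss={iss or '<missing>'}); "
                   f"subscription expects {expected}: recreate the connection in that tenant")


if __name__ == "__main__":
    for tenant in (DEFAULT_TENANT, SUBSCRIPTION_TENANT):
        print(check_token_tenant(make_sample_token(tenant), SUBSCRIPTION_TENANT))
```

A mismatch here corresponds to the "wrong issuer" message above: the connection signed in to a different tenant from the one the subscription belongs to.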

Took me a while to figure this one out. To correct it, go back to the Tasks blade of your Virtual Machine.

Next to one of your scheduled tasks select the 3 dot menu option and from the drop down menu select “Open in Logic Apps”.

This will open the Logic Apps Designer. Expand the “Start virtual machine” operation; depending on which task you are editing, this may be called “Power off virtual machine”. Click on the “Change connection” link at the bottom (see image).

Click on “Add new” in the dialogue box that appears.

Now select the Tenant you wish to use and select “Sign in”. In my case I selected the tenant the user account and my VM were in. This will provide a login box for you to sign in with an account. In this instance it was the account I used to sign into the Azure Portal with. This will ensure the correct tenant and user account are used together and hopefully avoid the above error. After you are done, hit the Save button in the Logic App Designer window (top left-hand corner of your screen).

You can also test if your task will run correctly by running it directly from the Logic App Designer by clicking the “Run Trigger” button and then selecting “Run”.