Schedule start-up and shutdown of Azure VMs and the InvalidAuthenticationTokenTenant error

Azure, like AWS, can get pretty expensive, especially if you are using a big virtual machine with lots of RAM and CPUs. If you can’t go for a lower spec machine or a reserved instance, your next best bet is to turn the virtual machine off when you are not using it.

Note: If you are just looking to solve the “The access token is from the wrong issuer” error, scroll down to “Correcting the InvalidAuthenticationTokenTenant error”.

Turning virtual machines off on a schedule is quite easy; you’ve been able to do this for years with Auto-shutdown.

The auto shutdown blade on an Azure Virtual Machine

The problem is remembering to start the machine up the next morning when you need to use it.

This is where Automation Tasks come in. They can be used to turn off your machine and turn it back on again. You can also use them to do a lot more.

They are available from your virtual machine in the Azure Portal. Select them and then click on Add task.

There are 4 templates to choose from here

We’re going to choose the Power Off VM task (it’s identical in layout to the Start VM task).

Here you will need to create a connection, which is basically a login to your Azure environment. Clicking on Create will ask you to connect to your Azure account; this part may produce an error when you run your task (more about this later). The same will happen when you click on Create for Office 365. This is so you can connect to your 365 account to send emails when the task is complete. After you have done this you can click on the next step.

Configuring your task

Configuring the task. I have set

  • Task Name – This is self-explanatory (the name does not allow spaces)
  • Stop Time – I have set the task to run at 7pm
  • Timezone – This is the time zone you are in; in my case this is GST
  • Interval – This is how often you want to run the task; in my case I have selected 1
  • Frequency – I have selected daily
  • Notify Me – This will notify me at the email address below when the task is complete.

So basically I have set my task to reoccur once a day at 7pm.

Click next and you can review the task before clicking create

After your task has been created it will appear in a list

The next step is to repeat the same process again for a start-up task by clicking on “Add a task” and selecting “Start Virtual Machine” as your template. All you need to do now is enter the time you wish your virtual machine to start-up in the morning. In this case I have selected the next day and 8am in the morning.

But… we’re not done yet!

Correcting the InvalidAuthenticationTokenTenant error

Depending on your setup, if you don’t carry out this step you might get the following error when your task tries to run.

{
  "error": {
    "code": "InvalidAuthenticationTokenTenant",
    "message": "The access token is from the wrong issuer 'https://sts.windows.net/X8cdef3XXXX/'. It must match the tenant 'https://sts.windows.net/Xbe5b03XXXX/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/Xbe5b03XXXX' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."
  }
}

I believe this usually happens when the account you use with Azure is used in more than one Tenant and the wizard in the previous tutorial just selects the default or first tenant it finds.

Took me a while to figure this one out. To correct it, go back to the Tasks blade of your Virtual Machine.

Next to one of your scheduled tasks select the 3 dot menu option and from the drop down menu select “Open in Logic Apps”.

This will open the Logic Apps Designer. Expand the “Start virtual machine” operation; depending on which one you are editing, this may be called “Power off virtual machine”. Click on the “Change connection” link at the bottom (see image).

Click on “Add new” in the dialogue box that appears.

Now select the Tenant you wish to use and select “Sign in”. In my case I selected the tenant the user account and my VM were in. This will provide a login box for you to sign in with an account. In this instance it was the account I used to sign into the Azure Portal with. This will ensure the correct tenant and user account are used together and hopefully avoid the above error. After you are done, hit the Save button in the Logic App Designer window (top left-hand corner of your screen).

You can also test if your task will run correctly by running it directly from the Logic App Designer by clicking the “Run Trigger” button and then selecting “Run”.
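The tenant mismatch behind the error, reproduced offline as an added example (not part of the original post): it pulls the two tenants out of the error body shown above and checks a token's `iss` claim against the tenant the subscription expects. The tokens are constructed and unsigned, and `make_unsigned_token` is a hypothetical helper for the demo.

```python
import base64
import json
import re

# Constructed sample: the error body from the post, with the message cut to
# the sentence naming both tenants (tenant IDs are redacted on the page).
ARM_ERROR = json.dumps({"error": {
    "code": "InvalidAuthenticationTokenTenant",
    "message": "The access token is from the wrong issuer "
               "'https://sts.windows.net/X8cdef3XXXX/'. It must match the tenant "
               "'https://sts.windows.net/Xbe5b03XXXX/' associated with this subscription."}})

TENANT_URL = re.compile(r"https://sts\.windows\.net/([^/']+)/?")

def tenants_from_error(body):
    """Return (token_tenant, subscription_tenant) named in the error, or None."""
    err = json.loads(body)["error"]
    if err["code"] != "InvalidAuthenticationTokenTenant":
        return None
    found = TENANT_URL.findall(err["message"])
    return (found[0], found[1]) if len(found) >= 2 else None

def jwt_claims(token):
    """Decode a JWT payload for diagnosis only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_matches_tenant(token, expected_tenant):
    """True when the token's issuer is the tenant the subscription trusts."""
    m = TENANT_URL.match(jwt_claims(token).get("iss", ""))
    return bool(m) and m.group(1).lower() == expected_tenant.lower()

def make_unsigned_token(claims):
    """Hypothetical helper: build a constructed, unsigned token for the demo."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."

if __name__ == "__main__":
    token_tenant, sub_tenant = tenants_from_error(ARM_ERROR)
    stale = make_unsigned_token({"iss": "https://sts.windows.net/%s/" % token_tenant})
    fixed = make_unsigned_token({"iss": "https://sts.windows.net/%s/" % sub_tenant})
    print("default-tenant connection:", token_matches_tenant(stale, sub_tenant))
    print("re-created connection:   ", token_matches_tenant(fixed, sub_tenant))
```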


Microsoft Entra, check your Sign-in logs for SMTP Auth

If you’ve had your Microsoft 365 account for a while, you may have had SMTP Auth enabled by default. Most email clients no longer need SMTP Auth enabled, and disabling it can also reduce your attack surface significantly. I have seen audit logs in Microsoft Entra tenants where there are relentless attacks via SMTP Auth regardless of whether you have multifactor authentication methods set up.

You can check these by going to the Microsoft Entra Admin Center, selecting Users > Sign-in logs and filtering by Failure. In the columns option, add “Client App” so you can see which client this failed on. If you see SMTP, you know this is being used as an attack vector.

Image showing Entra user admin page with sign-in logs screen, demonstrating how to add more columns and filter by failed requests.

You can block SMTP Auth on individual user accounts from the Microsoft 365 Admin Centre. Select Users > Active users, select the user, select the Mail tab and then Manage email apps.

Shows a list of email apps that can be disabled on a users account in Microsoft 365

Or, if you are sure you no longer need SMTP in your organisation (think of printers that email scans to you), you can turn off SMTP Auth for your organisation altogether in the Exchange admin center under Settings > Mail flow settings. You will find “Turn off SMTP AUTH protocol for your organisation” under the Security heading.

You can read more about the Deprecation of Basic Authentication in Exchange Online here: https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online
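The sign-in log check above, and the question of whether anything still relies on SMTP before you turn it off, as an added example (not part of the original post). It assumes the sign-in logs were exported as JSON using the Microsoft Graph signIn field names (`clientAppUsed`, `status.errorCode`, `userPrincipalName`, `ipAddress`, `createdDateTime`); the records and the `rec` helper are constructed.

```python
import json

def rec(ts, upn, app, ip, code):
    """Hypothetical helper: one constructed record using signIn field names."""
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "clientAppUsed": app, "ipAddress": ip, "status": {"errorCode": code}}

# Constructed sample export. Users are made up, IPs are documentation ranges,
# errorCode 0 is a successful sign-in and 50126 is a bad username or password.
SAMPLE = json.dumps([
    rec("2024-05-01T02:11:09Z", "alice@example.com", "Authenticated SMTP", "203.0.113.10", 50126),
    rec("2024-05-01T02:11:41Z", "alice@example.com", "Authenticated SMTP", "203.0.113.10", 50126),
    rec("2024-05-01T03:40:02Z", "Alice@example.com", "Authenticated SMTP", "198.51.100.7", 50126),
    rec("2024-05-01T08:02:13Z", "alice@example.com", "Browser", "192.0.2.44", 0),
    rec("2024-05-01T08:15:30Z", "bob@example.com", "Browser", "192.0.2.45", 50126),
    rec("2024-05-01T09:00:00Z", "scanner@example.com", "Authenticated SMTP", "192.0.2.20", 0),
])

def is_smtp(r):
    """Matches the Client App values that mention SMTP, as the post suggests."""
    return "smtp" in (r.get("clientAppUsed") or "").lower()

def failed(r):
    """Any non-zero errorCode is a failed sign-in."""
    return (r.get("status") or {}).get("errorCode", 0) != 0

def smtp_failures_by_user(records):
    """Per targeted account: failed SMTP attempts, source IPs, latest attempt."""
    out = {}
    for r in records:
        if is_smtp(r) and failed(r):
            s = out.setdefault(r["userPrincipalName"].lower(),
                               {"attempts": 0, "ips": set(), "last": ""})
            s["attempts"] += 1
            s["ips"].add(r["ipAddress"])
            s["last"] = max(s["last"], r["createdDateTime"])
    return out

def smtp_still_in_use(records):
    """Accounts with a successful SMTP sign-in: review before blocking SMTP AUTH."""
    return sorted({r["userPrincipalName"].lower()
                   for r in records if is_smtp(r) and not failed(r)})

if __name__ == "__main__":
    records = json.loads(SAMPLE)
    for upn, s in smtp_failures_by_user(records).items():
        print(upn, s["attempts"], sorted(s["ips"]), s["last"])
    print("still using SMTP:", smtp_still_in_use(records))
```

Accounts returned by `smtp_still_in_use` are the ones (printers, scanners, older mail clients) to sort out before switching SMTP AUTH off for the whole organisation.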



Migrating from DasBlog to WordPress

The Ripple Rock blogs have been on DasBlog for a long time. It was a great blog engine in its time with a small footprint because it stored all of its data in XML and didn’t need a database. However, things have changed and we finally decided to take the plunge and move over to WordPress.

TL;DR? Scroll down to How to do it

The Journey

I had initially thought the migration would be a simple process. There are several tech people out there with blog articles on how they transitioned from DasBlog to WordPress. There were even plugins that would import the XML files that DasBlog uses into WordPress and preserve all the legacy content. However many of those articles were written several years ago and one of the plugins for importing that content from DasBlog no longer works.

I spent ages looking at various solutions that would work and with many I hit brick walls where certain plugins were not supported or just didn’t work as technology had moved on, or the site that hosted them had long since disappeared!

Eventually I realised I couldn’t export directly from DasBlog to WordPress; I had to export from DasBlog to a format that was still supported by WordPress, and that format was BlogML!

I discovered a DasBlog to BlogML Converter on Merill Fernando’s site. He had made a GUI wrapper for the converter, which was originally made by Paul Van Brenk. Unfortunately the link to this converter, which was hosted on a Microsoft site, no longer worked. However, Shital Shah kindly made the application available from his GitHub repo found here.

Finally I was able to export my blog from DasBlog to BlogML!

Next I needed a BlogML to WordPress WRX converter.

I discovered a BlogML importer created by Saravana using some of the source code from the legacy blog migrator project, which sadly no longer appears to exist anymore. Saravana created this code back in 2012. I then discovered another chap, Michael Freidgeim, who took the source code and made some improvements to it, such as logging and fixing the importing of comments. You can see the repo he made for it over here.

Michael’s code worked like a charm; however, on importing a large DasBlog into WordPress I ran into some issues where WordPress kept on repeating the same article over and over again. I wasn’t sure what was to blame here and I spent ages looking on WordPress forums about the issue. Several people had encountered this issue but there never really seemed to be a solution to it. So I decided to look into the PHP code myself to try and work out what was going on. To be clear, I am not a PHP coder; I mainly code in C#.

But what I discovered made perfect sense. MySQL, which is what WordPress uses as its database, can support some pretty high integer numbers, and in theory when people share details about how many articles WordPress can support they post some high numbers. The problem is that MySQL can support those high numbers, but WordPress was basically taking the post id number from MySQL and converting it to an int. An int in PHP can only support a number no greater than 2147483647. If you try to cast an int any higher than that number, PHP will just convert it back to 2147483647, which was the post id of the article I kept on seeing duplicates of.

What had happened was the BlogML importer had kept the GUIDs that DasBlog used for its post ids; when I had imported this into WordPress, it had just attempted to convert these to integers, but very high level integers. To get around the issue, I changed the BlogML to WRX code so instead of using the existing post ids I got it to use a configurable identity seed which you can set yourself. This solved the issue for me. You can access the fork of the repository here which has my changes.

How to do it

Convert to BlogML

Convert your DasBlog to BlogML using the DasBlogML converter. The converter is pretty straightforward. You just need to point it to the root of your DasBlog folder and it will do the rest.

Converting from BlogML to WordPress WRX

Convert the BlogML to WordPress WRX format using the converter found here. (Don’t forget to use an identity seed for your post ids.)

Let’s unpack a bit of what’s happening on the command line here. I have put in my existing blog url and the target url where I am currently setting up my WordPress blog. I am also using the BlogPostIDSeed of 50. On a new WordPress blog this seems to be a safe number to me. If you are using content with an existing blog I’d look in your WordPress database just to be on the safe side. For more details on why I use a BlogPostIDSeed, please see the journey text above.

The above will create:

  • [filename].wrx.Redirect.txt – This contains the redirect rules in .htaccess format from your old blog urls to your new so you can keep your SEO traffic. More on this later
  • [filename].wrx.SourceQA.txt – This is a list of source urls that were processed
  • [filename].wrx.TargetQA.txt – This is a list of their corresponding target urls
  • [filename].wrx.xml – This is the file that contains all of your blog articles.

Importing your WRX file into WordPress

Max WordPress File Upload

Before you get to this step, you will probably need to increase the allowable upload size for files to WordPress. To do this I made the change in my PHP.INI file. Depending on your hosting provider you’ll probably want to check which method is best for you. There is an article here

Importing

WordPress has an import menu under its Tools menu where you can select the import feature you want. In this case we are selecting the WordPress Importer.

On this screen select the wrx.xml file you created in the previous step.

The importer should work. If you have problems with file sizes you will need to increase the max uploaded file size allowed.

Redirects

Redirection

WordPress is going to change the urls of your blog articles. If search engines have your old blog article URLs indexed, users are going to get 404 errors when visiting them. To prevent this we need to put some redirects in; I made use of a WordPress plugin called Redirection by John Godley. You can install this plugin from the WordPress plugins menu option. Install the plugin.

Editing your Redirect Files

In one of our previous steps the BlogML converter created a file called [filename].wrx.Redirect.txt. This file contains redirects you would usually see in the .htaccess file. If you are happy pasting these into your .htaccess file, go ahead now. I wanted to use the Redirection plugin so I could keep track of errors or any other redirect issues. However, I ended up editing this file to simplify it for me. I wasn’t able to import it as it was for my purposes.

Step 1

I imported the file as a space separated file into Excel and I deleted the columns I didn’t want (see the image). I just wanted the Source URL and the Target URL.

Step 2

I made all the URLs relative with a simple search and replace. You can see in the image I have done the first column. I also did this for the second column. I also replaced the .aspx$ to just be .aspx. After this I exported my file as a CSV file.

Step 3

I then imported my CSV file into the Redirection plugin we installed earlier in WordPress.

You can now see I have all my redirects imported. All the legacy URLs will now permanently 301 redirect to their WordPress URLs.

Finishing Touches

If, like me, you made use of plugins to display your code, you may find your code looks a bit odd now.

The above code was formatted in a plugin for Windows Live Writer called Smart Content. The WordPress styles seem to throw this code out a bit. I found I needed to add a bit of CSS to correct that by selecting the Customize option (found at the top left of the page when logged in and on an article page) and then selecting Additional CSS.

If you are late to the migration party like I was, hopefully this article will be helpful to you.


“Update does not apply or is blocked by another condition on your computer” TFS Update 4

If you get the above error when installing TFS 2013 Update 4, you may find the following article useful.

http://blogs.msdn.com/b/heaths/archive/2014/05/23/update-does-not-apply-or-is-blocked-by-another-condition-on-your-computer.aspx

In my case I installed another program that required Update 4. In this case because it was a test machine I installed Visual Studio 2013 and Update 4 suddenly worked.