Triplesticks

Reputation: 363

Azure Logic App: Azure VM Connector - InvalidAuthenticationTokenTenant

I'm trying to use the Azure VM Connector to start and stop a Virtual Machine.

When I edit the Logic App it uses my User Id to authenticate (successfully).

However, my User Id is in a different Tenant than the VM. The Start Virtual Machine connector allows you to specify the SubscriptionId, ResourceGroup, and VM Name, but not the TenantId.

I get an Authorization (401) error (InvalidAuthenticationTokenTenant) when I try to run the Logic App. How can I specify the correct TenantId to get it working?

"error": { "code": "InvalidAuthenticationTokenTenant", "message": "The access token is from the wrong issuer 'https://sts.windows.net/a35caae4-15e1-4518-bd0f-c1fd0f22814c/'. It must match the tenant 'https://sts.windows.net/600ab0db-7c24-401f-b5be-d765e88dfb09/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/600ab0db-7c24-401f-b5be-d765e88dfb09b' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later." }

Upvotes: 2

Views: 1575

Answers (1)

Triplesticks

Reputation: 363

I solved the problem by doing 3 things:

  1. Enable Managed Identities for the Logic App
  2. Add a new role assignment in the VM's Access Control (IAM) section for the Logic App
  3. Update the Start virtual machine task in the Logic App to connect using the managed identity

The following link regarding Azure Functions to Start/Stop VMs provided the basic steps that I applied to the Azure Logic App(s) in my case.

Upvotes: 1
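A local check for the tenant mismatch behind the error in the question, as an added example that is not part of the original post: it reads the `iss` claim of an access token and compares it with the tenant that owns the subscription. The function names and the unsigned sample token are constructed for illustration; the two tenant GUIDs are the ones quoted in the error message.

```python
import base64
import json
import re

# Issuer format as it appears in the error message: https://sts.windows.net/<tenant-guid>/
ISSUER_RE = re.compile(r"^https://sts\.windows\.net/([0-9a-fA-F-]{36})/?$")

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_tenant(access_token: str) -> str:
    """Return the tenant GUID from the token's 'iss' claim.
    No signature check: this is a local diagnostic, not token validation."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    match = ISSUER_RE.match(claims.get("iss", ""))
    if not match:
        raise ValueError("unexpected issuer format: %r" % claims.get("iss"))
    return match.group(1).lower()

def check_tenant(access_token: str, subscription_tenant: str) -> tuple[bool, str]:
    """Compare the token's issuing tenant with the subscription's tenant."""
    issued_by = token_tenant(access_token)
    if issued_by == subscription_tenant.lower():
        return True, "token tenant matches subscription tenant"
    return False, ("token issued by tenant %s but subscription belongs to %s; "
                   "expect 401 InvalidAuthenticationTokenTenant"
                   % (issued_by, subscription_tenant.lower()))

def make_sample_token(tenant_id: str) -> str:
    # Constructed, unsigned sample token for offline demonstration only.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"iss": "https://sts.windows.net/%s/" % tenant_id,
              "aud": "https://management.azure.com/", "tid": tenant_id}
    return "%s.%s.%s" % (enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig")

if __name__ == "__main__":
    USER_TENANT = "a35caae4-15e1-4518-bd0f-c1fd0f22814c"  # issuer named in the error
    VM_TENANT = "600ab0db-7c24-401f-b5be-d765e88dfb09"    # tenant of the subscription
    print(check_tenant(make_sample_token(USER_TENANT), VM_TENANT))
    print(check_tenant(make_sample_token(VM_TENANT), VM_TENANT))
```

A token obtained through the Logic App's managed identity is issued by the tenant the Logic App resource lives in, which is why the check passes once the connector uses that identity and the VM is in the same tenant.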
