Hello Maxime Dousset,
Thank you for reaching out with this detailed information. The error message InvalidAuthenticationTokenTenant provides a very specific and helpful clue, indicating that the authentication token being used is from the wrong Azure Active Directory (AAD) tenant.
Based on the error details, the following troubleshooting steps should help you resolve the issue and successfully set up your automation task.
Solution / Troubleshooting Steps
- Re-authenticate with the Correct Tenant
  - Edit the connection used by the Power off virtual machine action.
  - Ensure it uses the authority URL matching the subscription’s tenant:
    https://login.windows.net/5e28ae04-9985-436a-b5bf-2c2314bd2cd2
  - If using an Automation Account, re-import the Run As connection or recreate the connection.
- Verify Tenant–Subscription Association
  - In Azure Portal → Subscriptions → [Your Subscription] → Properties, check the Directory (Tenant) ID.
  - Make sure your automation resource (Logic App or Automation Account) is in the same directory or granted cross-tenant permissions.
- Handle Recent Transfers
  - If the subscription was recently transferred, wait 30–60 minutes for propagation, then retry.
- Use Managed Identity (Preferred)
  - If possible, assign a System-assigned Managed Identity to your Logic App or Automation Account.
  - Grant that identity the Contributor role on the VM’s resource group or subscription.
  - Reconnect the “Power off virtual machine” action using the Managed Identity—this avoids hardcoding tenant tokens.
- Double-check Role Assignments
  - Finally, ensure the service principal or identity you are using has the necessary permissions.
  - Confirm that it has at least Contributor or Virtual Machine Contributor access on the virtual machine or the resource group where the VM resides.
Documentation & References:
- Troubleshoot “InvalidAuthenticationTokenTenant” error
- Move resources between tenants or subscriptions
- Use managed identity for Logic Apps
- Azure Automation Run As account authentication
If the above steps don’t resolve the issue, could you confirm:
- Whether the subscription was recently moved between tenants?
- Which authentication method your Logic App or Automation Account is currently using?
- Have you tried re-creating or re-authenticating the Azure Resource Manager connection?
This will help narrow down whether it’s a token mismatch or a tenant propagation delay.
I hope these steps help you get your automation task running smoothly. Please let me know if the problem persists, and we can investigate further. Thank you!
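An added example, not part of the answer above and not Microsoft's code: a small diagnostic that reads the `tid` and `iss` claims from an access token and compares them with the tenant ID from the authority URL quoted in the answer. The function names and the sample tokens are constructed for illustration; the payload is decoded without signature verification, so the result is for troubleshooting only.

```python
import base64
import json

# Tenant ID taken from the authority URL in the answer above.
EXPECTED_TENANT = "5e28ae04-9985-436a-b5bf-2c2314bd2cd2"

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_claims(jwt: str) -> dict:
    """Return the JWT payload claims WITHOUT verifying the signature.
    Diagnostic use only: never base an authorization decision on this."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def tenant_check(jwt: str, expected_tenant: str = EXPECTED_TENANT) -> dict:
    """Compare the token's tenant (tid claim and the tenant embedded in iss)
    with the tenant that owns the subscription."""
    claims = token_claims(jwt)
    tid = str(claims.get("tid", "")).lower()
    iss = str(claims.get("iss", "")).lower()
    expected = expected_tenant.lower()
    return {"tid": tid or None, "iss": iss or None,
            "tid_matches": tid == expected,
            "iss_matches": expected in iss}

def make_sample_token(tid: str) -> str:
    # Constructed, unsigned sample token for the demo; not a real credential.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    payload = {"iss": f"https://sts.windows.net/{tid}/", "tid": tid,
               "aud": "https://management.azure.com/"}
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(payload), "sig"])

if __name__ == "__main__":
    # Constructed placeholder tenant standing in for the "wrong" directory.
    wrong = make_sample_token("00000000-0000-0000-0000-000000000000")
    right = make_sample_token(EXPECTED_TENANT)
    for label, tok in (("wrong-tenant", wrong), ("correct-tenant", right)):
        print(label, tenant_check(tok))
```

A token whose `tid` differs from the subscription's Directory (Tenant) ID points to a connection authenticated against the wrong directory rather than to a missing role assignment.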