Azure Automation Fails with “AADSTS50055: Password is expired.”
A while back I posted on how to set up Azure Automation to ensure your VMs get shut down if you accidentally leave them running. Very important for those of us with MSDN accounts that need to preserve Azure credits.
A few days ago when starting the runbook manually I noticed that it had no effect and my VMs didn't shut down. On investigation from the Azure Portal (Automation > $(AutomationAccount) > Runbooks > $(Runbook) > Jobs > $(CompletedJobThatIsFailing) > History) I saw that the job was throwing an exception:
Add-AzureAccount : AADSTS70002: Error validating credentials. AADSTS50055: Password is expired.
Trace ID: 4f7030e5-5d95-4c91-8b64-606231e3b056
Correlation ID: 7c2eb266-bf31-45ec-bb72-2677badd8ad3
Timestamp: 2015-01-22 00:32:53Z: The remote server returned an error: (401) Unauthorized.
At Stop-AzureVMExceptDomainController:5 char:5
+ CategoryInfo : CloseError: (:) [Add-AzureAccount], AadAuthenticationFailedException
+ FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.Profile.AddAzureAccount
So, the password on the automation account must have expired. I went through the procedure of resetting it, following the original instructions for creating the automation account, and sure enough everything sprang to life again.
Two things are troublesome about all this: firstly, I had no idea that my password had expired, and secondly, I don't want it to expire. It seems that if you don't do anything, passwords expire after 90 days. You can fix this using PowerShell, but there are one or two hoops:
- Install the Microsoft Online Services Sign-In Assistant for IT Professionals RTW.
- Install the Azure Active Directory Module for Windows PowerShell (64-bit version).
- Import the AD module using the import-module MSOnline command in PowerShell.
- Connect to Azure AD and change the automation account so the password doesn't expire using the following code:
Select-AzureSubscription $YourSubscriptionNameHere
$msolcred = Get-Credential
Connect-MsolService -Credential $msolcred
Set-MsolUser -UserPrincipalName $AccountNameYouWantToChange -PasswordNeverExpires $true
- The code above prompts you to supply credentials. However, for me, my Microsoft account didn't work -- it just kept causing an exception. I had to use a Windows Azure Active Directory account and ended up creating a new account with the Global Administrator role. Looking back, I might have been able to give the automation account I was trying to change the Global Administrator role rather than create a new one -- feel free to try this first.
- If you want to check the password expiry status of an Azure AD account use this code:
Get-MsolUser -UserPrincipalName $AccountNameYouWantToChange | Select PasswordNeverExpires
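Putting the steps above together, here is an added example script (not from the original post) that connects with the MSOnline module, shows the automation account's current password state and when it would expire under the tenant's password policy, switches PasswordNeverExpires on only if needed, and then re-reads the account to verify the change actually took. The UPN in $automationUpn is a placeholder; the 90-day fallback is an assumption for tenants where Get-MsolPasswordPolicy returns no ValidityPeriod.

```powershell
# Added example, not the original post's code. Assumes the MSOnline module is
# installed and the credential supplied is an Azure AD (work/school) account
# with the Global Administrator role.
Import-Module MSOnline

$adminCred = Get-Credential -Message 'Azure AD Global Administrator (work/school account, not a Microsoft account)'
Connect-MsolService -Credential $adminCred

$automationUpn = 'automation@contoso.onmicrosoft.com'   # placeholder: the automation account's UPN

# Read the validity period from the tenant's password policy; assume 90 days if none is set.
$domain = $automationUpn.Split('@')[1]
$validityDays = 90
try {
    $policy = Get-MsolPasswordPolicy -DomainName $domain -ErrorAction Stop
    if ($policy.ValidityPeriod) { $validityDays = [int]$policy.ValidityPeriod }
} catch {
    Write-Warning "Could not read the password policy for $domain; assuming $validityDays days."
}

$before = Get-MsolUser -UserPrincipalName $automationUpn -ErrorAction Stop
if ($before.LastPasswordChangeTimestamp) {
    $expiresOn = $before.LastPasswordChangeTimestamp.AddDays($validityDays)
    Write-Host ("Before: PasswordNeverExpires={0}; last changed {1:u}; would expire {2:u}" -f `
        $before.PasswordNeverExpires, $before.LastPasswordChangeTimestamp, $expiresOn)
} else {
    Write-Host "Before: PasswordNeverExpires=$($before.PasswordNeverExpires); no password change timestamp recorded"
}

# Only change the account if the flag is not already set.
if (-not $before.PasswordNeverExpires) {
    Set-MsolUser -UserPrincipalName $automationUpn -PasswordNeverExpires $true
}

# Verify by reading the account back rather than trusting that Set-MsolUser succeeded silently.
$after = Get-MsolUser -UserPrincipalName $automationUpn
if (-not $after.PasswordNeverExpires) {
    throw "PasswordNeverExpires is still false for $automationUpn; check that the admin account has the Global Administrator role."
}
Write-Host "After: PasswordNeverExpires=$($after.PasswordNeverExpires)"
```

The verification step matters because the symptom in the post (a runbook that silently does nothing) is exactly what you get when the flag was never set; reading the account back turns that into an immediate, visible failure instead.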
With the expiry taken care of it's time to wonder if there is some notification scheme in place for this. I noticed in my authentication account that I hadn't set an alternate email address. I have now but of course it's too late to know if that's the notification route. One for the forums I think...
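Rather than waiting to find out whether an alternate email address is the notification route, a tenant can watch for the condition directly. The following added example (not from the original post) lists every enabled Azure AD user whose password is not set to never expire and is within a warning window of the end of its validity period, so it can be run on a schedule (or as another runbook) ahead of the failure. The 90-day validity period and 14-day warning window are assumptions; the Send-MailMessage line is left as a commented placeholder.

```powershell
# Added example, not the original post's code. Assumes the MSOnline module is
# installed and an Azure AD admin credential is available.
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential -Message 'Azure AD administrator')

$validityDays = 90   # assumed tenant policy; read Get-MsolPasswordPolicy for the real value
$warnDays     = 14   # assumed warning window
$now = (Get-Date).ToUniversalTime()

$expiring = Get-MsolUser -All |
    Where-Object {
        -not $_.PasswordNeverExpires -and      # accounts whose passwords do expire
        -not $_.BlockCredential -and           # skip sign-in-blocked accounts
        $_.LastPasswordChangeTimestamp         # skip accounts with no recorded change
    } |
    ForEach-Object {
        $expiresOn = $_.LastPasswordChangeTimestamp.AddDays($validityDays)
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            LastChanged       = $_.LastPasswordChangeTimestamp
            ExpiresOn         = $expiresOn
            DaysLeft          = [math]::Floor(($expiresOn - $now).TotalDays)
        }
    } |
    Where-Object { $_.DaysLeft -le $warnDays } |   # negative DaysLeft means already expired
    Sort-Object DaysLeft

if ($expiring) {
    $expiring | Format-Table -AutoSize
    # Placeholder for the alert of your choice, e.g.:
    # Send-MailMessage -To 'ops@example.com' -From 'alerts@example.com' -SmtpServer 'smtp.example.com' `
    #     -Subject 'Azure AD passwords expiring' -Body ($expiring | Out-String)
} else {
    Write-Host "No passwords expire within $warnDays days."
}
```

Because the report includes the automation account itself when its flag is still off, the same job also catches the case where someone later resets the account and forgets to set PasswordNeverExpires again.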
Cheers -- Graham