Unable to upgrade AKS cluster due to InvalidAuthenticationTokenTenant for VNet

Info Babakom 0 Reputation points

Hi, we have a Kubernetes cluster which was down for 2 months due to non payment. Now we have made the payment but the cluster is in Failed (Running) state because the kubernetes version of control plane is 1.26.6 which is not supported any more by Azure. I found on the internet that I need to reconcile the cluster through command line. So I tried both az aks update and az aks upgrade but I am getting below error:

(GetVnetError) Get virtual network failed. Subscription: 5e517657-22a3-4373-bab6-7d6eefb2d3e8; resource group: MC_Babakom_babakomProduction_uaenorth; virtual network name: aks-vnet-32955649. autorest/azure: Service returned an error. Status=401 Code="InvalidAuthenticationTokenTenant" Message="The access token is from the wrong issuer 'https://sts.windows.net/1f79a1b9-878e-4371-ac4b-eb4841b3ef44/'. It must match the tenant 'https://sts.windows.net/1c9201a3-5c16-4e36-ab5f-6b09d6421ecd/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/1c9201a3-5c16-4e36-ab5f-6b09d6421ecd' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."

I found that the virtual network aks-vnet-32955649 is in another resource group, that might be causing the issue so I moved it to the same resource group as the cluster. Even after more than a week I am getting the same error.

I rechecked aks-vnet-32955649 does not belong to group MC_Babakom_babakomProduction_uaenorth but still getting this error.

Can any one help in this regards?


Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
1,975 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Ammar-Abdelqader01 1,156 Reputation points Microsoft Employee

    Hello @Info Babakom

    Thank you for your question, did you reconcile the AKS cluster once you moved the VNET to the correct RG ?

    az aks update -n <myAKSCluster> -g <myResourceGroup>


    If this has been helpful, please take a moment to accept answers as this helps increase the visibility of this question for other members of the Microsoft Q&A community. Thank you for helping to improve Microsoft Q&A!

    User's image

  2. AlaaBarqawi_MSFT 942 Reputation points Microsoft Employee

    Just asking was there any migration for AKS to another tenant ?

    if AKS cluster using servicePrincipal ; can you try to update the service principal for the AKS cluster?


    az ad sp create-for-rbac --role Contributor --scopes /subscriptions/$SUBSCRIPTION_ID

    az aks update-credentials \ --resource-group $RESOURCE_GROUP_NAME \ --name $CLUSTER_NAME \ --reset-service-principal \ --service-principal "$SP_ID" \ --client-secret "${SP_SECRET}"