Forum Discussion
Error: User is not authorized to query the management service
Hi andrewstollery, thanks and welcome. What is the result of this command?
Get-RdsRoleAssignment
You should set something like this. In particular, the AppId must be the same as the app you created earlier:
New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -ApplicationId $svcPrincipal.AppId -TenantGroupName $myTenantGroupName -TenantName $myTenantName -HostPoolName $hostpoolname
That AppId must be the same as the app you visited in the Azure Portal, where you created the new key that you used during the deployment of the Azure Marketplace WVD template.
And make sure that the user you are using to join the VMs to the domain also has Owner access on the Azure subscription.
It needs to be able to run PowerShell DSC on the VMs.
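The check and the assignment described above, written out as an added PowerShell example (not a script from the thread or from Microsoft): it resolves the service principal for the AppId used in the Marketplace template, lists the current assignments on the host pool with Get-RdsRoleAssignment, and only calls New-RdsRoleAssignment when the "RDS Owner" assignment is actually missing. It assumes the Az.Resources and Microsoft.RDInfra.RDPowerShell modules are installed and you are already signed in (Connect-AzAccount and Add-RdsAccount); the placeholder values and the assumption that each assignment object exposes RoleDefinitionName and ObjectId are mine, not the page's.

```powershell
# Added example, not from the thread. Idempotent "RDS Owner" assignment for the WVD service principal.
# Placeholders: replace with the values you used when deploying the Marketplace template.
$myTenantGroupName = 'Default Tenant Group'        # placeholder
$myTenantName      = '<your-wvd-tenant>'           # placeholder
$hostpoolname      = '<your-host-pool>'            # placeholder
$expectedAppId     = '<app-id-from-azure-portal>'  # AppId of the registered app whose key you created in the Portal

# Resolve the service principal behind that AppId (Az.Resources). Fail early if it does not exist,
# because New-RdsRoleAssignment with an unknown AppId would not give a useful error.
$svcPrincipal = Get-AzADServicePrincipal -ApplicationId $expectedAppId
if (-not $svcPrincipal) {
    throw "No service principal found for AppId $expectedAppId - check the app registration in the Azure Portal."
}

# What is currently assigned on the host pool (this is the Get-RdsRoleAssignment check from the reply above).
$assignments = Get-RdsRoleAssignment -TenantGroupName $myTenantGroupName `
                                     -TenantName $myTenantName `
                                     -HostPoolName $hostpoolname
$assignments | Format-Table -AutoSize

# Assumption: assignment objects expose RoleDefinitionName and ObjectId (the principal's object id).
$owners   = $assignments | Where-Object { $_.RoleDefinitionName -eq 'RDS Owner' }
$existing = $owners      | Where-Object { $_.ObjectId -eq $svcPrincipal.Id }

if ($existing) {
    Write-Host "RDS Owner is already assigned to AppId $expectedAppId on host pool $hostpoolname; nothing to do."
} else {
    # Same command as in the reply above; the AppId is the one from the app registration used by the template.
    New-RdsRoleAssignment -RoleDefinitionName 'RDS Owner' `
                          -ApplicationId $expectedAppId `
                          -TenantGroupName $myTenantGroupName `
                          -TenantName $myTenantName `
                          -HostPoolName $hostpoolname
}

# Least-privilege review: list every other principal that holds RDS Owner on this host pool, so that
# stale or unexpected owners can be removed rather than accumulating over repeated deployments.
$otherOwners = $owners | Where-Object { $_.ObjectId -ne $svcPrincipal.Id }
if ($otherOwners) {
    Write-Warning "Other RDS Owner assignments exist on $hostpoolname - review whether each is still needed:"
    $otherOwners | Format-Table -AutoSize
}
```

Run it once after the template deployment; re-running is safe because it only creates the assignment when the lookup finds nothing, and the final listing is there to catch owners that should no longer be present.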
Erjen Rijnders wrote:
And make sure that the user you are using to join the VMs to the domain also has Owner access on the Azure subscription.
It needs to be able to run PowerShell DSC on the VMs.
Do you have any pointers to this? I have not seen this mentioned anywhere else, and I am not satisfied with having a local AD user have owner rights on a subscription.
For other reasons I am going to remove my WVD setup and start over, and I want to be sure to do every little bit right this time :-)
Thanks!
- Christian_Montoya, Jun 17, 2019 (Microsoft)
Erjen Rijnders : The permission to retrieve and run DSC is authorized when you run the template. Afterwards, as long as the VM can reach out and download the DSC package, it will run it (not exactly sure if it runs in the context of the local admin or the Azure VM Agent).
- Oletho, Jun 16, 2019 (Copper Contributor)
Erjen Rijnders @christianmontoya
My host pool succeeded, domain joining with a local AD user (not AAD synced) with no permissions other than joining computers to my local AD. Exactly the behaviour I was hoping for.
I cannot tell about the PS DSC question, but all lights are green and I take that as a good sign.
- Erjen Rijnders, Jun 15, 2019 (Brass Contributor)
Christian_Montoya then how is it able to push PowerShell DSC commands? You need permissions on your Azure tenant.
- Christian_Montoya, Jun 14, 2019 (Microsoft)
Oletho : The local AD user that will domain-join the VMs does not need to have any Azure permissions (my test tenant certainly does not).
- Erjen Rijnders, Jun 14, 2019 (Brass Contributor)
Oletho I think it was in the Microsoft docs at first, but I am not sure. But at least you can try it for testing purposes and take away the permissions later. The deployment of WVD won't tell you if you do not have enough permissions on your subscription. But I think the "Virtual Machine Contributor" role should work too.