DavidMagrathSmith
Copper Contributor
Oct 28, 2019

New-RdsAppGroup error

Hi,

I've deployed a host pool, and have no problem logging in and installing apps. Now I want to set up RemoteApp, but when I run:

New-RdsAppGroup tenantname.onmicrosoft.com Hostpoolname Appgroupname -ResourceType "RemoteApp"

I get this error:

New-RdsAppGroup : User is not authorized to query the management service.
ActivityId: 2864fdf4-7092-4584-a0f8-4fbb8dd6f49b
Powershell commands to diagnose the failure:
Get-RdsDiagnosticActivities -ActivityId 2864fdf4-7092-4584-a0f8-4fbb8dd6f49b
At line:1 char:1
+ New-RdsAppGroup tenantname.onmicrosoft.com Hostpoolname Appgroupnam ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : FromStdErr: (Microsoft.RDInf....NewRdsAppGroup:NewRdsAppGroup) [New-RdsAppGroup], RdsPow
erShellException
+ FullyQualifiedErrorId : UnauthorizedAccess,Microsoft.RDInfra.RDPowershell.AppGroup.NewRdsAppGroup

And running the suggested Get-RdsDiagnosticActivities returns the same error.

I'm running this as the global admin, who is also an RDS Owner. Appreciate any help... thanks!

  • DavidMagrathSmith : Can you start by running "Get-RdsRoleAssignment" and specifying the tenant? Then with the tenant and host pool?

    Also, it might just be that you left the PowerShell session open, in which case you need to log out and log back in to refresh your Azure AD token.

    • DavidMagrathSmith
      Copper Contributor

      Christian_Montoya Here's what I have for role assignments. The second one (the service principal) was never used because the host pool creation on the marketplace would always fail with the same "User is not authorized to query the management service" error. So I ended up creating the host pool with my UPN instead.

      RoleAssignmentId : 302c9ef6-f57a-4be1-2187-08d751db72f6
      Scope : /Default Tenant Group/Tenantname
      TenantGroupName : Default Tenant Group
      TenantName : Tenantname
      DisplayName : Amy Sfakios
      SignInName : amy@altaxprep.com
      GroupObjectId : cb94329e-f164-446d-9108-8fab6a39f41d
      AADTenantId : ca33ca83-5314-4ab0-81a8-c23a97718057
      AppId : fa4345a4-a730-4230-84a8-7d9651b86739
      RoleDefinitionName : RDS Owner
      RoleDefinitionId : 3b14baea-8d82-4610-f5da-08d623dd1cc4
      ObjectId : d82af3d3-4e0c-400d-f5fc-08d750e946f0
      ObjectType : User
      Item :

      RoleAssignmentId : 35a5f471-3313-4797-c489-08d756666d7a
      Scope : /Default Tenant Group/Tenantname/Hostpoolname
      TenantGroupName : Default Tenant Group
      TenantName : Tenantname
      HostPoolName : Hostpoolname
      DisplayName :
      SignInName :
      GroupObjectId : 00000000-0000-0000-0000-000000000000
      AADTenantId : ca33ca83-5314-4ab0-81a8-c23a97718057
      AppId : 7f1a85b3-49d1-4a06-a88c-da005bdb3b43
      RoleDefinitionName : RDS Owner
      RoleDefinitionId : 3b14baea-8d82-4610-f5da-08d623dd1cc4
      ObjectId : 09a7de92-caf2-48ad-06bb-08d75666623e
      ObjectType : ServicePrincipal
      Item :

      Maybe the problem is that the role assignment for my UPN is not scoped to the pool?

      Thanks,

      Dave

      • Christian_Montoya
        Microsoft

        DavidMagrathSmith : Did you get any further on this? Primarily, it's a little challenging to troubleshoot permissions/access without specific details. If you have official support through Azure, I'd recommend going that way and they might be able to get down to the root cause. Just a notice though: even if you have a Global Admin account, that does not automatically give you access to manage WVD.
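
The role-assignment check discussed in the replies above, as an added example that is not part of the original thread: it tests whether a given account holds an assignment whose scope covers a target host pool. The helper name `Get-CoveringAssignment`, the sample accounts and the sample AppId are hypothetical, and the code assumes that an assignment at a parent scope also applies to the scopes beneath it, which the thread itself does not confirm.

```powershell
# Constructed sample data shaped like the Get-RdsRoleAssignment output shown in this thread.
# In a live session, $assignments would be the objects that cmdlet returns.
$assignments = @(
    [pscustomobject]@{ Scope = '/Default Tenant Group/Tenantname'
                       SignInName = 'admin@contoso.example'; AppId = ''
                       RoleDefinitionName = 'RDS Owner'; ObjectType = 'User' }
    [pscustomobject]@{ Scope = '/Default Tenant Group/Tenantname/Hostpoolname'
                       SignInName = ''; AppId = '00000000-0000-0000-0000-000000000001'
                       RoleDefinitionName = 'RDS Owner'; ObjectType = 'ServicePrincipal' }
)

function Get-CoveringAssignment {
    # Hypothetical helper: returns the assignments held by $Principal whose scope is
    # the target scope or one of its parents (assumes downward inheritance of scopes).
    param(
        [Parameter(Mandatory)] [object[]] $Assignments,
        [Parameter(Mandatory)] [string]   $Principal,   # UPN or service principal AppId
        [Parameter(Mandatory)] [string]   $TargetScope
    )
    $target = $TargetScope.TrimEnd('/')
    foreach ($a in $Assignments) {
        $isPrincipal = ($a.SignInName -eq $Principal) -or ($a.AppId -eq $Principal)
        if (-not $isPrincipal) { continue }
        $scope = $a.Scope.TrimEnd('/')
        # Compare whole path segments so "/G/Tenant" does not cover "/G/Tenant2".
        $covers = ($target -eq $scope) -or
                  $target.StartsWith("$scope/", [System.StringComparison]::OrdinalIgnoreCase)
        if ($covers) { $a }
    }
}

# Report, per account, which assignment (if any) reaches the host pool scope.
$poolScope = '/Default Tenant Group/Tenantname/Hostpoolname'
foreach ($who in 'admin@contoso.example', 'other@contoso.example') {
    $hits = @(Get-CoveringAssignment -Assignments $assignments -Principal $who -TargetScope $poolScope)
    if ($hits.Count -gt 0) {
        $hits | ForEach-Object { "{0}: {1} via {2}" -f $who, $_.RoleDefinitionName, $_.Scope }
    } else {
        "{0}: no assignment covers {1}" -f $who, $poolScope
    }
}
```

Run it with the account the PowerShell session is actually signed in as, since an assignment listed for a different sign-in name does not help the current session.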
