Forum Discussion
New-RdsAppGroup error
Hi,
I've deployed a host pool, and have no problem logging in and installing apps. Now I want to set up RemoteApp, but when I run:
New-RdsAppGroup tenantname.onmicrosoft.com Hostpoolname Appgroupname -ResourceType "RemoteApp"
I get this error:
New-RdsAppGroup : User is not authorized to query the management service.
ActivityId: 2864fdf4-7092-4584-a0f8-4fbb8dd6f49b
Powershell commands to diagnose the failure:
Get-RdsDiagnosticActivities -ActivityId 2864fdf4-7092-4584-a0f8-4fbb8dd6f49b
At line:1 char:1
+ New-RdsAppGroup tenantname.onmicrosoft.com Hostpoolname Appgroupnam ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : FromStdErr: (Microsoft.RDInf....NewRdsAppGroup:NewRdsAppGroup) [New-RdsAppGroup], RdsPow
erShellException
+ FullyQualifiedErrorId : UnauthorizedAccess,Microsoft.RDInfra.RDPowershell.AppGroup.NewRdsAppGroup
And running the suggested Get-RdsDiagnosticActivities returns the same error.
I'm running this as the global admin, who is also an RDS Owner. Appreciate any help... thanks!
- Christian_MontoyaMicrosoft
DavidMagrathSmith : Can you start by running "Get-RdsRoleAssignment" and specifying the tenant? Then with the tenant and host pool?
Also, it might just be that you left the PowerShell session open, in which case you need to log out and log back in to refresh your Azure AD token.
- DavidMagrathSmithCopper Contributor
Christian_Montoya Here's what I have for role assignments. The second one (the service principal) was never used because the host pool creation on the marketplace would always fail with the same "User is not authorized to query the management service" error. So I ended up creating the host pool with my UPN instead.
RoleAssignmentId : 302c9ef6-f57a-4be1-2187-08d751db72f6
Scope : /Default Tenant Group/Tenantname
TenantGroupName : Default Tenant Group
TenantName : Tenantname
DisplayName : Amy Sfakios
SignInName : amy@altaxprep.com
GroupObjectId : cb94329e-f164-446d-9108-8fab6a39f41d
AADTenantId : ca33ca83-5314-4ab0-81a8-c23a97718057
AppId : fa4345a4-a730-4230-84a8-7d9651b86739
RoleDefinitionName : RDS Owner
RoleDefinitionId : 3b14baea-8d82-4610-f5da-08d623dd1cc4
ObjectId : d82af3d3-4e0c-400d-f5fc-08d750e946f0
ObjectType : User
Item :RoleAssignmentId : 35a5f471-3313-4797-c489-08d756666d7a
Scope : /Default Tenant Group/Tenantname/Hostpoolname
TenantGroupName : Default Tenant Group
TenantName : Tenantname
HostPoolName : Hostpoolname
DisplayName :
SignInName :
GroupObjectId : 00000000-0000-0000-0000-000000000000
AADTenantId : ca33ca83-5314-4ab0-81a8-c23a97718057
AppId : 7f1a85b3-49d1-4a06-a88c-da005bdb3b43
RoleDefinitionName : RDS Owner
RoleDefinitionId : 3b14baea-8d82-4610-f5da-08d623dd1cc4
ObjectId : 09a7de92-caf2-48ad-06bb-08d75666623e
ObjectType : ServicePrincipal
Item :Maybe the problem is that the role assignment for my UPN is not scoped to the pool?
Thanks,
Dave
- Christian_MontoyaMicrosoft
DavidMagrathSmith : Did you get any further on this? Primarily, it's a little challenging to troubleshoot permissions/access without specific details. If you have official support through Azure, I'd recommend going that way and they might be able to get down to the root cause. Just a notice though: even if you have a Global Admin account, that does not automatically give you access to manage WVD.