Home

Error: User is not authorized to query the management service

%3CLINGO-SUB%20id%3D%22lingo-sub-388955%22%20slang%3D%22en-US%22%3EError%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-388955%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20following%20the%20directions%20below%2C%20I%20always%20run%20into%20an%20error%20related%20to%20querying%20the%20management%20service.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Fcreate-host-pools-azure-marketplace%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Fcreate-host-pools-azure-marketplace%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EError%20message%20from%20the%20Azure%20portal%3A%3C%2FP%3E%3CP%3E%22error%22%3A%20%7B%20%22code%22%3A%20%22VMExtensionProvisioningError%22%2C%20%22message%22%3A%20%22VM%20has%20reported%20a%20failure%20when%20processing%20extension%20'dscextension'.%20Error%20message%3A%20%5C%22DSC%20Configuration%20'FirstSessionHost'%20completed%20with%20error(s).%20Following%20are%20the%20first%20few%3A%20PowerShell%20DSC%20resource%20MSFT_ScriptResource%20failed%20to%20execute%20Set-TargetResource%20functionality%20with%20error%20message%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20logged%20in%20as%20a%20user%20that%20in%20the%20global%20admin%20role%20in%20Azure%20AD%2C%20and%20it's%20also%20a%20user%20in%20the%20Windows%20Virtual%20Desktop%20enterprise%20application.%26nbsp%3B%20I've%20consented%20to%20the%20graph%20and%20Azure%20AD%20permissions%20under%20the%20enterprise%20app%20as%20well%2C%20any%20ideas%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-394531%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-394531%22%20slang%3D%22en-US%22%3EMaybe%20it%20helps%20someone%20getting%20WVD%20up%20and%20running%3A%20%3CA%20href%3D%22https%3A%2F%2Ferjenrijnders.nl%2F2019%2F04%2F04%2Fhow-to-deploy-windows-virtual-desktop-in-azure%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Ferjenrijnders.nl%2F2019%2F04%2F04%2Fhow-to-deploy-windows-virtual-desktop-in-azure%2F%3C%2FA%3E%20Using%20the%20service%20principal%20with%20the%20correct%20permissions%20worked%20for%20me.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-391007%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-391007%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F193704%22%20target%3D%22_blank%22%3E%40Christopher%20Anderson%3C%2FA%3E%26nbsp%3B%3A%20Yes%2C%20I%20definitely%20support%20the%20last%20message%2C%20that%20one%20of%20our%20goals%20is%20to%20have%20all%20of%20this%20functionality%20straight%20from%20the%20Azure%20portal%2C%20without%20having%20to%20hop%20around%20everywhere.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThank%20you%20for%20all%20of%20the%20feedback%2C%20and%20keep%20it%20coming!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-390256%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-390256%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F193704%22%20target%3D%22_blank%22%3E%40Christopher%20Anderson%3C%2FA%3E%26nbsp%3B%3A%20Just%20to%20clarify%2C%20the%20%22tenant%20group%22%20name%20should%20always%20be%20%22Default%20Tenant%20Group%22.%20Only%20in%20very%20few%20circumstances%20does%20this%20change.%20But%20yes%2C%20you%20always%20need%20to%20provide%20the%20same%20%22tenant%22%20name%20everywhere%20you%20go.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-390175%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-390175%22%20slang%3D%22en-US%22%3E%3CP%3EI%20was%20able%20to%20work%20around%20this%20issue.%26nbsp%3B%20Here%20is%20what%20I%20noted%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%26nbsp%3B%20Regardless%20of%20account%2C%20you%20don't%20seem%20to%20be%20able%20to%20delete%20existing%20tenant%20groups%20once%20their%20created%20using%20the%20Remove-RdsTenant%20account.%26nbsp%3B%20I%20always%20get%20the%20%22user%20is%20not%20authorized%20to%20query%20the%20management%20service%22%20error%20no%20matter%20what%20I%20do.%3C%2FP%3E%3CP%3E2.%26nbsp%3B%20Also%2C%20one%20of%20the%20steps%20I%20may%20have%20missed%20the%20first%20time%20is%20that%20the%20tenant%20group%20name%20you%20create%20via%20PowerShell%20has%20to%20match%20to%20what%20you%20create%20via%20the%20Azure%20portal.%26nbsp%3B%20After%20creating%20a%20new%20tenant%20group%20in%20Powershell%20separate%20from%20the%20default%20one%2C%20it%20worked%20when%20I%20referenced%20the%20new%20tenant%20group%20name%20in%20the%20Azure%20portal.%26nbsp%3B%20Hopefully%20at%20some%20point%2C%20Microsoft%20will%20have%20an%20end-to-end%20solution%20for%20creating%20the%20tenant%2C%20tenant%20group%20name%2C%20and%20host%20pool%20all%20within%20the%20portal.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-389534%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-389534%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3BI%20checked%20those%20steps%20again%20and%20I'm%20still%20not%20sure%20what%20I'm%20missing.%26nbsp%3B%20I%20reproduced%20the%20error%20outside%20of%20the%20template%20in%20PowerShell%20by%20doing%20the%20following%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%26nbsp%3B%20Created%20a%20new%20user%20account%20in%20Azure%20AD%20and%20put%20it%20in%20the%20TenantCreator%20role%20for%20Windows%20Virtual%20Desktop.%3C%2FP%3E%3CP%3E2.%26nbsp%3B%20Opened%20PowerShell%20as%20an%20admin%2C%20and%20added%20%2F%20logged%20into%20the%20account%20above%20using%20Add-RdsAccount%3C%2FP%3E%3CP%3E3.%26nbsp%3B%20Attempted%20to%20call%20Remove-RdsTenant%20as%20part%20of%20clean%20up%20to%20try%20and%20see%20if%20I%20could%20execute%20the%20template%20from%20scratch%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20857px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F100276i61575B333C2ECC9E%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%222019-03-27%2012_28_22-Administrator_%20Windows%20PowerShell.png%22%20title%3D%222019-03-27%2012_28_22-Administrator_%20Windows%20PowerShell.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-389532%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-389532%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F193704%22%20target%3D%22_blank%22%3E%40Christopher%20Anderson%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20the%20same%20issue%20too%20after%20following%20the%20instructions.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3BNew-RdsTenant%20-Name%20'projectstest'%20-AadTenantId%20xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx%20-AzureSubscriptionId%20xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx%3CBR%20%2F%3ENew-RdsTenant%20%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service.%3CBR%20%2F%3EActivityId%3A%20xxxxxxx-9dec-485a-82ee-xxxxxxxxxxx%3CBR%20%2F%3EPowershell%20commands%20to%20diagnose%20the%20failure%3A%3CBR%20%2F%3EGet-RdsDiagnosticActivities%20-ActivityId%20xxxxxxx-9dec-485a-82ee-xxxxxxxxxx%3CBR%20%2F%3EAt%20line%3A1%20char%3A1%3CBR%20%2F%3E%2B%20New-RdsTenant%20-Name%20'projectstest'%20-AadTenantId%20xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx%20...%3CBR%20%2F%3E%2B%20~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~%3CBR%20%2F%3E%2B%20CategoryInfo%20%3A%20FromStdErr%3A%20(Microsoft.RDInf...nt.NewRdsTenant%3ANewRdsTenant)%20%5BNew-RdsTenant%5D%2C%20RdsPowerSh%3CBR%20%2F%3EellException%3CBR%20%2F%3E%2B%20FullyQualifiedErrorId%20%3A%20UnauthorizedAccess%2CMicrosoft.RDInfra.RDPowershell.Tenant.NewRdsTenant%3CBR%20%2F%3EFollowed%20the%20guide%20here%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Ftenant-setup-azure-active-directory%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Ftenant-setup-azure-active-directory%3C%2FA%3E%3C%2FP%3E%3CP%3ETurned%20off%20MFA%20for%20the%20account.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EGranted%20permissions%20for%20client%20and%20server%20here%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Frdweb.wvd.microsoft.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Frdweb.wvd.microsoft.com%2F%3C%2FA%3E%3C%2FP%3E%3CP%3EGranted%20permissions%20here%20for%20Virtual%20desktop%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Faad.portal.azure.com%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Faad.portal.azure.com%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-389502%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-389502%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F193704%22%20target%3D%22_blank%22%3E%40Christopher%20Anderson%3C%2FA%3E%26nbsp%3B%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F28489%22%20target%3D%22_blank%22%3E%40Patrick%20F%3C%2FA%3E%26nbsp%3B%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F172194%22%20target%3D%22_blank%22%3E%40Seth%20Zwicker%3C%2FA%3E%26nbsp%3B%3A%20The%20reason%20you%20see%20the%20%22User%20is%20not%20authorized%20to%20query%20the%20management%20service%22%20from%20the%20DSC%20extension%20is%20because%20the%20user%20who%20you%20provided%20in%20the%20last%20blade%20(where%20you%20also%20defined%20your%20Windows%20Virtual%20Desktop%20tenant%20name)%20does%20not%20have%20permissions%20in%20the%20tenant%20that%20you%20specified.%20A%20couple%20things%20you%20can%20check%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EDid%20you%20create%20a%20tenant%20from%20these%20steps%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Ftenant-setup-azure-active-directory%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fvirtual-desktop%2Ftenant-setup-azure-active-directory%3C%2FA%3E%26nbsp%3B%3F%3C%2FLI%3E%0A%3CLI%3ECan%20you%20login%20to%20Windows%20Virtual%20Desktop%20with%20the%20username%20you%20provided%20in%20the%20last%20blade%20of%20%3CA%20title%3D%22Windows%20Virtual%20Desktop%20-%20Provision%20a%20host%20pool%22%20href%3D%22https%3A%2F%2Fportal.azure.com%2F%23create%2Frds.wvd-provision-host-poolpreview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20Marketplace%20offering%3C%2FA%3E%2C%20and%20does%20it%20require%20MFA%20to%20login%3F%20If%20that%20account%20does%20require%20MFA%2C%20it%20will%20not%20work%20when%20running%20as%20part%20of%20the%20script%20because%20there's%20no%20UI%20to%20prompt%20you%20for%20that%20second%20factor.%3C%2FLI%3E%0A%3CLI%3EAfter%20logging%20in%20with%20that%20user%20account%2C%20can%20you%20run%20%22Get-RdsTenant%22%20to%20make%20sure%20that%20same%20Windows%20Virtual%20Desktop%20tenant%20shows%20appears%3F%3C%2FLI%3E%0A%3CLI%3EDouble%2Ftriple%20check%20that%20you%20entered%20the%20right%20values%20in%20the%20%3CA%20title%3D%22Windows%20Virtual%20Desktop%20-%20Provision%20a%20host%20pool%22%20href%3D%22https%3A%2F%2Fportal.azure.com%2F%23create%2Frds.wvd-provision-host-poolpreview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20Marketplace%20offering%3C%2FA%3E.%20For%20the%20most%20part%2C%20the%20%3CSTRONG%3EWindows%20Virtual%20Desktop%20tenant%20group%20name%3C%2FSTRONG%3E%20should%20remain%20as%20%22Default%20Tenant%20Group%22%20and%20make%20sure%20to%20enter%20the%20%3CSTRONG%3EWindows%20Virtual%20Desktop%20tenant%20name%3C%2FSTRONG%3E%20you%20created%20earlier%2C%20not%20a%20new%20one.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EThanks%20for%20testing%20and%20your%20patience%20here.%20We're%20compiling%20this%20same%20information%20and%20generating%20a%20Troubleshooting%20guide%20that%20hopefully%20should%20help%20you%20get%20unblocked%20yourself!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-389290%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-389290%22%20slang%3D%22en-US%22%3ECould%20this%20be%20my%20problem%3F%20The%20instructions%20point%20to%20infrastructure%20requirements%20which%20says%20it%20needs%20the%20following%20things.....%3CBR%20%2F%3E-An%20Azure%20Active%20Directory%3CBR%20%2F%3E-A%20Windows%20Server%20Active%20Directory%20in%20sync%20with%20Azure%20Active%20Directory.%3CBR%20%2F%3E-An%20Azure%20subscription%2C%20containing%20a%20virtual%20network%20that%20either%20contains%20or%20is%20connected%20to%20the%20Windows%20Server%20Active%20Directory.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20don't%20have%20a%20local%20ad%20synced%20to%20azure%20ad.%20I%20only%20have%20azure%20ad.%3CBR%20%2F%3EThe%20instructions%20seems%20to%20refer%20that%20you%20need%20all%20of%20it.%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-389180%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-389180%22%20slang%3D%22en-US%22%3EI'm%20getting%20the%20exact%20same%20thing.%20Any%20news%20or%20updates%20on%20this%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-389127%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-389127%22%20slang%3D%22en-US%22%3EI%20have%20the%20same%20problem.%20Does%20anyone%20have%20some%20ideas%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-426101%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-426101%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F35253%22%20target%3D%22_blank%22%3E%40Erjen%20Rijnders%3C%2FA%3E%2C%26nbsp%3Bfirstly%20thank%20you%20for%20pulling%20together%20that%20post%20and%20the%20associated%20PowerShell.%20It%20certainly%20makes%20the%20first%20steps%20for%20setting%20up%20WVD%20easier.%20However%2C%20my%20efforts%20in%20this%20are%20still%20failing%20on%20that%20last%20step%20in%20the%20Azure%20deployment%20%2Fdscextension%20with%20the%20error%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%22%3CSPAN%3E%3CSPAN%20class%3D%22Apple-converted-space%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3EPowerShell%20DSC%20resource%20MSFT_ScriptResource%3CSPAN%3E%3CSPAN%20class%3D%22Apple-converted-space%22%3E%26nbsp%3B%20%3C%2FSPAN%3E%3C%2FSPAN%3Efailed%20to%20execute%20Set-TargetResource%20functionality%20with%20error%20message%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service.%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20wondering%20exactly%20what%20the%20step%20is%20doing%3F%20I've%20remoted%20on%20to%20the%20VM%20which%20gets%20created%20and%20tired%20trawling%20through%20the%20event%20logs%20but%20there%20are%20no%20more%20details.%20I%20have%20also%20tried%20using%20just%20a%20UPN%20rather%20than%20your%20suggestion%20of%20service%20principle.%20It%20is%20a%20real%20head%20scratcher!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20going%20to%20go%20off%20and%20create%20a%20brand%20new%20AAD%20tenant%20and%20AAD%20DS%20resource%20just%20to%20rule%20out%20anything%20related%20to%20our%20existing%20corporate%20AAD%20tenant.%20Wish%20me%20luck%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-426876%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-426876%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318397%22%20target%3D%22_blank%22%3E%40andrewstollery%3C%2FA%3E%2C%20Thanks%20and%20welcome.%20What%20is%20the%20result%20of%20this%20command%3F%3CBR%20%2F%3EGet-RdsRoleAssignment%3CBR%20%2F%3E%3CBR%20%2F%3EYou%20should%20set%20something%20like%20this.%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20421px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F107547iF5D2043B8BCA6EFF%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22rdsowner.jpg%22%20title%3D%22rdsowner.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEspecially%2C%20the%20appid%20must%20be%20the%20same%20as%20the%20app%20you%20created%20earlier%3A%3CBR%20%2F%3ENew-RdsRoleAssignment%20-RoleDefinitionName%20%22RDS%20Owner%22%20-ApplicationId%20%24svcPrincipal.AppId%20-TenantGroupName%20%24myTenantGroupName%20-TenantName%20%24myTenantName%20-HostPoolName%20%24hostpoolname%3CBR%20%2F%3E%3CBR%20%2F%3EThat%20AppID%20must%20be%20the%20same%20as%20the%20app%20you%20visited%20in%20the%20Azure%20Portal%2C%20creating%20te%20new%20key%20and%20used%20during%20the%20deployment%20of%20the%20Azure%20Marketplace%20WVD%20template.%3CBR%20%2F%3E%3CBR%20%2F%3EAnd%20make%20sure%2C%20that%20the%20user%20you%20are%20using%20joining%20the%20VM's%20to%20the%20domain%2C%20is%20also%20having%20Owner%20access%20on%20the%20Azure%20subscription.%3CBR%20%2F%3EIt%20needs%20to%20be%20able%20to%20run%20PowerShell%20DSC%20on%20the%20VM's.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-427067%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-427067%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F35253%22%20target%3D%22_blank%22%3E%40Erjen%20Rijnders%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHey%20i%20am%20also%20have%20the%20same%20issue%20i%20followed%20both%20the%20microsoft%20guide%20and%20Erjen%20guild%20and%20failing%20on%20the%26nbsp%3B%3CSPAN%3EDSCextension.%20I%20am%20thinking%20the%20problem%20is%20with%26nbsp%3BAADDS.%20Has%20anyone%20made%20it%20work%20with%20AADDS%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CP%20class%3D%221554901958191%22%3Ethanks%3C%2FP%3E%3C%2FBLOCKQUOTE%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-427093%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-427093%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F26347%22%20target%3D%22_blank%22%3E%40Stavros%20Mitchell%3C%2FA%3E%2C%20I%20have%20not%20tested%20with%20AAD%20DS%2C%20but%20from%20what%20I%20know%2C%20in%20the%20preview%20version%20you%20need%20a%20working%20AD%20Connect%2C%20meaning%20that%20you%20can%20only%20use%20an%20onprem%20AD.%20I%20hope%20they%20remove%20it%20from%20the%20production%20version.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-427249%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-427249%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F35253%22%20target%3D%22_blank%22%3E%40Erjen%20Rijnders%3C%2FA%3E%2C%26nbsp%3Bthank%20you%20for%20the%20prompt%20reply.%20Given%20the%20number%20of%20times%20I've%20run%20this%20now%2C%20I%20actually%20get%205%20RoleAssigmentIds%20returned...oops.%20How%20do%20I%20tidy%20those%20up%3F%20Using%20Remove-RdsRoleAssigment%20I%20guess%3F%20I'll%20have%20a%20crack%20at%20that%20later...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20last%20one%20in%20the%20list%20though%20is%20the%20correct%20one%3A%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F107550iE91E6533EF929A01%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22Screenshot%202019-04-10%20at%2014.18.02.png%22%20title%3D%22Screenshot%202019-04-10%20at%2014.18.02.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20guess%20the%20only%20difference%20for%20me%20is%20that%20I%20am%20using%20AAD%20DS%20too%2C%20which%20you%20stated%20below%20is%20not%20supported.%20I'm%20not%20sure%20why%20not%3F%20I%20can%20get%20the%20VM%20to%20join%20the%20AAD%20DS%20domain.%20It%20is%20the%20DSCextension%20step%20which%20fails.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnyhow%2C%20I'll%20do%20some%20tidying%20up%20and%20also%20keep%20progressing%20with%20my%20greenfield%20AAD%2C%20AAD%20DS%20and%20WVD%20deployment.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-427506%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-427506%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318397%22%20target%3D%22_blank%22%3E%40andrewstollery%3C%2FA%3E%2C%20you%20did%20create%20a%20new%20key%20within%20that%20app%20from%20the%20Azure%20Portal%20right%3F%20And%20you%20used%20that%20key%20during%20deployment%20on%20step%204%3F%3C%2FP%3E%3CP%3EAnd%20the%20user%20you%20are%20using%20deploying%20the%20VM's%2C%20does%20have%20owner%20rights%20on%20the%20Azure%20Subscription%3F%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EI%20agree%20it%20should%20work%2C%20however%20with%20AAD%20DS%20you%20don't%20have%20access%20to%20the%20RPC-service.%20So%20that%20could%20be%20the%20reason%20it%20doesn't%20work.%20But%20still%20curious%20if%20you%20checked%20the%20points%20I%20just%20mentioned.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-427717%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-427717%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318397%22%20target%3D%22_blank%22%3E%40andrewstollery%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20pretty%20sure%20the%20issue%20is%20AADDS.%20I%20think%20i%20will%20set%20up%20a%20VM%20for%20active%20directory%20and%20link%20it%20to%20AADDS%20and%20see%20if%20that%20corrrects%20my%20issue%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-427812%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-427812%22%20slang%3D%22en-US%22%3EHi%20Erjen%2C%3CBR%20%2F%3E%3CBR%20%2F%3EYes%2C%20my%20friend%2C%20I%20created%20my%20service%20principles%20key%20and%20used%20that.%20I%20listened%20to%20everything%20you%20wrote%2C%20you%20know%20what%20you%20are%20doing%20so%20I%20didn't%20want%20to%20assume%20anything%20%3A).%20I%20also%20doubled%20checked%20the%20VM%20deployment%20user%20is%20Owner%20on%20the%20subscription%20and%20it%20is.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20really%20appreciate%20your%20help%20with%20this%2C%20thank%20you%20for%20replying.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-428060%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-428060%22%20slang%3D%22en-US%22%3EAlright%2C%20than%20it%20must%20be%20the%20AAD%20DS%20limitation%20indeed..%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-428796%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-428796%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F26347%22%20target%3D%22_blank%22%3E%40Stavros%20Mitchell%3C%2FA%3E%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20inclined%20to%20agree%20now.%20I've%20finished%20a%20completely%20new%20setup%3A%3C%2FP%3E%3CUL%3E%3CLI%3EAAD%20Tenant%3C%2FLI%3E%3CLI%3EAAD%20DS%20Resource%3C%2FLI%3E%3CLI%3EFollowed%20Erjen's%20excellent%20deployment%20steps%20for%20WVD%3C%2FLI%3E%3C%2FUL%3E%3CP%3EDeployment%20fails%20at%20the%20%2Fdcsextension%26nbsp%3Bstep%20every%20time%20with%20the%20error%20%22%3CSPAN%3EPowerShell%20DSC%20resource%20MSFT_ScriptResource%20failed%20to%20execute%20Set-TargetResource%20functionality%20with%20the%20error%20message%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI'm%20still%20not%20sure%20I%20understand%20why%20WVD%20requires%20a%20full-blown%20ADDS%20domain%20controller%20to%20work%3F%20Perhaps%20a%20Microsoft%20representative%20can%20shed%20some%20light%20on%20this%3F%20Anyway%2C%20just%20like%20you%2C%20I%20am%20not%20prepared%20to%20give%20up!%20%3A)%3C%2Fimg%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3ENext%20step%20is%20to%20deploy%20an%20IaaS%20ADDS%20VM%20and%20use%20AAD%20Connect%20to%20sync%20up%20to%20AAD%20and%20then%20run%20the%20WVD%20setup%20again...watch%20this%20space!%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-428869%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-428869%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318397%22%20target%3D%22_blank%22%3E%40andrewstollery%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAccording%20to%20Microsoft%20Document%3C%2FP%3E%3CP%3E%3CSPAN%3EA%20Windows%20Server%20Active%20Directory%20in%20sync%20with%20Azure%20Active%20Directory.%20This%20can%20be%20enabled%20through%3A%3C%2FSPAN%3E%3C%2FP%3E%3CUL%3E%3CLI%3EAzure%20AD%20Connect%3C%2FLI%3E%3CLI%3EAzure%20AD%20Domain%20Services%3C%2FLI%3E%3C%2FUL%3E%3CP%3EI%20am%20trying%20to%20see%20how%20that%20works%20I%20didn't%20know%20you%20can%20create%20a%20new%20Windows%20Server%20Active%20Directory%20and%20sync%20with%20AADDS.%20I%20have%20always%20used%20AD%20Connect.%20Unless%20i%20am%20misunderstanding%20the%20requirements%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-429027%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-429027%22%20slang%3D%22en-US%22%3EYeah%2C%20I%20was%20after%20the%20why%3F%20%3A)%3C%2Fimg%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-429482%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-429482%22%20slang%3D%22en-US%22%3EMaybe%20check%20if%20there%20is%20a%20conditional%20access%20policy%20applying%20to%20the%20admin%20account%20you%20specified%20in%20the%20deployment%20steps.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-429865%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-429865%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F26347%22%20target%3D%22_blank%22%3E%40Stavros%20Mitchell%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318397%22%20target%3D%22_blank%22%3E%40andrewstollery%3C%2FA%3E%20%3A%20Yes%2C%20you%20would%20always%20use%20Azure%20AD%20Connect%20to%20synchronize%20your%20Windows%20Server%20AD%20up%20to%20Azure%20AD.%20However%2C%20if%20you%20are%20a%20cloud%20organization%20and%20have%20no%20Windows%20Server%20AD%2C%20then%20you%20can%20use%20Azure%20AD%20Domain%20Services%20to%20create%20a%20managed%20Windows%20Server%20AD%20on%20the%20virtual%20network%20that%20would%20have%20the%20same%20users%20as%20your%20Azure%20AD.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20intent%20was%20that%20these%20are%20each%20mechanisms%20that%20will%20allow%20the%20users%20to%20be%20recognized%20both%20%22in%20the%20cloud%22%20and%20%22on-prem%22.%20We%20can%20change%20the%20wording%20to%20make%20that%20more%20clear.%20Open%20to%20suggestions!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-429962%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-429962%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318397%22%20target%3D%22_blank%22%3E%40andrewstollery%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eok%20so%20i%20got%20it%20to%20work%20with%20only%20AADDS%20i%20followed%20this%20guide.%20I%20think%20my%20issue%20was%20the%20users%20i%20was%20putting%20to%20allowe.%20I%20left%20it%20blank%20this%20time%20and%20it%20worked%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22http%3A%2F%2Fwww.rebeladmin.com%2F2019%2F04%2Fstep-step-guide-azure-windows-virtual-desktop-preview%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fwww.rebeladmin.com%2F2019%2F04%2Fstep-step-guide-azure-windows-virtual-desktop-preview%2F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-430513%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-430513%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20also%20having%20many%20of%20the%20same%20issues%20covered%20in%20this%20thread%20trying%20to%20deploy%20Windows%20Virtual%20Desktop%20Preview.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20followed%20all%20of%20the%20directions%20linked%20in%20this%20thread%2C%20including%20Erjen's%20very%20useful%20blog%20post%20and%20I%20am%20still%20getting%20the%20dreaded%20%22User%20is%20not%20authorized%20to%20query%20the%20management%20service%22%20failure%20during%20the%20DSCExtension%20part%20of%20the%20deployment.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20deployment%20user%20is%20a%20subscription%20owner%2C%20I%20have%20my%20regular%20AD%20synced%20with%20AAD%20complete%20with%20password%20hash%20sync%2C%20I%20created%20Service%20Principles%20with%20RDS%20Owner%20permissions%2Froles%20and%20used%20the%20APP%20IDs%20and%20Keys%20for%20the%20Tenant%20Admin%20credentials.%20I%20have%20tried%20deploying%20without%20any%20default%20users%20set%2C%20but%20despite%20all%20of%20this%20I%20still%20get%20the%20same%20failure.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20extremely%20frustrating.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-430616%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-430616%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20I%20try%20and%20deploy%20using%20my%20subscription%20owner%20UPN%20for%20the%20Tenant%20Admin%20credentials%20instead%20of%20the%20Service%20principle%20credentials%2C%20I%20get%20a%20different%20error%20on%20the%20DSCExtention%20phase%20of%20the%20deployment...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3E%3CDIV%3E%3CSPAN%3EVM%20has%20reported%20a%20failure%20when%20processing%20extension%20'dscextension'.%20Error%20message%3A%20%5C%5C%5C%22DSC%20Configuration%20'FirstSessionHost'%20completed%20with%20error(s).%20Following%20are%20the%20first%20few%3A%20PowerShell%20DSC%20resource%20MSFT_ScriptResource%20failed%20to%20execute%20Set-TargetResource%20functionality%20with%20error%20message%3A%20One%20or%20more%20errors%20occurred.%20The%20SendConfigurationApply%20function%20did%20not%20succeed%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-431085%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-431085%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318712%22%20target%3D%22_blank%22%3E%40GriffinDodd%3C%2FA%3E%20%3A%20Are%20you%20able%20to%20install%20the%20PowerShell%20locally%20and%20try%20logging%20in%20with%20that%20service%20principal%3F%20Also%2C%20the%20other%20requirement%20for%20the%20service%20principal%20is%20that%20it%20must%20be%20created%20as%20a%20%22Converged%20app%22%20or%20as%20%22multi-tenant%22%20because%20our%20service%20currently%20uses%20a%203rd%20party%20Azure%20AD%20application%20for%20authentication.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-431922%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-431922%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3BI%20created%20the%20service%20principal%20following%20the%20guidelines%20laid%20out%20in%20Erjens%20blog%20post.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20tried%20two%20methods%2C%20one%20where%20you%20create%20the%20tenant%20and%20service%20principle%20as%20illustrated%20in%20Erjen's%20directions%2C%20another%20where%20you%20use%20the%20Managed%20Domain%20as%20the%20tenant%20and%20use%20Managed%20Domain%20admin%20credentials%2C%20both%20give%20the%20same%20errors.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHere%20is%20how%20I%20am%20creating%20the%20tenant...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%24myTenantGroupName%20%3D%20%22Default%20Tenant%20Group%22%3CBR%20%2F%3E%24myTenantName%20%3D%20%22%3CMY%20tenant%3D%22%22%20name%3D%22%22%3E%22%20%23As%20you%20used%20in%20the%20previous%20step%3CBR%20%2F%3E%24hostpoolname%20%3D%20%22%3CMY%20host%3D%22%22%20pool%3D%22%22%20name%3D%22%22%3E%22%3C%2FMY%3E%3C%2FMY%3E%3C%2FP%3E%3CP%3E%23%20create%20the%20service%20principal%3A%3CBR%20%2F%3E%24aadContext%20%3D%20Connect-AzureAD%3CBR%20%2F%3E%24svcPrincipal%20%3D%20New-AzureADApplication%20-AvailableToOtherTenants%20%24true%20-DisplayName%20%22Windows%20Virtual%20Desktop%20Svc%20Principal%22%3CBR%20%2F%3E%24svcPrincipalCreds%20%3D%20New-AzureADApplicationPasswordCredential%20-ObjectId%20%24svcPrincipal.ObjectId%3C%2FP%3E%3CP%3E%23%20Don't%20change%20the%20URL%20below.%3CBR%20%2F%3EAdd-RdsAccount%20-DeploymentUrl%20%22%3CA%20href%3D%22https%3A%2F%2Frdbroker.wvd.microsoft.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Frdbroker.wvd.microsoft.com%3C%2FA%3E%22%3CBR%20%2F%3ESet-RdsContext%20-TenantGroupName%20%24myTenantGroupName%3CBR%20%2F%3ENew-RdsHostPool%20-TenantName%20%24myTenantName%20-name%20%24hostpoolname%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENew-RdsRoleAssignment%20-RoleDefinitionName%20%22RDS%20Owner%22%20-ApplicationId%20%24svcPrincipal.AppId%20-TenantGroupName%20%24myTenantGroupName%20-TenantName%20%24myTenantName%20-HostPoolName%20%24hostpoolname%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-432101%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-432101%22%20slang%3D%22en-US%22%3E%3CP%3EI%20created%20my%20tenant%20like%20this....%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENew-RdsTenant%20-Name%20%3CMY%20tenant%3D%22%22%20name%3D%22%22%3E%20-AadTenantId%20%3CAAD%20id%3D%22%22%3E%20-AzureSubscriptionId%20%3CAZ%20sub%3D%22%22%20id%3D%22%22%3E%3C%2FAZ%3E%3C%2FAAD%3E%3C%2FMY%3E%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E%24myTenantGroupName%20%3D%20%22Default%20Tenant%20Group%22%3CBR%20%2F%3E%24myTenantName%20%3D%20%22%3CMY%20tenant%3D%22%22%20name%3D%22%22%3E%22%20%23As%20you%20used%20in%20the%20previous%20step%3CBR%20%2F%3E%24hostpoolname%20%3D%20%22%3CMY%20pool%3D%22%22%20name%3D%22%22%3E%22%3C%2FMY%3E%3C%2FMY%3E%3C%2FP%3E%3CP%3E%23%20create%20the%20service%20principal%3A%3CBR%20%2F%3E%24aadContext%20%3D%20Connect-AzureAD%3CBR%20%2F%3E%24svcPrincipal%20%3D%20New-AzureADApplication%20-AvailableToOtherTenants%20%24true%20-DisplayName%20%22Windows%20Virtual%20Desktop%20Svc%20Principal%22%3CBR%20%2F%3E%24svcPrincipalCreds%20%3D%20New-AzureADApplicationPasswordCredential%20-ObjectId%20%24svcPrincipal.ObjectId%3C%2FP%3E%3CP%3E%23%20Don't%20change%20the%20URL%20below.%3CBR%20%2F%3EAdd-RdsAccount%20-DeploymentUrl%20%22%3CA%20href%3D%22https%3A%2F%2Frdbroker.wvd.microsoft.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Frdbroker.wvd.microsoft.com%3C%2FA%3E%22%3CBR%20%2F%3ESet-RdsContext%20-TenantGroupName%20%24myTenantGroupName%3CBR%20%2F%3ENew-RdsHostPool%20-TenantName%20%24myTenantName%20-name%20%24hostpoolname%3C%2FP%3E%3CP%3E%3CBR%20%2F%3ENew-RdsRoleAssignment%20-RoleDefinitionName%20%22RDS%20Owner%22%20-ApplicationId%20%24svcPrincipal.AppId%20-TenantGroupName%20%24myTenantGroupName%20-TenantName%20%24myTenantName%20-HostPoolName%20%24hostpoolname%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-432198%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-432198%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3BSee%20above%20regarding%20Tenant%20and%20Service%20Principal%20creation.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOn%20trying%20to%20log%20in%20to%20Azure%20with%20the%20service%20principal%20I%20seem%20to%20be%20able%20to%20log%20in%20and%20see%20the%20Account%20ID%2C%20a%20blank%20subscriptionName%20(%3F%3F%3F%3F)%2C%20TenantID%20and%20Environment%20listed%20as%20AzureCloud%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-432885%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-432885%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3BI%20recreated%20the%20RDS%20Owner%20role%20for%20the%20Service%20Principle%20Tenant%2C%20and%20I%20still%20get%20this%20error...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3E%3CDIV%3E%3CSPAN%3EDSC%20Configuration%20'FirstSessionHost'%20completed%20with%20error(s).%20Following%20are%20the%20first%20few%3A%20PowerShell%20DSC%20resource%20MSFT_ScriptResource%20failed%20to%20execute%20Set-TargetResource%20functionality%20with%20error%20message%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-434635%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-434635%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318712%22%20target%3D%22_blank%22%3E%40GriffinDodd%3C%2FA%3E%26nbsp%3BDid%20you%20run%20the%26nbsp%3BAdd-RdsAccount%20command%3F%20To%20run%20using%20Service%20Principal%20credentials%20I%20run%20the%20command%3A%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAdd-RdsAccount%20-DeploymentUrl%20%22%3CA%20href%3D%22https%3A%2F%2Frdbroker.wvd.microsoft.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Frdbroker.wvd.microsoft.com%3C%2FA%3E%22%20-ServicePrincipal%20-AadTenantId%20%22%5Badd-your-id%5D%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThen%20enter%20the%20Service%20Principal%20AppId%20and%20password.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3ERunning%20get-rdscontext%20should%20then%20show%20the%20username%20as%20ServicePrincipal.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-438498%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-438498%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F286984%22%20target%3D%22_blank%22%3E%40tilikumtim%3C%2FA%3E%26nbsp%3BI%20went%20through%20the%20steps%20you%20provided%2C%20however%20my%20username%20is%20returned%20as%20blank%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPS%20C%3A%5CWINDOWS%5Csystem32%26gt%3B%20get-rdscontext%3C%2FP%3E%3CP%3EDeploymentUrl%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3BTenantGroupName%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20UserName%3CBR%20%2F%3E-------------%20---------------%20--------%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Frdbroker.wvd.microsoft.com%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Frdbroker.wvd.microsoft.com%26nbsp%3B%3C%2FA%3E%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20Default%20Tenant%20Group%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20role%20assignment%20looks%20like%20this..%3CBR%20%2F%3E%3CBR%20%2F%3ERoleAssignmentId%20%3A%20xxxxx-xxxx-xxxx-xxxx-xxxxxxx%3CBR%20%2F%3EScope%20%3A%20%2FDefault%20Tenant%20Group%2FLMRVVDTENANT%2FLMRVpoolname%3CBR%20%2F%3ETenantGroupName%20%3A%20Default%20Tenant%20Group%3CBR%20%2F%3ETenantName%20%3A%20LMRVVDTENANT%3CBR%20%2F%3EHostPoolName%20%3A%20LMRVpoolname%3CBR%20%2F%3EDisplayName%20%3A%3CBR%20%2F%3ESignInName%20%3A%3CBR%20%2F%3EGroupObjectId%20%3A%3CBR%20%2F%3EAADTenantId%20%3A%3CBR%20%2F%3EAppId%20%3A%20xxxxx-xxxx-xxxx-xxxx-xxxxxxx%3CBR%20%2F%3ERoleDefinitionName%20%3A%20RDS%20Owner%3CBR%20%2F%3ERoleDefinitionId%20%3A%20xxxxx-xxxx-xxxx-xxxx-xxxxxxx%3CBR%20%2F%3EObjectId%20%3A%20xxxxx-xxxx-xxxx-xxxx-xxxxxxx%3CBR%20%2F%3EObjectType%20%3A%20ServicePrincipal%3CBR%20%2F%3EItem%20%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20inspected%20the%20Manifest%20for%20my%20Svc%20Principal%20and%20noticed%20on%20line%202%20that%20the%20appRoles%20value%20was%20empty%2C%20is%20that%20correct%3F%20Should%20it%20read%20%22RDS%20Owner%22%20%3F%3F%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-439069%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-439069%22%20slang%3D%22en-US%22%3E%3CP%3EAfter%20completely%20remaking%20my%20Tenant%20and%20Service%20Principal%20I%20was%20finally%20able%20to%20to%20get%20a%20successful%20deployment%20using%20my%20UPN%20rather%20than%20AppID%20and%20secret.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%20now%2C%20I%20see%20two%20Session%20Desktops%20(with%20no%20icon)%20in%20my%20rdweb%20feed%2C%20double%20clicking%20either%20of%20them%20errors%20out%20trying%20to%20launch%20an%20rdp%20file%20at%20an%20invalid%20path%20local%20path%20on%20my%20PC.%20Instead%20of%20having%20my%20proper%20name%20of%20%22xxx%20xxx%20Dodd%22%20(my%20user%20folder)%20at%20the%20beginning%20of%20the%20path%2C%20it%20simply%20has%20%22Dodd%22%20so%20obviously%20it%20cannot%20find%20the%20RDP%20file.%20When%20I%20drill%20down%20to%20where%20the%20RDP%20files%20are%20stored%20(along%20with%20their%20icons)%20and%20try%20and%20manually%20launch%20them%20with%20the%20remote%20desktop%20app%20the%20connection%20also%20fails%20with%20the%20error%3CBR%20%2F%3E%3CBR%20%2F%3E%22The%20RDP%20file%20provided%20is%20invalid.%20Make%20sure%20the%20file%20contains%20the%20full%20address%20and%20is%20formatted%20properly%20or%20contact%20your%20admin%20for%20help%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%20when%20in%20Office%20365%2C%20launching%20the%20'Windows%20Virtual%20Desktop'%20app%20resolves%20to%20an%20invalid%20URL%20after%20first%20trying%20to%20hit%20a%20session%20at%20account.activedirectory.windowsazure.com%2Fapplications%2Fsignin%2Fxxxxxx%20and%20ends%20at%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmrs-prod.ame.gbl%2Fmrs-RDInfra-prod%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmrs-prod.ame.gbl%2Fmrs-RDInfra-prod%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-439297%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-439297%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20been%20able%20to%20successfully%20connect%20through%20the%20web%20client%20at%26nbsp%3B%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Frdweb.wvd.microsoft.com%2Fwebclient%2Findex.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Frdweb.wvd.microsoft.com%2Fwebclient%2Findex.html%3C%2FA%3E%3C%2FP%3E%3CP%3Ealthough%20I%20still%20see%20the%20ghost%20'session%20desktop'%20icon%20in%20my%20feed%20from%20previous%20failed%20deployment%20attempts%2C%20so%20I%20need%20to%20find%20a%20way%20to%20kill%20that%20as%20that%20doesn't%20work.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20progress!!!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-442058%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-442058%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318712%22%20target%3D%22_blank%22%3E%40GriffinDodd%3C%2FA%3E%26nbsp%3B%3A%20You%20can%20remove%20that%20extra%20%22session%20desktop%22%20by%20finding%20that%20host%20pool%20and%20app%20group%2C%20and%20running%20%22Remove-RdsAppGroupUser%22.%20You%20can%20then%20also%20remove%20the%20app%20group%20(Remove-RdsAppGroup)%20and%20host%20pool%20(Remove-RdsHostPool).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-442066%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-442066%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318712%22%20target%3D%22_blank%22%3E%40GriffinDodd%3C%2FA%3E%26nbsp%3B%3A%20Currently%2C%20when%20running%20service%20principal%2C%20the%20name%20does%20not%20come%20up.%20We%20are%20tracking%20this.%20However%2C%20it%20does%20show%20correctly%20that%20it%20is%20an%20RDS%20Owner%20(if%20you%20look%20at%20RoleDefinitionName.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-448189%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20Unable%20to%20join%20domain%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-448189%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20All%2C%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20deployment%20is%20unable%20to%20join%20ADDS%20domain.%3C%2FP%3E%3CP%3EI%20continue%20to%20get%20this%20error%2C%20not%20sure%20why%20as%20I%20am%20able%20to%20spin%20up%20a%20VM%20on%20the%20VNet%20and%20join%20domain%20manually.%20The%20user%20is%20in%20AAD%20DC%20admin%20group.%20Am%20I%20missing%20something%20here%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%7B%20%22code%22%3A%20%22VMExtensionProvisioningError%22%2C%20%22message%22%3A%20%22VM%20has%20reported%20a%20failure%20when%20processing%20extension%20'joindomain'.%20Error%20message%3A%20%5C%22Exception(s)%20occured%20while%20joining%20Domain%20'....onmicrosoft.com%20'%5C%22.%22%20%7D%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-448238%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20Unable%20to%20join%20domain%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-448238%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318001%22%20target%3D%22_blank%22%3E%40heng008%3C%2FA%3E%26nbsp%3B%3A%20If%20you%20can%20get%20to%20the%20VM%20(either%20through%20a%20public%20IP%20address%20or%20by%20connecting%20through%20another%20VM%20on%20the%20network)%2C%20you%20should%20be%20able%20to%20check%20out%20the%20errors%20from%20the%20domainJoin%20extension%20log.%20It%20would%20be%20under%20C%3A%5CPackages%5C%20and%20there%20should%20be%20a%20folder%20for%20domainJoin.%20There%20should%20be%20a%20log%20(or%20a%20.status)%20file%20down%20in%20that%20folder%20that%20should%20explicitly%20say%20what%20the%20error%20is.%20(This%20is%20an%20extension%20we%20don't%20manage%2C%20but%20use%2C%20so%20that's%20why%20I'm%20uncertain%20of%20exact%20file%20location.)%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-448356%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-448356%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3Bcould%20you%20explain%20how%20to%20do%20this%2C%20I'm%20not%20much%20of%20a%20powershell%20ninja%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-448966%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-448966%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20suffered%20from%20this%20not%20matter%20what%20I%20have%20tried%20I%20have%20tried%20every%20step%20even%20with%20someone%20watching%20over%20my%20should%20and%20double%20checkin%20my%20work.%20%26nbsp%3B%20Must%20have%20tried%20and%20failed%2040%20times%2C%20and%20that%20included%20rebuilding%20a%20new%20principle%20tearing%20down%20tenants%20etc...%20%26nbsp%3BI%20was%20doing%20it%20because%20our%20domains%20have%20MFA.%20%26nbsp%3BI%20finally%20said%20I%20am%20just%20going%20to%20try%20that%20link%20that%20says%20to%20Create%20Host%20Pool%20with%20Powershell.%20%26nbsp%3BWas%20done%20in%2015%20minutes....%20%26nbsp%3BThe%20SPN%2FAPP%20needs%20help.%20%26nbsp%3BAlso%2C%20order%20of%20Docs%20seems%20very%20off%20to%20me.%20%26nbsp%3BLink%20to%20PowerShell%20build%20of%20Hostpool%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Fcreate-host-pools-powershell%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ECreate%20a%20host%20pool%20with%20PowerShell%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F193704%22%20target%3D%22_blank%22%3E%40Christopher%20Anderson%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-468489%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-468489%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318430%22%20target%3D%22_blank%22%3E%40ccbrownkc%3C%2FA%3E%26nbsp%3B%3A%20What%20would%20be%20the%20preferred%20order%20to%20help%20complete%20the%20onboarding%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-691778%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-691778%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F35253%22%20target%3D%22_blank%22%3E%40Erjen%20Rijnders%3C%2FA%3E%26nbsp%3Bwrote%3A%3CP%3EAnd%20make%20sure%2C%20that%20the%20user%20you%20are%20using%20joining%20the%20VM's%20to%20the%20domain%2C%20is%20also%20having%20Owner%20access%20on%20the%20Azure%20subscription.%3CBR%20%2F%3EIt%20needs%20to%20be%20able%20to%20run%20PowerShell%20DSC%20on%20the%20VM's.%3C%2FP%3E%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F35253%22%20target%3D%22_blank%22%3E%40Erjen%20Rijnders%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDo%20you%20have%20any%20pointers%20to%20this%3F%20I%20have%20not%20seen%20this%20mentioned%20anywhere%20else%2C%20and%20I%20am%20not%20satisfied%20with%20having%20a%20local%20AD%20user%20have%20owner%20rights%20on%20a%20subscription.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20other%20reasons%20I%20am%20going%20to%20remove%20my%20WVD%20setup%20and%20start%20over%2C%20and%20I%20want%20to%20be%20sure%20to%20do%20every%20little%20bit%20right%20this%20time%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-691780%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-691780%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F35253%22%20target%3D%22_blank%22%3E%40Erjen%20Rijnders%3C%2FA%3E%26nbsp%3Bwrote%3A%3CP%3EAnd%20make%20sure%2C%20that%20the%20user%20you%20are%20using%20joining%20the%20VM's%20to%20the%20domain%2C%20is%20also%20having%20Owner%20access%20on%20the%20Azure%20subscription.%3CBR%20%2F%3EIt%20needs%20to%20be%20able%20to%20run%20PowerShell%20DSC%20on%20the%20VM's.%3C%2FP%3E%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F35253%22%20target%3D%22_blank%22%3E%40Erjen%20Rijnders%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDo%20you%20have%20any%20pointers%20to%20this%3F%20I%20have%20not%20seen%20this%20mentioned%20anywhere%20else%2C%20and%20I%20am%20not%20satisfied%20with%20having%20a%20local%20AD%20user%20have%20owner%20rights%20on%20a%20subscription.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20other%20reasons%20I%20am%20going%20to%20remove%20my%20WVD%20setup%20and%20start%20over%2C%20and%20I%20want%20to%20be%20sure%20to%20do%20every%20little%20bit%20right%20this%20time%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-691916%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-691916%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F360177%22%20target%3D%22_blank%22%3E%40Oletho%3C%2FA%3E%26nbsp%3BI%20think%20it%20was%20in%20the%20Microsoft%20docs%20at%20first%20but%20not%20sure.%20But%20at%20least%20you%20can%20try%20it%20for%20testing%20purposes%20en%20take%20away%20the%20permissions%20later.%20The%20deployment%20of%20WVD%20won't%20tell%20you%20if%20you%20have%20not%20enough%20permissions%20on%20your%20subscription.%20But%20I%20think%20the%20%22%3CEM%3EVirtual%20Machine%20Contributor%22%26nbsp%3B%3C%2FEM%3Erole%20should%20work%20too.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-693097%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-693097%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F360177%22%20target%3D%22_blank%22%3E%40Oletho%3C%2FA%3E%26nbsp%3B%3A%20The%20local%20AD%20user%20that%20will%20domain-join%20the%20VMs%20does%20not%20need%20to%20have%20any%20Azure%20permissions%20(my%20test%20tenant%20certainly%20does%20not).%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-694045%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-694045%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3Bthen%20how%20is%20it%20able%20to%20push%20PowerShell%20DSC%20commands%3F%20You%20need%20permissions%20on%20your%20Azure%20tenant.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-694556%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-694556%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70174%22%20target%3D%22_blank%22%3E%40Erjen%20Rijnders%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20hostpool%20succeeded%2C%20domain%20joining%20with%20a%20local%20AD%20user%20(not%20AAD%20sync'ed)%20with%20no%20permissions%20but%20joining%20computers%20to%20my%20local%20AD.%20Exactly%20the%20behaviour%20I%20was%20hoping%20for.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20cannot%20tell%20about%20the%20PS%20DSC%20question%2C%20but%20all%20lights%20are%20green%20and%20I%20take%20that%20as%20a%20good%20sign.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-698451%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-698451%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70174%22%20target%3D%22_blank%22%3E%40Erjen%20Rijnders%3C%2FA%3E%26nbsp%3B%3A%20The%20permission%20to%20retrieve%20and%20run%20DSC%20is%20authorized%20when%20you%20run%20the%20template.%20Afterwards%2C%20as%20long%20as%20the%20VM%20can%20reach%20out%20and%20download%20the%20DSC%20package%2C%20it%20will%20run%20it%20(not%20exactly%20sure%20if%20it%20runs%20in%20the%20context%20of%20the%20local%20admin%20or%20the%20Azure%20VM%20Agent).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-981808%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-981808%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20tried%20so%20many%20different%20ways%20and%20nothing%20works.%20I%20noticed%20you%20said%20if%20the%20user%20account%20have%20MFA%20the%20script%20wont%20work.%20Is%20this%20the%20same%20case%20for%20an%20ad%20domain-join%20error%20when%20deploying%20a%20hostpool%3F%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1018253%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1018253%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3BI%20am%20having%20the%20same%20issue.%20I%20am%20using%20the%20default%20name%20for%20the%20group.%20I%20am%20using%20admin%20account%20with%20global%20enterprise%20right.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F157935iA4B688CDC133E9E3%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_0.jpeg%22%20title%3D%22clipboard_image_0.jpeg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1018271%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1018271%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F445329%22%20target%3D%22_blank%22%3E%40Masoud515%3C%2FA%3E%26nbsp%3B%3A%20Does%20that%20user%20have%20a%20valid%20role%20assignment%3F%20Can%20you%20run%26nbsp%3B%3CSTRONG%3EGet-RdsRoleAssignment%3C%2FSTRONG%3E%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Christopher Anderson
Occasional Contributor

When following the directions below, I always run into an error related to querying the management service.

 

https://docs.microsoft.com/en-us/azure/virtual-desktop/create-host-pools-azure-marketplace

 

Error message from the Azure portal:

"error": { "code": "VMExtensionProvisioningError", "message": "VM has reported a failure when processing extension 'dscextension'. Error message: \"DSC Configuration 'FirstSessionHost' completed with error(s). Following are the first few: PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with error message: User is not authorized to query the management service.

 

I'm logged in as a user that in the global admin role in Azure AD, and it's also a user in the Windows Virtual Desktop enterprise application.  I've consented to the graph and Azure AD permissions under the enterprise app as well, any ideas?

52 Replies
Highlighted
I have the same problem. Does anyone have some ideas?
I'm getting the exact same thing. Any news or updates on this?
Could this be my problem? The instructions point to infrastructure requirements which says it needs the following things.....
-An Azure Active Directory
-A Windows Server Active Directory in sync with Azure Active Directory.
-An Azure subscription, containing a virtual network that either contains or is connected to the Windows Server Active Directory.

I don't have a local ad synced to azure ad. I only have azure ad.
The instructions seems to refer that you need all of it.

@Christopher Anderson , @Patrick F , @Seth Zwicker : The reason you see the "User is not authorized to query the management service" from the DSC extension is because the user who you provided in the last blade (where you also defined your Windows Virtual Desktop tenant name) does not have permissions in the tenant that you specified. A couple things you can check:

  • Did you create a tenant from these steps: https://docs.microsoft.com/azure/virtual-desktop/tenant-setup-azure-active-directory ?
  • Can you login to Windows Virtual Desktop with the username you provided in the last blade of Azure Marketplace offering, and does it require MFA to login? If that account does require MFA, it will not work when running as part of the script because there's no UI to prompt you for that second factor.
  • After logging in with that user account, can you run "Get-RdsTenant" to make sure that same Windows Virtual Desktop tenant shows appears?
  • Double/triple check that you entered the right values in the Azure Marketplace offering. For the most part, the Windows Virtual Desktop tenant group name should remain as "Default Tenant Group" and make sure to enter the Windows Virtual Desktop tenant name you created earlier, not a new one.

Thanks for testing and your patience here. We're compiling this same information and generating a Troubleshooting guide that hopefully should help you get unblocked yourself!

@Christopher Anderson 

 

I have the same issue too after following the instructions.

 

 New-RdsTenant -Name 'projectstest' -AadTenantId xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx -AzureSubscriptionId xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
New-RdsTenant : User is not authorized to query the management service.
ActivityId: xxxxxxx-9dec-485a-82ee-xxxxxxxxxxx
Powershell commands to diagnose the failure:
Get-RdsDiagnosticActivities -ActivityId xxxxxxx-9dec-485a-82ee-xxxxxxxxxx
At line:1 char:1
+ New-RdsTenant -Name 'projectstest' -AadTenantId xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : FromStdErr: (Microsoft.RDInf...nt.NewRdsTenant:NewRdsTenant) [New-RdsTenant], RdsPowerSh
ellException
+ FullyQualifiedErrorId : UnauthorizedAccess,Microsoft.RDInfra.RDPowershell.Tenant.NewRdsTenant
Followed the guide here https://docs.microsoft.com/en-us/azure/virtual-desktop/tenant-setup-azure-active-directory

Turned off MFA for the account.


Granted permissions for client and server here https://rdweb.wvd.microsoft.com/

Granted permissions here for Virtual desktop https://aad.portal.azure.com

@christianmontoya I checked those steps again and I'm still not sure what I'm missing.  I reproduced the error outside of the template in PowerShell by doing the following:

 

1.  Created a new user account in Azure AD and put it in the TenantCreator role for Windows Virtual Desktop.

2.  Opened PowerShell as an admin, and added / logged into the account above using Add-RdsAccount

3.  Attempted to call Remove-RdsTenant as part of clean up to try and see if I could execute the template from scratch2019-03-27 12_28_22-Administrator_ Windows PowerShell.png

I was able to work around this issue.  Here is what I noted:

 

1.  Regardless of account, you don't seem to be able to delete existing tenant groups once their created using the Remove-RdsTenant account.  I always get the "user is not authorized to query the management service" error no matter what I do.

2.  Also, one of the steps I may have missed the first time is that the tenant group name you create via PowerShell has to match to what you create via the Azure portal.  After creating a new tenant group in Powershell separate from the default one, it worked when I referenced the new tenant group name in the Azure portal.  Hopefully at some point, Microsoft will have an end-to-end solution for creating the tenant, tenant group name, and host pool all within the portal. 

@Christopher Anderson : Just to clarify, the "tenant group" name should always be "Default Tenant Group". Only in very few circumstances does this change. But yes, you always need to provide the same "tenant" name everywhere you go.

@Christopher Anderson : Yes, I definitely support the last message, that one of our goals is to have all of this functionality straight from the Azure portal, without having to hop around everywhere.

 

Thank you for all of the feedback, and keep it coming!

Maybe it helps someone getting WVD up and running: https://erjenrijnders.nl/2019/04/04/how-to-deploy-windows-virtual-desktop-in-azure/ Using the service principal with the correct permissions worked for me.

@Erjen Rijnders, firstly thank you for pulling together that post and the associated PowerShell. It certainly makes the first steps for setting up WVD easier. However, my efforts in this are still failing on that last step in the Azure deployment /dscextension with the error:

 

" PowerShell DSC resource MSFT_ScriptResource  failed to execute Set-TargetResource functionality with error message: User is not authorized to query the management service."

 

I'm wondering exactly what the step is doing? I've remoted on to the VM which gets created and tired trawling through the event logs but there are no more details. I have also tried using just a UPN rather than your suggestion of service principle. It is a real head scratcher!

 

I'm going to go off and create a brand new AAD tenant and AAD DS resource just to rule out anything related to our existing corporate AAD tenant. Wish me luck :)

Hi @andrewstollery, Thanks and welcome. What is the result of this command?
Get-RdsRoleAssignment

You should set something like this.

rdsowner.jpg

 

Especially, the appid must be the same as the app you created earlier:
New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -ApplicationId $svcPrincipal.AppId -TenantGroupName $myTenantGroupName -TenantName $myTenantName -HostPoolName $hostpoolname

That AppID must be the same as the app you visited in the Azure Portal, creating te new key and used during the deployment of the Azure Marketplace WVD template.

And make sure, that the user you are using joining the VM's to the domain, is also having Owner access on the Azure subscription.
It needs to be able to run PowerShell DSC on the VM's.

@Erjen Rijnders 

 

Hey i am also have the same issue i followed both the microsoft guide and Erjen guild and failing on the DSCextension. I am thinking the problem is with AADDS. Has anyone made it work with AADDS?

 


thanks

@Stavros Mitchell, I have not tested with AAD DS, but from what I know, in the preview version you need a working AD Connect, meaning that you can only use an onprem AD. I hope they remove it from the production version.

Hi @Erjen Rijnders, thank you for the prompt reply. Given the number of times I've run this now, I actually get 5 RoleAssigmentIds returned...oops. How do I tidy those up? Using Remove-RdsRoleAssigment I guess? I'll have a crack at that later...

 

The last one in the list though is the correct one:

Screenshot 2019-04-10 at 14.18.02.png

 

I guess the only difference for me is that I am using AAD DS too, which you stated below is not supported. I'm not sure why not? I can get the VM to join the AAD DS domain. It is the DSCextension step which fails.

 

Anyhow, I'll do some tidying up and also keep progressing with my greenfield AAD, AAD DS and WVD deployment.

@andrewstollery, you did create a new key within that app from the Azure Portal right? And you used that key during deployment on step 4?

And the user you are using deploying the VM's, does have owner rights on the Azure Subscription?

I agree it should work, however with AAD DS you don't have access to the RPC-service. So that could be the reason it doesn't work. But still curious if you checked the points I just mentioned.

@andrewstollery 

 

I am pretty sure the issue is AADDS. I think i will set up a VM for active directory and link it to AADDS and see if that corrrects my issue

 

Hi Erjen,

Yes, my friend, I created my service principles key and used that. I listened to everything you wrote, you know what you are doing so I didn't want to assume anything :). I also doubled checked the VM deployment user is Owner on the subscription and it is.

I really appreciate your help with this, thank you for replying.

Alright, than it must be the AAD DS limitation indeed..

Hi @Stavros Mitchell,

 

I'm inclined to agree now. I've finished a completely new setup:

  • AAD Tenant
  • AAD DS Resource
  • Followed Erjen's excellent deployment steps for WVD

Deployment fails at the /dcsextension step every time with the error "PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with the error message: User is not authorized to query the management service"

 

I'm still not sure I understand why WVD requires a full-blown ADDS domain controller to work? Perhaps a Microsoft representative can shed some light on this? Anyway, just like you, I am not prepared to give up! :)

 

Next step is to deploy an IaaS ADDS VM and use AAD Connect to sync up to AAD and then run the WVD setup again...watch this space! 

@andrewstollery 

 

According to Microsoft Document

A Windows Server Active Directory in sync with Azure Active Directory. This can be enabled through:

  • Azure AD Connect
  • Azure AD Domain Services

I am trying to see how that works I didn't know you can create a new Windows Server Active Directory and sync with AADDS. I have always used AD Connect. Unless i am misunderstanding the requirements

Yeah, I was after the why? :)
Maybe check if there is a conditional access policy applying to the admin account you specified in the deployment steps.

@Stavros Mitchell @andrewstollery : Yes, you would always use Azure AD Connect to synchronize your Windows Server AD up to Azure AD. However, if you are a cloud organization and have no Windows Server AD, then you can use Azure AD Domain Services to create a managed Windows Server AD on the virtual network that would have the same users as your Azure AD.

 

The intent was that these are each mechanisms that will allow the users to be recognized both "in the cloud" and "on-prem". We can change the wording to make that more clear. Open to suggestions!

@andrewstollery 

 

ok so i got it to work with only AADDS i followed this guide. I think my issue was the users i was putting to allowe. I left it blank this time and it worked

 

http://www.rebeladmin.com/2019/04/step-step-guide-azure-windows-virtual-desktop-preview/

I am also having many of the same issues covered in this thread trying to deploy Windows Virtual Desktop Preview.

 

I have followed all of the directions linked in this thread, including Erjen's very useful blog post and I am still getting the dreaded "User is not authorized to query the management service" failure during the DSCExtension part of the deployment.

 

My deployment user is a subscription owner, I have my regular AD synced with AAD complete with password hash sync, I created Service Principles with RDS Owner permissions/roles and used the APP IDs and Keys for the Tenant Admin credentials. I have tried deploying without any default users set, but despite all of this I still get the same failure.

 

This is extremely frustrating.

When I try and deploy using my subscription owner UPN for the Tenant Admin credentials instead of the Service principle credentials, I get a different error on the DSCExtention phase of the deployment...

 

VM has reported a failure when processing extension 'dscextension'. Error message: \\\"DSC Configuration 'FirstSessionHost' completed with error(s). Following are the first few: PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with error message: One or more errors occurred. The SendConfigurationApply function did not succeed

@GriffinDodd : Are you able to install the PowerShell locally and try logging in with that service principal? Also, the other requirement for the service principal is that it must be created as a "Converged app" or as "multi-tenant" because our service currently uses a 3rd party Azure AD application for authentication.

@christianmontoya I created the service principal following the guidelines laid out in Erjens blog post.

 

I have tried two methods, one where you create the tenant and service principle as illustrated in Erjen's directions, another where you use the Managed Domain as the tenant and use Managed Domain admin credentials, both give the same errors.

 

Here is how I am creating the tenant...

 

New-RdsTenant -Name <my tenant name> -AadTenantId <aad id> -AzureSubscriptionId <AZ sub id>

$myTenantGroupName = "Default Tenant Group"
$myTenantName = "<my tenant name>" #As you used in the previous step
$hostpoolname = "<my host pool name>"

# create the service principal:
$aadContext = Connect-AzureAD
$svcPrincipal = New-AzureADApplication -AvailableToOtherTenants $true -DisplayName "Windows Virtual Desktop Svc Principal"
$svcPrincipalCreds = New-AzureADApplicationPasswordCredential -ObjectId $svcPrincipal.ObjectId

# Don't change the URL below.
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"
Set-RdsContext -TenantGroupName $myTenantGroupName
New-RdsHostPool -TenantName $myTenantName -name $hostpoolname

 

New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -ApplicationId $svcPrincipal.AppId -TenantGroupName $myTenantGroupName -TenantName $myTenantName -HostPoolName $hostpoolname

I created my tenant like this....

 

New-RdsTenant -Name <my tenant name> -AadTenantId <aad id> -AzureSubscriptionId <az sub id>


$myTenantGroupName = "Default Tenant Group"
$myTenantName = "<my tenant name>" #As you used in the previous step
$hostpoolname = "<my pool name>"

# create the service principal:
$aadContext = Connect-AzureAD
$svcPrincipal = New-AzureADApplication -AvailableToOtherTenants $true -DisplayName "Windows Virtual Desktop Svc Principal"
$svcPrincipalCreds = New-AzureADApplicationPasswordCredential -ObjectId $svcPrincipal.ObjectId

# Don't change the URL below.
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"
Set-RdsContext -TenantGroupName $myTenantGroupName
New-RdsHostPool -TenantName $myTenantName -name $hostpoolname


New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -ApplicationId $svcPrincipal.AppId -TenantGroupName $myTenantGroupName -TenantName $myTenantName -HostPoolName $hostpoolname

 

@christianmontoya See above regarding Tenant and Service Principal creation.

 

On trying to log in to Azure with the service principal I seem to be able to log in and see the Account ID, a blank subscriptionName (????), TenantID and Environment listed as AzureCloud

@christianmontoya I recreated the RDS Owner role for the Service Principle Tenant, and I still get this error...

 

DSC Configuration 'FirstSessionHost' completed with error(s). Following are the first few: PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with error message: User is not authorized to query the management service

@GriffinDodd Did you run the Add-RdsAccount command? To run using Service Principal credentials I run the command: 

 

Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com" -ServicePrincipal -AadTenantId "[add-your-id]"

 

Then enter the Service Principal AppId and password.


Running get-rdscontext should then show the username as ServicePrincipal.

@tilikumtim I went through the steps you provided, however my username is returned as blank, 

 

PS C:\WINDOWS\system32> get-rdscontext

DeploymentUrl                                         TenantGroupName                            UserName
------------- --------------- --------
https://rdbroker.wvd.microsoft.com        Default Tenant Group

 

My role assignment looks like this..

RoleAssignmentId : xxxxx-xxxx-xxxx-xxxx-xxxxxxx
Scope : /Default Tenant Group/LMRVVDTENANT/LMRVpoolname
TenantGroupName : Default Tenant Group
TenantName : LMRVVDTENANT
HostPoolName : LMRVpoolname
DisplayName :
SignInName :
GroupObjectId :
AADTenantId :
AppId : xxxxx-xxxx-xxxx-xxxx-xxxxxxx
RoleDefinitionName : RDS Owner
RoleDefinitionId : xxxxx-xxxx-xxxx-xxxx-xxxxxxx
ObjectId : xxxxx-xxxx-xxxx-xxxx-xxxxxxx
ObjectType : ServicePrincipal
Item :

 

I inspected the Manifest for my Svc Principal and noticed on line 2 that the appRoles value was empty, is that correct? Should it read "RDS Owner" ???

After completely remaking my Tenant and Service Principal I was finally able to to get a successful deployment using my UPN rather than AppID and secret.

 

However now, I see two Session Desktops (with no icon) in my rdweb feed, double clicking either of them errors out trying to launch an rdp file at an invalid path local path on my PC. Instead of having my proper name of "xxx xxx Dodd" (my user folder) at the beginning of the path, it simply has "Dodd" so obviously it cannot find the RDP file. When I drill down to where the RDP files are stored (along with their icons) and try and manually launch them with the remote desktop app the connection also fails with the error

"The RDP file provided is invalid. Make sure the file contains the full address and is formatted properly or contact your admin for help"

 

Also when in Office 365, launching the 'Windows Virtual Desktop' app resolves to an invalid URL after first trying to hit a session at account.activedirectory.windowsazure.com/applications/signin/xxxxxx and ends at https://mrs-prod.ame.gbl/mrs-RDInfra-prod

I have been able to successfully connect through the web client at 
https://rdweb.wvd.microsoft.com/webclient/index.html

although I still see the ghost 'session desktop' icon in my feed from previous failed deployment attempts, so I need to find a way to kill that as that doesn't work. 

 

But progress!!!

@GriffinDodd : You can remove that extra "session desktop" by finding that host pool and app group, and running "Remove-RdsAppGroupUser". You can then also remove the app group (Remove-RdsAppGroup) and host pool (Remove-RdsHostPool).

@GriffinDodd : Currently, when running service principal, the name does not come up. We are tracking this. However, it does show correctly that it is an RDS Owner (if you look at RoleDefinitionName.

Hi All, 

My deployment is unable to join ADDS domain.

I continue to get this error, not sure why as I am able to spin up a VM on the VNet and join domain manually. The user is in AAD DC admin group. Am I missing something here? 

{ "code": "VMExtensionProvisioningError", "message": "VM has reported a failure when processing extension 'joindomain'. Error message: \"Exception(s) occured while joining Domain '....onmicrosoft.com '\"." }

@heng008 : If you can get to the VM (either through a public IP address or by connecting through another VM on the network), you should be able to check out the errors from the domainJoin extension log. It would be under C:\Packages\ and there should be a folder for domainJoin. There should be a log (or a .status) file down in that folder that should explicitly say what the error is. (This is an extension we don't manage, but use, so that's why I'm uncertain of exact file location.)

@christianmontoya could you explain how to do this, I'm not much of a powershell ninja

I have suffered from this not matter what I have tried I have tried every step even with someone watching over my should and double checkin my work.   Must have tried and failed 40 times, and that included rebuilding a new principle tearing down tenants etc...  I was doing it because our domains have MFA.  I finally said I am just going to try that link that says to Create Host Pool with Powershell.  Was done in 15 minutes....  The SPN/APP needs help.  Also, order of Docs seems very off to me.  Link to PowerShell build of Hostpool Create a host pool with PowerShell

@Christopher Anderson 

@ccbrownkc : What would be the preferred order to help complete the onboarding?

 


@Erjen Rijnders wrote:

And make sure, that the user you are using joining the VM's to the domain, is also having Owner access on the Azure subscription.
It needs to be able to run PowerShell DSC on the VM's.


@Erjen Rijnders 

 

Do you have any pointers to this? I have not seen this mentioned anywhere else, and I am not satisfied with having a local AD user have owner rights on a subscription.

 

For other reasons I am going to remove my WVD setup and start over, and I want to be sure to do every little bit right this time :)

 

Thanks!

@Oletho I think it was in the Microsoft docs at first but not sure. But at least you can try it for testing purposes en take away the permissions later. The deployment of WVD won't tell you if you have not enough permissions on your subscription. But I think the "Virtual Machine Contributor" role should work too.

@Oletho : The local AD user that will domain-join the VMs does not need to have any Azure permissions (my test tenant certainly does not). 

@christianmontoya then how is it able to push PowerShell DSC commands? You need permissions on your Azure tenant.

@Erjen Rijnders @christianmontoya

 

My hostpool succeeded, domain joining with a local AD user (not AAD sync'ed) with no permissions but joining computers to my local AD. Exactly the behaviour I was hoping for.

 

I cannot tell about the PS DSC question, but all lights are green and I take that as a good sign.

@Erjen Rijnders : The permission to retrieve and run DSC is authorized when you run the template. Afterwards, as long as the VM can reach out and download the DSC package, it will run it (not exactly sure if it runs in the context of the local admin or the Azure VM Agent).

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
46 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
30 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
13 Replies