Error: User is not authorized to query the management service

When following the directions below, I always run into an error related to querying the management service.

https://docs.microsoft.com/en-us/azure/virtual-desktop/create-host-pools-azure-marketplace

Error message from the Azure portal:

"error": { "code": "VMExtensionProvisioningError", "message": "VM has reported a failure when processing extension 'dscextension'. Error message: \"DSC Configuration 'FirstSessionHost' completed with error(s). Following are the first few: PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with error message: User is not authorized to query the management service.

I'm logged in as a user that is in the global admin role in Azure AD, and it's also a user in the Windows Virtual Desktop enterprise application. I've consented to the graph and Azure AD permissions under the enterprise app as well, any ideas?

Re: Error: User is not authorized to query the management service

Maybe it helps someone getting WVD up and running: https://erjenrijnders.nl/2019/04/04/how-to-deploy-windows-virtual-desktop-in-azure/ Using the service principal with the correct permissions worked for me.

Re: Error: User is not authorized to query the management service

@Christopher Anderson: Yes, I definitely support the last message, that one of our goals is to have all of this functionality straight from the Azure portal, without having to hop around everywhere.

Thank you for all of the feedback, and keep it coming!

Re: Error: User is not authorized to query the management service

@Christopher Anderson: Just to clarify, the "tenant group" name should always be "Default Tenant Group". Only in very few circumstances does this change. But yes, you always need to provide the same "tenant" name everywhere you go.

Re: Error: User is not authorized to query the management service

I was able to work around this issue. Here is what I noted:

1. Regardless of account, you don't seem to be able to delete existing tenant groups once they're created using the Remove-RdsTenant account. I always get the "user is not authorized to query the management service" error no matter what I do.
2. Also, one of the steps I may have missed the first time is that the tenant group name you create via PowerShell has to match what you create via the Azure portal. After creating a new tenant group in PowerShell separate from the default one, it worked when I referenced the new tenant group name in the Azure portal. Hopefully at some point, Microsoft will have an end-to-end solution for creating the tenant, tenant group name, and host pool all within the portal.

Re: Error: User is not authorized to query the management service

@christianmontoya I checked those steps again and I'm still not sure what I'm missing. I reproduced the error outside of the template in PowerShell by doing the following:

1. Created a new user account in Azure AD and put it in the TenantCreator role for Windows Virtual Desktop.
2. Opened PowerShell as an admin, and added / logged into the account above using Add-RdsAccount
3. Attempted to call Remove-RdsTenant as part of clean up to try and see if I could execute the template from scratch

[Image: 2019-03-27 12_28_22-Administrator_ Windows PowerShell.png]

Re: Error: User is not authorized to query the management service

@Christopher Anderson

I have the same issue too after following the instructions.

    New-RdsTenant -Name 'projectstest' -AadTenantId xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx -AzureSubscriptionId xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
    New-RdsTenant : User is not authorized to query the management service.
    ActivityId: xxxxxxx-9dec-485a-82ee-xxxxxxxxxxx
    Powershell commands to diagnose the failure:
    Get-RdsDiagnosticActivities -ActivityId xxxxxxx-9dec-485a-82ee-xxxxxxxxxx
    At line:1 char:1
    + New-RdsTenant -Name 'projectstest' -AadTenantId xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : FromStdErr: (Microsoft.RDInf...nt.NewRdsTenant:NewRdsTenant) [New-RdsTenant], RdsPowerSh
    ellException
    + FullyQualifiedErrorId : UnauthorizedAccess,Microsoft.RDInfra.RDPowershell.Tenant.NewRdsTenant

Followed the guide here https://docs.microsoft.com/en-us/azure/virtual-desktop/tenant-setup-azure-active-directory

Turned off MFA for the account.

Granted permissions for client and server here https://rdweb.wvd.microsoft.com/

Granted permissions here for Virtual desktop https://aad.portal.azure.com

Re: Error: User is not authorized to query the management service

@Christopher Anderson, @Patrick F, @Seth Zwicker: The reason you see the "User is not authorized to query the management service" from the DSC extension is because the user who you provided in the last blade (where you also defined your Windows Virtual Desktop tenant name) does not have permissions in the tenant that you specified. A couple things you can check:

- Did you create a tenant from these steps: https://docs.microsoft.com/azure/virtual-desktop/tenant-setup-azure-active-directory ?
- Can you log in to Windows Virtual Desktop with the username you provided in the last blade of the Azure Marketplace offering (https://portal.azure.com/#create/rds.wvd-provision-host-poolpreview), and does it require MFA to log in? If that account does require MFA, it will not work when running as part of the script because there's no UI to prompt you for that second factor.
- After logging in with that user account, can you run "Get-RdsTenant" to make sure that same Windows Virtual Desktop tenant appears?
- Double/triple check that you entered the right values in the Azure Marketplace offering (https://portal.azure.com/#create/rds.wvd-provision-host-poolpreview). For the most part, the Windows Virtual Desktop tenant group name should remain as "Default Tenant Group" and make sure to enter the Windows Virtual Desktop tenant name you created earlier, not a new one.

Thanks for testing and your patience here. We're compiling this same information and generating a Troubleshooting guide that hopefully should help you get unblocked yourself!

Re: Error: User is not authorized to query the management service

Could this be my problem? The instructions point to infrastructure requirements which say it needs the following things.....
- An Azure Active Directory
- A Windows Server Active Directory in sync with Azure Active Directory.
- An Azure subscription, containing a virtual network that either contains or is connected to the Windows Server Active Directory.

I don't have a local AD synced to Azure AD. I only have Azure AD.
The instructions seem to indicate that you need all of it.

Re: Error: User is not authorized to query the management service

I'm getting the exact same thing. Any news or updates on this?

Re: Error: User is not authorized to query the management service

I have the same problem. Does anyone have some ideas?

Re: Error: User is not authorized to query the management service

@Erjen Rijnders, firstly thank you for pulling together that post and the associated PowerShell. It certainly makes the first steps for setting up WVD easier. However, my efforts in this are still failing on that last step in the Azure deployment /dscextension with the error:

"PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with error message: User is not authorized to query the management service."

I'm wondering exactly what the step is doing? I've remoted on to the VM which gets created and tried trawling through the event logs but there are no more details. I have also tried using just a UPN rather than your suggestion of service principal. It is a real head scratcher!

I'm going to go off and create a brand new AAD tenant and AAD DS resource just to rule out anything related to our existing corporate AAD tenant. Wish me luck :)

Re: Error: User is not authorized to query the management service

Hi @andrewstollery, Thanks and welcome. What is the result of this command?

    Get-RdsRoleAssignment

You should set something like this.

[Image: rdsowner.jpg]

Especially, the appid must be the same as the app you created earlier:

    New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -ApplicationId $svcPrincipal.AppId -TenantGroupName $myTenantGroupName -TenantName $myTenantName -HostPoolName $hostpoolname

That AppID must be the same as the app you visited in the Azure Portal, creating the new key and used during the deployment of the Azure Marketplace WVD template.

And make sure that the user you are using to join the VMs to the domain also has Owner access on the Azure subscription.
It needs to be able to run PowerShell DSC on the VMs.

Re: Error: User is not authorized to query the management service

@Erjen Rijnders

Hey, I am also having the same issue. I followed both the Microsoft guide and Erjen's guide and am failing on the DSCextension. I am thinking the problem is with AADDS. Has anyone made it work with AADDS?

thanks

Re: Error: User is not authorized to query the management service

@Stavros Mitchell, I have not tested with AAD DS, but from what I know, in the preview version you need a working AD Connect, meaning that you can only use an onprem AD. I hope they remove it from the production version.

Re: Error: User is not authorized to query the management service

Hi @Erjen Rijnders, thank you for the prompt reply. Given the number of times I've run this now, I actually get 5 RoleAssignmentIds returned...oops. How do I tidy those up? Using Remove-RdsRoleAssignment I guess? I'll have a crack at that later...

The last one in the list though is the correct one:

[Image: Screenshot 2019-04-10 at 14.18.02.png]

I guess the only difference for me is that I am using AAD DS too, which you stated below is not supported. I'm not sure why not? I can get the VM to join the AAD DS domain. It is the
%20DSCextension%20step%20which%20fails.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnyhow%2C%20I'll%20do%20some%20tidying%20up%20and%20also%20keep%20progressing%20with%20my%20greenfield%20AAD%2C%20AAD%20DS%20and%20WVD%20deployment.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-427506%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-427506%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318397%22%20target%3D%22_blank%22%3E%40andrewstollery%3C%2FA%3E%2C%20you%20did%20create%20a%20new%20key%20within%20that%20app%20from%20the%20Azure%20Portal%20right%3F%20And%20you%20used%20that%20key%20during%20deployment%20on%20step%204%3F%3C%2FP%3E%3CP%3EAnd%20the%20user%20you%20are%20using%20deploying%20the%20VM's%2C%20does%20have%20owner%20rights%20on%20the%20Azure%20Subscription%3F%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EI%20agree%20it%20should%20work%2C%20however%20with%20AAD%20DS%20you%20don't%20have%20access%20to%20the%20RPC-service.%20So%20that%20could%20be%20the%20reason%20it%20doesn't%20work.%20But%20still%20curious%20if%20you%20checked%20the%20points%20I%20just%20mentioned.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-427717%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-427717%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318397%22%20target%3D%22_blank%22%3E%40andrewstollery%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20pretty%20sure%20the%20issue%20is%20AADDS.%20I%20think%20i%20will%20set%20up%20a%20VM%20for%20active%20directory%20and%20link%20it%20to%20AADDS%20and%20see%20if%20that%20corrrects%20my%20
issue%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-427812%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-427812%22%20slang%3D%22en-US%22%3EHi%20Erjen%2C%3CBR%20%2F%3E%3CBR%20%2F%3EYes%2C%20my%20friend%2C%20I%20created%20my%20service%20principles%20key%20and%20used%20that.%20I%20listened%20to%20everything%20you%20wrote%2C%20you%20know%20what%20you%20are%20doing%20so%20I%20didn't%20want%20to%20assume%20anything%20%3A).%20I%20also%20doubled%20checked%20the%20VM%20deployment%20user%20is%20Owner%20on%20the%20subscription%20and%20it%20is.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20really%20appreciate%20your%20help%20with%20this%2C%20thank%20you%20for%20replying.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-428060%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-428060%22%20slang%3D%22en-US%22%3EAlright%2C%20than%20it%20must%20be%20the%20AAD%20DS%20limitation%20indeed..%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-428796%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-428796%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F26347%22%20target%3D%22_blank%22%3E%40Stavros%20Mitchell%3C%2FA%3E%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20inclined%20to%20agree%20now.%20I've%20finished%20a%20completely%20new%20setup%3A%3C%2FP%3E%3CUL%3E%3CLI%3EAAD%20Tenant%3C%2FLI%3E%3CLI%3EAAD%20DS%20Resource%3C%2FLI%3E%3CLI%3EFollowed%20Erjen's%20excellent%20deployment%20steps%20for%20WVD%3C%2FLI%3E%3C%2FUL%3E%3CP%3EDeployment%20fails%20at%20the%20%2Fdcsextension%26
nbsp%3Bstep%20every%20time%20with%20the%20error%20%22%3CSPAN%3EPowerShell%20DSC%20resource%20MSFT_ScriptResource%20failed%20to%20execute%20Set-TargetResource%20functionality%20with%20the%20error%20message%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI'm%20still%20not%20sure%20I%20understand%20why%20WVD%20requires%20a%20full-blown%20ADDS%20domain%20controller%20to%20work%3F%20Perhaps%20a%20Microsoft%20representative%20can%20shed%20some%20light%20on%20this%3F%20Anyway%2C%20just%20like%20you%2C%20I%20am%20not%20prepared%20to%20give%20up!%20%3A)%3C%2Fimg%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3ENext%20step%20is%20to%20deploy%20an%20IaaS%20ADDS%20VM%20and%20use%20AAD%20Connect%20to%20sync%20up%20to%20AAD%20and%20then%20run%20the%20WVD%20setup%20again...watch%20this%20space!%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-428869%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-428869%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318397%22%20target%3D%22_blank%22%3E%40andrewstollery%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAccording%20to%20Microsoft%20Document%3C%2FP%3E%3CP%3E%3CSPAN%3EA%20Windows%20Server%20Active%20Directory%20in%20sync%20with%20Azure%20Active%20Directory.%20This%20can%20be%20enabled%20through%3A%3C%2FSPAN%3E%3C%2FP%3E%3CUL%3E%3CLI%3EAzure%20AD%20Connect%3C%2FLI%3E%3CLI%3EAzure%20AD%20Domain%20Services%3C%2FLI%3E%3C%2FUL%3E%3CP%3EI%20am%20trying%20to%20see%20how%20that%20works%20I%20didn't%20know%20you%20can%20create%20a%20new%20Windows%20Server%20Active%20Directory%20and%20sync%20with%20AADDS.%20I%20have%20always%20used%20AD%20Connect.%20Unless%20i%20am%20misunderst
anding%20the%20requirements%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-429027%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-429027%22%20slang%3D%22en-US%22%3EYeah%2C%20I%20was%20after%20the%20why%3F%20%3A)%3C%2Fimg%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-429482%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-429482%22%20slang%3D%22en-US%22%3EMaybe%20check%20if%20there%20is%20a%20conditional%20access%20policy%20applying%20to%20the%20admin%20account%20you%20specified%20in%20the%20deployment%20steps.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-429865%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-429865%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F26347%22%20target%3D%22_blank%22%3E%40Stavros%20Mitchell%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318397%22%20target%3D%22_blank%22%3E%40andrewstollery%3C%2FA%3E%20%3A%20Yes%2C%20you%20would%20always%20use%20Azure%20AD%20Connect%20to%20synchronize%20your%20Windows%20Server%20AD%20up%20to%20Azure%20AD.%20However%2C%20if%20you%20are%20a%20cloud%20organization%20and%20have%20no%20Windows%20Server%20AD%2C%20then%20you%20can%20use%20Azure%20AD%20Domain%20Services%20to%20create%20a%20managed%20Windows%20Server%20AD%20on%20the%20virtual%20network%20that%20would%20have%20the%20same%20users%20as%20your%20Azure%20AD.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20intent%20was%20that%20these%20are%20each%20mechanisms%20that%20will%20allow%20the%20users%20to%20be%20r
ecognized%20both%20%22in%20the%20cloud%22%20and%20%22on-prem%22.%20We%20can%20change%20the%20wording%20to%20make%20that%20more%20clear.%20Open%20to%20suggestions!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-429962%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-429962%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318397%22%20target%3D%22_blank%22%3E%40andrewstollery%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eok%20so%20i%20got%20it%20to%20work%20with%20only%20AADDS%20i%20followed%20this%20guide.%20I%20think%20my%20issue%20was%20the%20users%20i%20was%20putting%20to%20allowe.%20I%20left%20it%20blank%20this%20time%20and%20it%20worked%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22http%3A%2F%2Fwww.rebeladmin.com%2F2019%2F04%2Fstep-step-guide-azure-windows-virtual-desktop-preview%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20nore
ferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fwww.rebeladmin.com%2F2019%2F04%2Fstep-step-guide-azure-windows-virtual-desktop-preview%2F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-430513%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-430513%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20also%20having%20many%20of%20the%20same%20issues%20covered%20in%20this%20thread%20trying%20to%20deploy%20Windows%20Virtual%20Desktop%20Preview.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20followed%20all%20of%20the%20directions%20linked%20in%20this%20thread%2C%20including%20Erjen's%20very%20useful%20blog%20post%20and%20I%20am%20still%20getting%20the%20dreaded%20%22User%20is%20not%20authorized%20to%20query%20the%20management%20service%22%20failure%20during%20the%20DSCExtension%20part%20of%20the%20deployment.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20deployment%20user%20is%20a%20subscription%20owner%2C%20I%20have%20my%20regular%20AD%20synced%20with%20AAD%20complete%20with%20password%20hash%20sync%2C%20I%20created%20Service%20Principles%20with%20RDS%20Owner%20permissions%2Froles%20and%20used%20the%20APP%20IDs%20and%20Keys%20for%20the%20Tenant%20Admin%20credentials.%20I%20have%20tried%20deploying%20without%20any%20default%20users%20set%2C%20but%20despite%20all%20of%20this%20I%20still%20get%20the%20same%20failure.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20extremely%20frustrating.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-430616%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-430616%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20I%20try%20and%20deploy%20using%20my%20subscription%20owner%20UPN%20for%20the%20Tenant%20
Admin%20credentials%20instead%20of%20the%20Service%20principle%20credentials%2C%20I%20get%20a%20different%20error%20on%20the%20DSCExtention%20phase%20of%20the%20deployment...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3E%3CDIV%3E%3CSPAN%3EVM%20has%20reported%20a%20failure%20when%20processing%20extension%20'dscextension'.%20Error%20message%3A%20%5C%5C%5C%22DSC%20Configuration%20'FirstSessionHost'%20completed%20with%20error(s).%20Following%20are%20the%20first%20few%3A%20PowerShell%20DSC%20resource%20MSFT_ScriptResource%20failed%20to%20execute%20Set-TargetResource%20functionality%20with%20error%20message%3A%20One%20or%20more%20errors%20occurred.%20The%20SendConfigurationApply%20function%20did%20not%20succeed%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-431085%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-431085%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318712%22%20target%3D%22_blank%22%3E%40GriffinDodd%3C%2FA%3E%20%3A%20Are%20you%20able%20to%20install%20the%20PowerShell%20locally%20and%20try%20logging%20in%20with%20that%20service%20principal%3F%20Also%2C%20the%20other%20requirement%20for%20the%20service%20principal%20is%20that%20it%20must%20be%20created%20as%20a%20%22Converged%20app%22%20or%20as%20%22multi-tenant%22%20because%20our%20service%20currently%20uses%20a%203rd%20party%20Azure%20AD%20application%20for%20authentication.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-431922%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-431922%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20tar
get%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3BI%20created%20the%20service%20principal%20following%20the%20guidelines%20laid%20out%20in%20Erjens%20blog%20post.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20tried%20two%20methods%2C%20one%20where%20you%20create%20the%20tenant%20and%20service%20principle%20as%20illustrated%20in%20Erjen's%20directions%2C%20another%20where%20you%20use%20the%20Managed%20Domain%20as%20the%20tenant%20and%20use%20Managed%20Domain%20admin%20credentials%2C%20both%20give%20the%20same%20errors.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHere%20is%20how%20I%20am%20creating%20the%20tenant...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%24myTenantGroupName%20%3D%20%22Default%20Tenant%20Group%22%3CBR%20%2F%3E%24myTenantName%20%3D%20%22%3CMY%20tenant%3D%22%22%20name%3D%22%22%3E%22%20%23As%20you%20used%20in%20the%20previous%20step%3CBR%20%2F%3E%24hostpoolname%20%3D%20%22%3CMY%20host%3D%22%22%20pool%3D%22%22%20name%3D%22%22%3E%22%3C%2FMY%3E%3C%2FMY%3E%3C%2FP%3E%3CP%3E%23%20create%20the%20service%20principal%3A%3CBR%20%2F%3E%24aadContext%20%3D%20Connect-AzureAD%3CBR%20%2F%3E%24svcPrincipal%20%3D%20New-AzureADApplication%20-AvailableToOtherTenants%20%24true%20-DisplayName%20%22Windows%20Virtual%20Desktop%20Svc%20Principal%22%3CBR%20%2F%3E%24svcPrincipalCreds%20%3D%20New-AzureADApplicationPasswordCredential%20-ObjectId%20%24svcPrincipal.ObjectId%3C%2FP%3E%3CP%3E%23%20Don't%20change%20the%20URL%20below.%3CBR%20%2F%3EAdd-RdsAccount%20-DeploymentUrl%20%22%3CA%20href%3D%22https%3A%2F%2Frdbroker.wvd.microsoft.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20no
referrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Frdbroker.wvd.microsoft.com%3C%2FA%3E%22%3CBR%20%2F%3ESet-RdsContext%20-TenantGroupName%20%24myTenantGroupName%3CBR%20%2F%3ENew-RdsHostPool%20-TenantName%20%24myTenantName%20-name%20%24hostpoolname%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENew-RdsRoleAssignment%20-RoleDefinitionName%20%22RDS%20Owner%22%20-ApplicationId%20%24svcPrincipal.AppId%20-TenantGroupName%20%24myTenantGroupName%20-TenantName%20%24myTenantName%20-HostPoolName%20%24hostpoolname%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-432101%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-432101%22%20slang%3D%22en-US%22%3E%3CP%3EI%20created%20my%20tenant%20like%20this....%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENew-RdsTenant%20-Name%20%3CMY%20tenant%3D%22%22%20name%3D%22%22%3E%20-AadTenantId%20%3CAAD%20id%3D%22%22%3E%20-AzureSubscriptionId%20%3CAZ%20sub%3D%22%22%20id%3D%22%22%3E%3C%2FAZ%3E%3C%2FAAD%3E%3C%2FMY%3E%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E%24myTenantGroupName%20%3D%20%22Default%20Tenant%20Group%22%3CBR%20%2F%3E%24myTenantName%20%3D%20%22%3CMY%20tenant%3D%22%22%20name%3D%22%22%3E%22%20%23As%20you%20used%20in%20the%20previous%20step%3CBR%20%2F%3E%24hostpoolname%20%3D%20%22%3CMY%20pool%3D%22%22%20name%3D%22%22%3E%22%3C%2FMY%3E%3C%2FMY%3E%3C%2FP%3E%3CP%3E%23%20create%20the%20service%20principal%3A%3CBR%20%2F%3E%24aadContext%20%3D%20Connect-AzureAD%3CBR%20%2F%3E%24svcPrincipal%20%3D%20New-AzureADApplication%20-AvailableToOtherTenants%20%24true%20-DisplayName%20%22Windows%20Virtual%20Desktop%2
0Svc%20Principal%22%3CBR%20%2F%3E%24svcPrincipalCreds%20%3D%20New-AzureADApplicationPasswordCredential%20-ObjectId%20%24svcPrincipal.ObjectId%3C%2FP%3E%3CP%3E%23%20Don't%20change%20the%20URL%20below.%3CBR%20%2F%3EAdd-RdsAccount%20-DeploymentUrl%20%22%3CA%20href%3D%22https%3A%2F%2Frdbroker.wvd.microsoft.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Frdbroker.wvd.microsoft.com%3C%2FA%3E%22%3CBR%20%2F%3ESet-RdsContext%20-TenantGroupName%20%24myTenantGroupName%3CBR%20%2F%3ENew-RdsHostPool%20-TenantName%20%24myTenantName%20-name%20%24hostpoolname%3C%2FP%3E%3CP%3E%3CBR%20%2F%3ENew-RdsRoleAssignment%20-RoleDefinitionName%20%22RDS%20Owner%22%20-ApplicationId%20%24svcPrincipal.AppId%20-TenantGroupName%20%24myTenantGroupName%20-TenantName%20%24myTenantName%20-HostPoolName%20%24hostpoolname%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-432198%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-432198%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E
%40christianmontoya%3C%2FA%3E%26nbsp%3BSee%20above%20regarding%20Tenant%20and%20Service%20Principal%20creation.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOn%20trying%20to%20log%20in%20to%20Azure%20with%20the%20service%20principal%20I%20seem%20to%20be%20able%20to%20log%20in%20and%20see%20the%20Account%20ID%2C%20a%20blank%20subscriptionName%20(%3F%3F%3F%3F)%2C%20TenantID%20and%20Environment%20listed%20as%20AzureCloud%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-432885%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-432885%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3BI%20recreated%20the%20RDS%20Owner%20role%20for%20the%20Service%20Principle%20Tenant%2C%20and%20I%20still%20get%20this%20error...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3E%3CDIV%3E%3CSPAN%3EDSC%20Configuration%20'FirstSessionHost'%20completed%20with%20error(s).%20Following%20are%20the%20first%20few%3A%20PowerShell%20DSC%20resource%20MSFT_ScriptResource%20failed%20to%20execute%20Set-TargetResource%20functionality%20with%20error%20message%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-434635%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-434635%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318712%22%20target%3D%22_blank%22%3E%40GriffinDodd%3C%2FA%3E%26nbsp%3BDid%20you%20run%20the%26nbsp%3BAdd-RdsAccount%20command%3F%20To%20run%20using%20Service%20Principal%20credentials%20I%20run%20the%
20command%3A%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAdd-RdsAccount%20-DeploymentUrl%20%22%3CA%20href%3D%22https%3A%2F%2Frdbroker.wvd.microsoft.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Frdbroker.wvd.microsoft.com%3C%2FA%3E%22%20-ServicePrincipal%20-AadTenantId%20%22%5Badd-your-id%5D%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThen%20enter%20the%20Service%20Principal%20AppId%20and%20password.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3ERunning%20get-rdscontext%20should%20then%20show%20the%20username%20as%20ServicePrincipal.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-438498%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-438498%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F286984%22%20target%3D%22_blank%22%3E%40tilikumtim%3C%2FA%3E%26nbsp%3BI%20went%20through%20the%20steps%20you%20provided%2C%20however%20my%20username%20is%20returned%20as%20blank%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPS%20C%3A%5CWINDOWS%5Csystem32%26gt%3B%20get-rdscontext%3C%2FP%3E%3CP%3EDeploymentUrl%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%
20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3BTenantGroupName%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20UserName%3CBR%20%2F%3E-------------%20---------------%20--------%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Frdbroker.wvd.microsoft.com%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Frdbroker.wvd.microsoft.com%26nbsp%3B%3C%2FA%3E%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20Default%20Tenant%20Group%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20role%20assignment%20looks%20like%20this..%3CBR%20%2F%3E%3CBR%20%2F%3ERoleAssignmentId%20%3A%20xxxxx-xxxx-xxxx-xxxx-xxxxxxx%3CBR%20%2F%3EScope%20%3A%20%2FDefault%20Tenant%20Group%2FLMRVVDTENANT%2FLMRVpoolname%3CBR%20%2F%3ETenantGroupName%20%3A%20Default%20Tenant%20Group%3CBR%20%2F%3ETenantName%20%3A%20LMRVVDTENANT%3CBR%20%2F%3EHostPoolName%20%3A%20LMRVpoolname%3CBR%20%2F%3EDisplayName%20%3A%3CBR%20%2F%3ESignInName%20%3A%3CBR%20%2F%3EGroupObjectId%20%3A%3CBR%20%2F%3EAADTenantId%20%3A%3CBR%20%2F%3EAppId%20%3A%20xxxxx-xxxx-xxxx-xxxx-xxxxxxx%3CBR%20%2F%3ERoleDefinitionName%20%3A%20RDS%20Owner%3CBR%20%2F%3ERoleDefinitionId%20%3A%20xxxxx-xxxx-xxxx-xxxx-xxxxxxx%3CBR%20%2F%3EObjectId%20%3A%20xxxxx-xxxx-xxxx-xxxx-xxxxxxx%3CBR%20%2F%3EObjectType%20%3A%20ServicePrincipal%3CBR%20%2F%3EI
tem%20%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20inspected%20the%20Manifest%20for%20my%20Svc%20Principal%20and%20noticed%20on%20line%202%20that%20the%20appRoles%20value%20was%20empty%2C%20is%20that%20correct%3F%20Should%20it%20read%20%22RDS%20Owner%22%20%3F%3F%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-439069%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-439069%22%20slang%3D%22en-US%22%3E%3CP%3EAfter%20completely%20remaking%20my%20Tenant%20and%20Service%20Principal%20I%20was%20finally%20able%20to%20to%20get%20a%20successful%20deployment%20using%20my%20UPN%20rather%20than%20AppID%20and%20secret.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%20now%2C%20I%20see%20two%20Session%20Desktops%20(with%20no%20icon)%20in%20my%20rdweb%20feed%2C%20double%20clicking%20either%20of%20them%20errors%20out%20trying%20to%20launch%20an%20rdp%20file%20at%20an%20invalid%20path%20local%20path%20on%20my%20PC.%20Instead%20of%20having%20my%20proper%20name%20of%20%22xxx%20xxx%20Dodd%22%20(my%20user%20folder)%20at%20the%20beginning%20of%20the%20path%2C%20it%20simply%20has%20%22Dodd%22%20so%20obviously%20it%20cannot%20find%20the%20RDP%20file.%20When%20I%20drill%20down%20to%20where%20the%20RDP%20files%20are%20stored%20(along%20with%20their%20icons)%20and%20try%20and%20manually%20launch%20them%20with%20the%20remote%20desktop%20app%20the%20connection%20also%20fails%20with%20the%20error%3CBR%20%2F%3E%3CBR%20%2F%3E%22The%20RDP%20file%20provided%20is%20invalid.%20Make%20sure%20the%20file%20contains%20the%20full%20address%20and%20is%20formatted%20properly%20or%20contact%20your%20admin%20for%20help%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%20when%20in%20Office%20365%2C%20launching%20the%20'Windows%20Virtual%20Desktop'%20app%20resolves%20to%20an%20invalid%20URL%20after%20first%20trying%20to%20hit%20a%20session%20at%20account.activedirectory.
windowsazure.com/applications/signin/xxxxxx and ends at https://mrs-prod.ame.gbl/mrs-RDInfra-prod

I have been able to successfully connect through the web client at
https://rdweb.wvd.microsoft.com/webclient/index.html

although I still see the ghost 'session desktop' icon in my feed from previous failed deployment attempts, so I need to find a way to kill that as that doesn't work.

But progress!!!

@GriffinDodd : You can remove that extra "session desktop" by finding that host pool and app group, and running "Remove-RdsAppGroupUser". You can then also remove the app group (Remove-RdsAppGroup) and host pool (Remove-RdsHostPool).

@GriffinDodd : Currently, when running service principal, the name does not come up. We are tracking this. However, it does show correctly that it is an RDS Owner (if you look at RoleDefinitionName).

Hi All,

My deployment is unable to join ADDS domain.

I continue to get this error, not sure why as I am able to spin up a VM on the VNet and join domain manually. The user is in AAD DC admin group. Am I missing something here?

{ "code": "VMExtensionProvisioningError", "message": "VM has reported a failure when processing extension 'joindomain'. Error message: \"Exception(s) occured while joining Domain '....onmicrosoft.com '\"." }

@heng008 : If you can get to the VM (either through a public IP address or by connecting through another VM on the network), you should be able to check out the errors from the domainJoin extension log. It would be under C:\Packages\ and there should be a folder for domainJoin. There should be a log (or a .status) file down in that folder that should explicitly say what the error is. (This is an extension we don't manage, but use, so that's why I'm uncertain of exact file location.)

@christianmontoya could you explain how to do this, I'm not much of a PowerShell ninja

I have suffered from this no matter what I have tried. I have tried every step, even with someone watching over my shoulder and double-checking my work. Must have tried and failed 40 times, and that included rebuilding a new principal, tearing down tenants, etc... I was doing it because our domains have MFA. I finally said I am just going to try that link that says to Create Host Pool with PowerShell. Was done in 15 minutes.... The SPN/APP needs help. Also, order of Docs seems very off to me. Link to PowerShell build of Hostpool: Create a host pool with PowerShell (https://docs.microsoft.com/en-us/azure/virtual-desktop/create-host-pools-powershell)

@Christopher Anderson

@ccbrownkc : What would be the preferred order to help complete the onboarding?

@Erjen Rijnders wrote:
> And make sure, that the user you are using joining the VM's to the domain, is also having Owner access on the Azure subscription.
> It needs to be able to run PowerShell DSC on the VM's.

@Erjen Rijnders

Do you have any pointers to this? I have not seen this mentioned anywhere else, and I am not satisfied with having a local AD user have owner rights on a subscription.

For other reasons I am going to remove my WVD setup and start over, and I want to be sure to do every little bit right this time :)

Thanks!

@Oletho I think it was in the Microsoft docs at first but not sure. But at least you can try it for testing purposes and take away the permissions later. The deployment of WVD won't tell you if you have not enough permissions on your subscription. But I think the "Virtual Machine Contributor" role should work too.

@Oletho : The local AD user that will domain-join the VMs does not need to have any Azure permissions (my test tenant certainly does not).

@christianmontoya then how is it able to push PowerShell DSC commands? You need permissions on your Azure tenant.

@Erjen Rijnders @christianmontoya

My hostpool succeeded, domain joining with a local AD user (not AAD sync'ed) with no permissions but joining computers to my local AD. Exactly the behaviour I was hoping for.

I cannot tell about the PS DSC question, but all lights are green and I take that as a good sign.

@Erjen Rijnders : The permission to retrieve and run DSC is authorized when you run the template. Afterwards, as long as the VM can reach out and download the DSC package, it will run it (not exactly sure if it runs in the context of the local admin or the Azure VM Agent).

I have tried so many different ways and nothing works. I noticed you said if the user account has MFA the script won't work. Is this the same case for an AD domain-join error when deploying a hostpool?

@christianmontoya 

@christianmontoya I am having the same issue. I am using the default name for the group. I am using an admin account with global enterprise right.

@Masoud515 : Does that user have a valid role assignment? Can you run Get-RdsRoleAssignment ?
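
The two checks suggested in this thread (listing role assignments with Get-RdsRoleAssignment, and removing a leftover host pool with the Remove-Rds* cmdlets) can be run as below. This is an added example, not code posted by anyone in the thread. It assumes the classic Microsoft.RDInfra.RDPowerShell module and a host pool with no registered session hosts; the tenant and host pool names are placeholders, and the output properties other than RoleDefinitionName are assumed from that module.

```powershell
# Added example. Placeholders below are not values from the thread.
Import-Module Microsoft.RDInfra.RDPowerShell
Add-RdsAccount -DeploymentUrl 'https://rdbroker.wvd.microsoft.com'   # interactive sign-in

$TenantName   = '<your-wvd-tenant>'
$HostPoolName = '<leftover-host-pool>'

# 1. Who holds which role on the tenant? An identity with no assignment is
#    the one that gets "not authorized to query the management service".
try {
    $assignments = Get-RdsRoleAssignment -TenantName $TenantName -ErrorAction Stop
} catch {
    Write-Warning "Signed-in identity cannot read tenant '$TenantName': $($_.Exception.Message)"
    return
}
# For a service principal the name can be blank, so read the role and scope.
# SignInName, AppId and Scope are assumed property names.
$assignments | Format-Table RoleDefinitionName, Scope, SignInName, AppId -AutoSize
if (-not ($assignments | Where-Object RoleDefinitionName -eq 'RDS Owner')) {
    Write-Warning "No 'RDS Owner' assignment is visible on tenant '$TenantName'."
}

# 2. Remove a leftover host pool in the order given in the thread:
#    app group users, then app groups, then the host pool itself.
#    Without -Apply the function only lists what it would remove.
function Remove-StaleRdsHostPool {
    param(
        [Parameter(Mandatory)] [string] $TenantName,
        [Parameter(Mandatory)] [string] $HostPoolName,
        [switch] $Apply
    )
    $scope  = @{ TenantName = $TenantName; HostPoolName = $HostPoolName }
    $groups = Get-RdsAppGroup @scope
    foreach ($group in $groups) {
        $users = Get-RdsAppGroupUser @scope -AppGroupName $group.AppGroupName
        foreach ($user in $users) {
            Write-Host "user      $($user.UserPrincipalName) in '$($group.AppGroupName)'"
            if ($Apply) {
                Remove-RdsAppGroupUser @scope -AppGroupName $group.AppGroupName `
                    -UserPrincipalName $user.UserPrincipalName
            }
        }
        Write-Host "app group '$($group.AppGroupName)'"
        if ($Apply) { Remove-RdsAppGroup @scope -Name $group.AppGroupName }
    }
    Write-Host "host pool '$HostPoolName'"
    if ($Apply) { Remove-RdsHostPool -TenantName $TenantName -Name $HostPoolName }
}

# Dry run first; add -Apply once the listing matches what should go.
Remove-StaleRdsHostPool -TenantName $TenantName -HostPoolName $HostPoolName
```

Running the listing before the removal also shows whether the deploying identity holds a broader role than it needs, which is the concern raised above about granting Owner rights just to get a deployment through.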
