Home

New-RdsAppGroup error

%3CLINGO-SUB%20id%3D%22lingo-sub-959212%22%20slang%3D%22en-US%22%3ENew-RdsAppGroup%20error%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-959212%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI've%20deployed%20a%20host%20pool%2C%20and%20have%20no%20problem%20logging%20in%20and%20installing%20apps.%26nbsp%3B%20Now%20I%20want%20to%20set%20up%20RemoteApp%2C%20but%20when%20I%20run%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENew-RdsAppGroup%20tenantname.onmicrosoft.com%20Hostpoolname%20Appgroupname%20-ResourceType%20%22RemoteApp%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20get%20this%20error%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENew-RdsAppGroup%20%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service.%3CBR%20%2F%3EActivityId%3A%202864fdf4-7092-4584-a0f8-4fbb8dd6f49b%3CBR%20%2F%3EPowershell%20commands%20to%20diagnose%20the%20failure%3A%3CBR%20%2F%3EGet-RdsDiagnosticActivities%20-ActivityId%202864fdf4-7092-4584-a0f8-4fbb8dd6f49b%3CBR%20%2F%3EAt%20line%3A1%20char%3A1%3CBR%20%2F%3E%2B%20New-RdsAppGroup%20tenantname.onmicrosoft.com%20Hostpoolname%20Appgroupnam%20...%3CBR%20%2F%3E%2B%20~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~%3CBR%20%2F%3E%2B%20CategoryInfo%20%3A%20FromStdErr%3A%20(Microsoft.RDInf....NewRdsAppGroup%3ANewRdsAppGroup)%20%5BNew-RdsAppGroup%5D%2C%20RdsPow%3CBR%20%2F%3EerShellException%3CBR%20%2F%3E%2B%20FullyQualifiedErrorId%20%3A%20UnauthorizedAccess%2CMicrosoft.RDInfra.RDPowershell.AppGroup.NewRdsAppGroup%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnd%20running%20the%20suggested%26nbsp%3BGet-RdsDiagnosticActivities%20returns%20the%20same%20error.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20running%20this%20as%20the%20global%20admin%2C%20who%20is%20also%20an%20RDS%20Owner.%26nbsp%3B%20Appreciate%20any%20help...%20thanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-963755%22%20slang%3D%22en-US%22%3ERe%3A%20New-RdsAppGroup%20error%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-963755%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F431201%22%20target%3D%22_blank%22%3E%40DavidMagrathSmith%3C%2FA%3E%26nbsp%3B%3A%20Can%20you%20start%20by%20running%20%22Get-RdsRoleAssignment%22%20and%20specifying%20the%20tenant%3F%20Then%20with%20the%20tenant%20and%20host%20pool%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAlso%2C%20it%20might%20just%20be%20that%20you%20left%20the%20PowerShell%20session%20open%2C%20in%20which%20case%20you%20need%20to%20log%20out%20and%20log%20back%20in%20to%20refresh%20your%20Azure%20AD%20token.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-963901%22%20slang%3D%22en-US%22%3ERe%3A%20New-RdsAppGroup%20error%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-963901%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3BHere's%20what%20I%20have%20for%20role%20assignments.%26nbsp%3B%20The%20second%20one%20(the%20service%20principal)%20was%20never%20used%20because%20the%20host%20pool%20creation%20on%20the%20marketplace%20would%20always%20fail%20with%20the%20same%20%22%3CSPAN%3EUser%20is%20not%20authorized%20to%20query%20the%20management%20service%22%26nbsp%3B%3C%2FSPAN%3Eerror.%26nbsp%3B%20So%20I%20ended%20up%20creating%20the%20host%20pool%20with%20my%20UPN%20instead.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERoleAssignmentId%20%3A%20302c9ef6-f57a-4be1-2187-08d751db72f6%3CBR%20%2F%3EScope%20%3A%20%2FDefault%20Tenant%20Group%2FTenantname%3CBR%20%2F%3ETenantGroupName%20%3A%20Default%20Tenant%20Group%3CBR%20%2F%3ETenantName%20%3A%20Tenantname%3CBR%20%2F%3EDisplayName%20%3A%20Amy%20Sfakios%3CBR%20%2F%3ESignInName%20%3A%20amy%40altaxprep.com%3CBR%20%2F%3EGroupObjectId%20%3A%20cb94329e-f164-446d-9108-8fab6a39f41d%3CBR%20%2F%3EAADTenantId%20%3A%20ca33ca83-5314-4ab0-81a8-c23a97718057%3CBR%20%2F%3EAppId%20%3A%20fa4345a4-a730-4230-84a8-7d9651b86739%3CBR%20%2F%3ERoleDefinitionName%20%3A%20RDS%20Owner%3CBR%20%2F%3ERoleDefinitionId%20%3A%203b14baea-8d82-4610-f5da-08d623dd1cc4%3CBR%20%2F%3EObjectId%20%3A%20d82af3d3-4e0c-400d-f5fc-08d750e946f0%3CBR%20%2F%3EObjectType%20%3A%20User%3CBR%20%2F%3EItem%20%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERoleAssignmentId%20%3A%2035a5f471-3313-4797-c489-08d756666d7a%3CBR%20%2F%3EScope%20%3A%20%2FDefault%20Tenant%20Group%2FTenantname%2FHostpoolname%3CBR%20%2F%3ETenantGroupName%20%3A%20Default%20Tenant%20Group%3CBR%20%2F%3ETenantName%20%3A%20Tenantname%3CBR%20%2F%3EHostPoolName%20%3A%20Hostpoolname%3CBR%20%2F%3EDisplayName%20%3A%3CBR%20%2F%3ESignInName%20%3A%3CBR%20%2F%3EGroupObjectId%20%3A%2000000000-0000-0000-0000-000000000000%3CBR%20%2F%3EAADTenantId%20%3A%20ca33ca83-5314-4ab0-81a8-c23a97718057%3CBR%20%2F%3EAppId%20%3A%207f1a85b3-49d1-4a06-a88c-da005bdb3b43%3CBR%20%2F%3ERoleDefinitionName%20%3A%20RDS%20Owner%3CBR%20%2F%3ERoleDefinitionId%20%3A%203b14baea-8d82-4610-f5da-08d623dd1cc4%3CBR%20%2F%3EObjectId%20%3A%2009a7de92-caf2-48ad-06bb-08d75666623e%3CBR%20%2F%3EObjectType%20%3A%20ServicePrincipal%3CBR%20%2F%3EItem%20%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMaybe%20the%20problem%20is%20that%20the%20role%20assignment%20for%20my%20UPN%20is%20not%20scoped%20to%20the%20pool%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%3C%2FP%3E%3CP%3EDave%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1000770%22%20slang%3D%22en-US%22%3ERe%3A%20New-RdsAppGroup%20error%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1000770%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F431201%22%20target%3D%22_blank%22%3E%40DavidMagrathSmith%3C%2FA%3E%26nbsp%3B%3A%20Did%20you%20get%20any%20further%20on%20this%3F%20Primarily%2C%20it's%20a%20little%20challenging%20to%20troubleshoot%20permissions%2Faccess%20without%20specific%20details.%20If%20you%20have%20official%20support%20through%20Azure%2C%20I'd%20recommend%20going%20that%20way%20and%20they%20might%20be%20able%20to%20get%20down%20to%20the%20root%20cause.%20Just%20a%20notice%20though%3A%20even%20if%20you%20have%20a%20Global%20Admin%20account%2C%20that%26nbsp%3B%3CSTRONG%3Edoes%20not%26nbsp%3B%3C%2FSTRONG%3Eautomatically%20give%20you%20access%20to%20manage%20WVD.%3C%2FP%3E%3C%2FLINGO-BODY%3E
DavidMagrathSmith
New Contributor

Hi,

 

I've deployed a host pool, and have no problem logging in and installing apps.  Now I want to set up RemoteApp, but when I run:

 

New-RdsAppGroup tenantname.onmicrosoft.com Hostpoolname Appgroupname -ResourceType "RemoteApp"

 

I get this error:

 

New-RdsAppGroup : User is not authorized to query the management service.
ActivityId: 2864fdf4-7092-4584-a0f8-4fbb8dd6f49b
Powershell commands to diagnose the failure:
Get-RdsDiagnosticActivities -ActivityId 2864fdf4-7092-4584-a0f8-4fbb8dd6f49b
At line:1 char:1
+ New-RdsAppGroup tenantname.onmicrosoft.com Hostpoolname Appgroupnam ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : FromStdErr: (Microsoft.RDInf....NewRdsAppGroup:NewRdsAppGroup) [New-RdsAppGroup], RdsPow
erShellException
+ FullyQualifiedErrorId : UnauthorizedAccess,Microsoft.RDInfra.RDPowershell.AppGroup.NewRdsAppGroup

 

And running the suggested Get-RdsDiagnosticActivities returns the same error.

 

I'm running this as the global admin, who is also an RDS Owner.  Appreciate any help... thanks!

3 Replies

@DavidMagrathSmith : Can you start by running "Get-RdsRoleAssignment" and specifying the tenant? Then with the tenant and host pool?

 

Also, it might just be that you left the PowerShell session open, in which case you need to log out and log back in to refresh your Azure AD token.

@christianmontoya Here's what I have for role assignments.  The second one (the service principal) was never used because the host pool creation on the marketplace would always fail with the same "User is not authorized to query the management service" error.  So I ended up creating the host pool with my UPN instead.

 

RoleAssignmentId : 302c9ef6-f57a-4be1-2187-08d751db72f6
Scope : /Default Tenant Group/Tenantname
TenantGroupName : Default Tenant Group
TenantName : Tenantname
DisplayName : Amy Sfakios
SignInName : amy@altaxprep.com
GroupObjectId : cb94329e-f164-446d-9108-8fab6a39f41d
AADTenantId : ca33ca83-5314-4ab0-81a8-c23a97718057
AppId : fa4345a4-a730-4230-84a8-7d9651b86739
RoleDefinitionName : RDS Owner
RoleDefinitionId : 3b14baea-8d82-4610-f5da-08d623dd1cc4
ObjectId : d82af3d3-4e0c-400d-f5fc-08d750e946f0
ObjectType : User
Item :

 

RoleAssignmentId : 35a5f471-3313-4797-c489-08d756666d7a
Scope : /Default Tenant Group/Tenantname/Hostpoolname
TenantGroupName : Default Tenant Group
TenantName : Tenantname
HostPoolName : Hostpoolname
DisplayName :
SignInName :
GroupObjectId : 00000000-0000-0000-0000-000000000000
AADTenantId : ca33ca83-5314-4ab0-81a8-c23a97718057
AppId : 7f1a85b3-49d1-4a06-a88c-da005bdb3b43
RoleDefinitionName : RDS Owner
RoleDefinitionId : 3b14baea-8d82-4610-f5da-08d623dd1cc4
ObjectId : 09a7de92-caf2-48ad-06bb-08d75666623e
ObjectType : ServicePrincipal
Item :

 

Maybe the problem is that the role assignment for my UPN is not scoped to the pool?

 

Thanks,

Dave

@DavidMagrathSmith : Did you get any further on this? Primarily, it's a little challenging to troubleshoot permissions/access without specific details. If you have official support through Azure, I'd recommend going that way and they might be able to get down to the root cause. Just a notice though: even if you have a Global Admin account, that does not automatically give you access to manage WVD.

Related Conversations
Extentions Synchronization
Deleted in Discussions on
3 Replies
Tabs and Dark Mode
cjc2112 in Discussions on
35 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
29 Replies