SOLVED

New-RdsRoleAssignment : User is not authorized to query the management service

alexander tikhomirov
Contributor

Hello

I am trying to follow this manual to create a service principal name to use on the Azure Portal in the blade for creating a new single host pool:

https://docs.microsoft.com/en-us/azure/virtual-desktop/create-service-principal-role-powershell

 

All commands I am executing using Global Admin.

A new App Registration "Windows Virtual Desktop Svc Principal" was created, but according to the manual the next step is to assign the RDS Owner role to this app.

New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -ApplicationId $svcPrincipal.AppId -TenantGroupName $myTenantGroupName -TenantName $myTenantName

 

After doing this I have an error:

New-RdsRoleAssignment : User is not authorized to query the management service."

 

Any ideas what I missed?

//Alexander

 

5 Replies

The same error when I tried to execute using Global admin account which has Tenant
Get-RdsDiagnosticActivities

//Alexander

@alexander tikhomirov 

Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"
New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -ApplicationId $svcPrincipal.AppId -TenantGroupName $myTenantGroupName -TenantName $myTenantName

 

So this fails for the service principal? What account did you use for the Add-RdsAccount prompt...

@Stefan Georgiev 

I used my Global Admin credential. When I check, the same account has the RDS Owner role, and this account was also used to create the new WVD tenant.

//Alexander

Solution
It was my bad. I successfully executed this command to grant the RDS Owner permission to "Windows Virtual Desktop Svc Principal"; I had just used the wrong TenantName.

//Alexander

@alexander tikhomirov You are obviously trying to follow the same guide I am trying to follow. Did you use your Azure AD tenant name here: $myTenantName = "blahblahblah.onmicrosoft.com", or did you use what was defined in this command: New-RdsTenant -Name blahblahblahblahblah?
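
A pre-flight check for the mistake identified in the solution above, as an added example that is not part of the original thread or of the linked guide: it compares the intended TenantName against what the broker reports for the signed-in account before granting RDS Owner, then reads the assignment back. It assumes the Microsoft.RDInfra.RDPowerShell module is installed and that `$svcPrincipal` exists from the guide's earlier step; the placeholder tenant name and the `$visible`/`$match` variables are illustrative.

```powershell
# Added example. Assumes the Microsoft.RDInfra.RDPowerShell module and a
# $svcPrincipal object created in the earlier step of the guide.
Import-Module -Name Microsoft.RDInfra.RDPowerShell

# Sign in to the broker (interactive prompt), as in the reply above.
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"

# Placeholder: the tenant name you intend to pass to New-RdsRoleAssignment.
$myTenantName = "<tenant name to check>"

# List the tenants the signed-in account can actually see in its current
# tenant group context, so the name can be compared instead of guessed.
$visible = @(Get-RdsTenant)
$visible | Format-Table TenantGroupName, TenantName, AadTenantId

# Refuse to assign anything unless exactly one visible tenant has that name.
$match = @($visible | Where-Object { $_.TenantName -eq $myTenantName })
if ($match.Count -ne 1) {
    throw "No single tenant named '$myTenantName' is visible to this account; not assigning a role."
}

# Assign at the scope the service itself reported, not at a typed-in string.
New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" `
    -ApplicationId $svcPrincipal.AppId `
    -TenantGroupName $match[0].TenantGroupName `
    -TenantName $match[0].TenantName

# Read the assignment back and confirm role and scope for the service principal.
# Property names are assumed from the module's default output; confirm with Get-Member.
Get-RdsRoleAssignment -TenantName $match[0].TenantName |
    Where-Object { $_.AppId -eq $svcPrincipal.AppId } |
    Format-List RoleDefinitionName, Scope, AppId
```

Reading the assignment back also shows the scope at which RDS Owner was granted, which is worth recording when the service principal's secret is later handed to a deployment template.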
