Mar 26 2019 10:55 AM
When following the directions below, I always run into an error related to querying the management service.
https://docs.microsoft.com/en-us/azure/virtual-desktop/create-host-pools-azure-marketplace
Error message from the Azure portal:
"error": { "code": "VMExtensionProvisioningError", "message": "VM has reported a failure when processing extension 'dscextension'. Error message: \"DSC Configuration 'FirstSessionHost' completed with error(s). Following are the first few: PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with error message: User is not authorized to query the management service.
I'm logged in as a user that is in the Global Admin role in Azure AD, and it's also a user in the Windows Virtual Desktop enterprise application. I've consented to the Graph and Azure AD permissions under the enterprise app as well. Any ideas?
Apr 12 2019 02:04 PM
@heng008 : If you can get to the VM (either through a public IP address or by connecting through another VM on the network), you should be able to check out the errors from the domainJoin extension log. It would be under C:\Packages\ and there should be a folder for domainJoin. There should be a log (or a .status) file down in that folder that should explicitly say what the error is. (This is an extension we don't manage, but use, so that's why I'm uncertain of exact file location.)
Apr 12 2019 02:18 PM
@Christian_Montoya could you explain how to do this, I'm not much of a powershell ninja
Apr 12 2019 06:13 PM
I have suffered from this no matter what I have tried. I have tried every step, even with someone watching over my shoulder and double-checking my work. Must have tried and failed 40 times, and that included rebuilding a new principal, tearing down tenants, etc. I was doing it because our domains have MFA. I finally said I am just going to try that link that says to Create Host Pool with PowerShell. Was done in 15 minutes... The SPN/app needs help. Also, the order of the docs seems very off to me. Link to the PowerShell build of a host pool: Create a host pool with PowerShell
Apr 17 2019 01:20 PM
@ccbrownkc : What would be the preferred order to help complete the onboarding?
Jun 13 2019 10:24 PM
@Erjen Rijnders wrote: And make sure that the user you are using for joining the VMs to the domain also has Owner access on the Azure subscription.
It needs to be able to run PowerShell DSC on the VMs.
Do you have any pointers to this? I have not seen this mentioned anywhere else, and I am not satisfied with having a local AD user have owner rights on a subscription.
For other reasons I am going to remove my WVD setup and start over, and I want to be sure to do every little bit right this time :)
Thanks!
Jun 14 2019 12:19 AM
@Oletho I think it was in the Microsoft docs at first, but I'm not sure. But at least you can try it for testing purposes and take away the permissions later. The deployment of WVD won't tell you if you don't have enough permissions on your subscription. But I think the "Virtual Machine Contributor" role should work too.
Jun 14 2019 09:19 AM
@Oletho : The local AD user that will domain-join the VMs does not need to have any Azure permissions (my test tenant certainly does not).
Jun 14 2019 11:44 PM
@Christian_Montoya then how is it able to push PowerShell DSC commands? You need permissions on your Azure tenant.
Jun 15 2019 09:38 PM
@Erjen Rijnders @christianmontoya
My host pool succeeded, domain joining with a local AD user (not AAD-synced) with no permissions other than joining computers to my local AD. Exactly the behaviour I was hoping for.
I cannot tell about the PS DSC question, but all lights are green and I take that as a good sign.
Jun 17 2019 03:03 PM
@Erjen Rijnders : The permission to retrieve and run DSC is authorized when you run the template. Afterwards, as long as the VM can reach out and download the DSC package, it will run it (not exactly sure if it runs in the context of the local admin or the Azure VM Agent).
Nov 04 2019 02:38 PM
I have tried so many different ways and nothing works. I noticed you said if the user account has MFA the script won't work. Is this the same case for an AD domain-join error when deploying a host pool?
Nov 19 2019 10:26 AM
@Christian_Montoya I am having the same issue. I am using the default name for the group. I am using an admin account with global enterprise rights.
Nov 19 2019 10:30 AM
@Masoud515 : Does that user have a valid role assignment? Can you run Get-RdsRoleAssignment ?
Feb 28 2020 11:39 PM
I had exactly the same issue before (getting an error message of "Error: User is not authorized to query the management service...").
But I got a fix for this issue by running this extra PowerShell command below:
Get-RdsDiagnosticActivities -TenantName <your tenant name>
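The two checks suggested in this thread, Christian's Get-RdsRoleAssignment question and the Get-RdsDiagnosticActivities call above, combined into one added PowerShell script. This is example code, not from the thread or from Microsoft; it assumes the Microsoft.RDInfra.RDPowerShell module is installed, that the tenant name and sign-in name are replaced with real values, and that the role-assignment objects expose SignInName and RoleDefinitionName and the diagnostic activities expose an Errors collection with ErrorMessage (property names as I remember them from the module; verify with Get-Member).

```powershell
# Added example, not from the thread. Assumes the Microsoft.RDInfra.RDPowerShell
# module; tenant and sign-in names are placeholders.
Import-Module Microsoft.RDInfra.RDPowerShell

$tenantName = 'Contoso-WVD'                     # placeholder: your RDS tenant name
$signInName = 'admin@contoso.onmicrosoft.com'   # placeholder: the account you sign in with

Add-RdsAccount -DeploymentUrl 'https://rdbroker.wvd.microsoft.com'

# 1. Does the signed-in account hold any RDS role on the tenant? Without one the
#    broker answers every query with "User is not authorized to query the
#    management service", which is what the DSC script surfaces during deployment.
try {
    $assignments = Get-RdsRoleAssignment -TenantName $tenantName
} catch {
    Write-Warning "Cannot list role assignments on '$tenantName': $($_.Exception.Message)"
    Write-Warning 'Either the tenant name is wrong or this account has no RDS role on it at all.'
    return
}

$mine = $assignments | Where-Object { $_.SignInName -eq $signInName }   # property name assumed
if (-not $mine) {
    Write-Warning "$signInName has no role assignment on tenant '$tenantName'."
    Write-Warning 'An RDS Owner must grant one, e.g. New-RdsRoleAssignment -RoleDefinitionName "RDS Contributor" -SignInName <upn> -TenantName <tenant>.'
} else {
    $mine | Select-Object SignInName, RoleDefinitionName, Scope | Format-Table -AutoSize
}

# 2. Service-side view of recent failures: which operation failed, for whom, and
#    the first error the broker recorded. Parameter names other than -TenantName
#    are as I recall them from the module; check Get-Help Get-RdsDiagnosticActivities.
$since = (Get-Date).AddDays(-1)
Get-RdsDiagnosticActivities -TenantName $tenantName -StartTime $since -Outcome Failure -Detailed |
    Select-Object ActivityType, StartTime, UserName,
        @{ Name = 'FirstError'; Expression = { ($_.Errors | Select-Object -First 1).ErrorMessage } } |
    Format-Table -AutoSize -Wrap
```

If step 1 throws for every account, including the one that created the tenant, check that you are signed in to the right Azure AD tenant; Add-RdsAccount picks the home tenant of the credential, not the one selected in the portal.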
Mar 25 2020 11:27 AM
What worked for me in a lab environment:
I had one user, the one I registered Azure with, and a new administrator account for all activities.
The administrator had all roles but not the TenantCreator assignment, so I added this to the administrator.
Enterprise applications > Virtual desktop > users and groups > add user > select on the right side godzilla > tenantcreator (was selected by default - lab...) > next > finish
You need to log in again to apply.
Open a new PowerShell.
Log in with
Add-RdsAccount -deploymenturl "https://rdbroker.wvd.microsoft.com"
Run
New-RdsTenant -Name <TenantName> -AadTenantId <AadTenantID/TenantID> -AzureSubscriptionID <AzureSubscriptionID>
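The procedure above as one added PowerShell script, with the checks I would want around it: it only creates the tenant if it does not already exist, and it grants the deployment service principal an explicit RDS role on the new tenant and verifies that grant from the service principal's own sign-in (the situation the later posts in this thread describe). This is example code, not from the thread or from Microsoft; the tenant name, the GUIDs and the choice of 'RDS Contributor' for the service principal are assumptions. The posters in this thread used 'RDS Owner' for their service principals; if your template fails with the Contributor role, that is the role to fall back to. Property names on the returned objects are also assumed.

```powershell
# Added example, not from the thread. Assumes the Microsoft.RDInfra.RDPowerShell
# module; all names and GUIDs are placeholders.
Import-Module Microsoft.RDInfra.RDPowerShell

$tenantName   = 'Contoso-WVD'
$aadTenantId  = '00000000-0000-0000-0000-000000000000'   # Azure AD tenant (directory) id
$subscription = '00000000-0000-0000-0000-000000000000'   # Azure subscription id
$spAppId      = '00000000-0000-0000-0000-000000000000'   # application id of the deployment service principal
$brokerUrl    = 'https://rdbroker.wvd.microsoft.com'

# Fresh session as the account that now holds the TenantCreator app role; the
# role must be in the token, which is why the poster had to sign in again.
Add-RdsAccount -DeploymentUrl $brokerUrl

# Create the tenant only once.
$tenant = Get-RdsTenant -Name $tenantName -ErrorAction SilentlyContinue
if (-not $tenant) {
    $tenant = New-RdsTenant -Name $tenantName -AadTenantId $aadTenantId -AzureSubscriptionId $subscription
    Write-Host "Created tenant '$tenantName'"
} else {
    Write-Host "Tenant '$tenantName' already exists; skipping New-RdsTenant"
}

# The creating user is RDS Owner. Give the service principal that runs the host
# pool template its own, narrower role rather than re-using a user's identity.
# (-ApplicationId filter and the Contributor role are assumptions; see lead-in.)
$spAssignment = Get-RdsRoleAssignment -TenantName $tenantName -ApplicationId $spAppId -ErrorAction SilentlyContinue
if (-not $spAssignment) {
    New-RdsRoleAssignment -RoleDefinitionName 'RDS Contributor' -ApplicationId $spAppId -TenantName $tenantName
}
Get-RdsRoleAssignment -TenantName $tenantName | Format-Table -AutoSize

# Verify from the service principal's side: sign in as the SP and confirm the
# broker answers. If this throws "not authorized", the template will fail the same way.
$spSecret = Read-Host -Prompt 'Service principal client secret' -AsSecureString
$spCred   = New-Object System.Management.Automation.PSCredential($spAppId, $spSecret)
Add-RdsAccount -DeploymentUrl $brokerUrl -Credential $spCred -ServicePrincipal -AadTenantId $aadTenantId
Get-RdsTenant -Name $tenantName | Select-Object TenantName, AadTenantId, AzureSubscriptionId
```

Keep the secret out of the script file and out of shell history (hence Read-Host with -AsSecureString); the service principal only needs to exist for as long as you deploy host pools with the template, and its role assignment can be removed afterwards.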
Mar 31 2020 08:02 AM
Hi everyone,
I confirm that I have the same error when using a service principal in an Azure AD DS environment.
We didn't have the issue with an AD DS DC installed on a VM; it is the only difference I have noticed between both configurations.
I don't know if it can help, but I have noticed that when authenticating with the service principal I can only see the service principal's role assignment. With my user account I see all role assignments, even though we both have the "RDS Owner" role.
On the left, my user account; on the right, my service principal.
Regards,
James
Apr 01 2020 12:20 AM
@GriffinDodd my deployment was successful, but I cannot see any deployed resources on https://rdweb.wvd.microsoft.com/webclient, although I can access the WVD VM that was deployed through the WVD setup via RDP login. Please suggest. I used the same user with Global Admin access in AD and also assigned the Tenant Creator permissions.
Apr 01 2020 08:41 AM
@chhabrag : Did you assign the user to the application group (Add-RdsAppGroupUser)? This is the action that assigns to the user and makes it visible in whichever client you use.
Apr 01 2020 06:09 PM
@Christian_Montoya Thanks, I sorted that by assigning the user access, but after deployment I am not able to access a remote session. Last night I shut down the VM and this morning I am getting an error and found no heartbeat.
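An added PowerShell example, not from the thread or from Microsoft, for the two things the last posts turn on: the Add-RdsAppGroupUser assignment Christian points to, and a check of session host status for the "no heartbeat" symptom. It assumes the Microsoft.RDInfra.RDPowerShell module, placeholder tenant, host pool, app group and user names, that Get-RdsAppGroupUser returns objects with a UserPrincipalName property, and that Get-RdsSessionHost exposes Status and LastHeartBeat (property names as I remember them; verify with Get-Member).

```powershell
# Added example, not from the thread. Names are placeholders; property names on
# the returned objects are assumptions.
Import-Module Microsoft.RDInfra.RDPowerShell
Add-RdsAccount -DeploymentUrl 'https://rdbroker.wvd.microsoft.com'

$tenantName   = 'Contoso-WVD'
$hostPoolName = 'HostPool1'
$appGroupName = 'Desktop Application Group'   # name the template gives the default desktop app group
$userUpn      = 'user1@contoso.com'

# 1. Publish the desktop to the user. Without this assignment the deployment is
#    "green" but the web client and the desktop client show nothing.
$assigned = Get-RdsAppGroupUser -TenantName $tenantName -HostPoolName $hostPoolName -AppGroupName $appGroupName
if (@($assigned.UserPrincipalName) -notcontains $userUpn) {
    Add-RdsAppGroupUser -TenantName $tenantName -HostPoolName $hostPoolName -AppGroupName $appGroupName -UserPrincipalName $userUpn
    Write-Host "Assigned $userUpn to '$appGroupName'"
} else {
    Write-Host "$userUpn is already assigned to '$appGroupName'"
}

# 2. A visible desktop still needs a session host the broker can reach. A VM that
#    was shut down, or whose agent lost contact with the broker, shows up here as
#    a non-Available status and a stale LastHeartBeat.
$hosts = Get-RdsSessionHost -TenantName $tenantName -HostPoolName $hostPoolName
$hosts | Select-Object SessionHostName, Status, AllowNewSession, Sessions, LastHeartBeat | Format-Table -AutoSize

foreach ($h in ($hosts | Where-Object { $_.Status -ne 'Available' })) {
    Write-Warning ("{0} is {1} (last heartbeat {2}). Check that the VM is running, then the " +
                   "RDAgent and RDAgentBootLoader services on it, then the agent's own event log.") -f
                   $h.SessionHostName, $h.Status, $h.LastHeartBeat
}
```

Deallocating a session host from the Azure portal is fine, but the broker keeps listing it until it reports in again; if the status stays off after the VM is back, the agent on the host, not the user assignment, is where to look next.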