Error: User is not authorized to query the management service


When following the directions below, I always run into an error related to querying the management service.


https://docs.microsoft.com/en-us/azure/virtual-desktop/create-host-pools-azure-marketplace


Error message from the Azure portal:

"error": { "code": "VMExtensionProvisioningError", "message": "VM has reported a failure when processing extension 'dscextension'. Error message: \"DSC Configuration 'FirstSessionHost' completed with error(s). Following are the first few: PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with error message: User is not authorized to query the management service.

I'm logged in as a user that is in the global admin role in Azure AD, and it's also a user in the Windows Virtual Desktop enterprise application. I've consented to the Graph and Azure AD permissions under the enterprise app as well. Any ideas?

59 Replies

@heng008 : If you can get to the VM (either through a public IP address or by connecting through another VM on the network), you should be able to check out the errors from the domainJoin extension log. It would be under C:\Packages\ and there should be a folder for domainJoin. There should be a log (or a .status) file down in that folder that should explicitly say what the error is. (This is an extension we don't manage, but use, so that's why I'm uncertain of exact file location.)

@Christian_Montoya could you explain how to do this, I'm not much of a powershell ninja

I have suffered from this no matter what I have tried. I have tried every step, even with someone watching over my shoulder and double checking my work. Must have tried and failed 40 times, and that included rebuilding a new principal, tearing down tenants etc... I was doing it because our domains have MFA. I finally said I am just going to try that link that says to Create Host Pool with PowerShell. Was done in 15 minutes.... The SPN/APP needs help. Also, the order of the docs seems very off to me. Link to the PowerShell build of a host pool: Create a host pool with PowerShell

@Christopher Anderson 

@ccbrownkc : What would be the preferred order to help complete the onboarding?

@Erjen Rijnders wrote:

And make sure that the user you are using to join the VMs to the domain also has Owner access on the Azure subscription.
It needs to be able to run PowerShell DSC on the VMs.


@Erjen Rijnders 


Do you have any pointers to this? I have not seen this mentioned anywhere else, and I am not satisfied with having a local AD user have owner rights on a subscription.


For other reasons I am going to remove my WVD setup and start over, and I want to be sure to do every little bit right this time :)


Thanks!

@Oletho I think it was in the Microsoft docs at first, but I'm not sure. But at least you can try it for testing purposes and take away the permissions later. The deployment of WVD won't tell you if you do not have enough permissions on your subscription. But I think the "Virtual Machine Contributor" role should work too.

@Oletho : The local AD user that will domain-join the VMs does not need to have any Azure permissions (my test tenant certainly does not). 

@Christian_Montoya then how is it able to push PowerShell DSC commands? You need permissions on your Azure tenant.

@Erjen Rijnders @christianmontoya


My host pool succeeded, domain joining with a local AD user (not AAD synced) with no permissions other than joining computers to my local AD. Exactly the behaviour I was hoping for.


I cannot tell about the PS DSC question, but all lights are green and I take that as a good sign.

@Erjen Rijnders : The permission to retrieve and run DSC is authorized when you run the template. Afterwards, as long as the VM can reach out and download the DSC package, it will run it (not exactly sure if it runs in the context of the local admin or the Azure VM Agent).

I have tried so many different ways and nothing works. I noticed you said if the user account has MFA the script won't work. Is this the same case for an AD domain-join error when deploying a host pool?

@Christian_Montoya 

@Christian_Montoya I am having the same issue. I am using the default name for the group. I am using an admin account with global enterprise rights.


@Masoud515 : Does that user have a valid role assignment? Can you run Get-RdsRoleAssignment?

@Christopher Anderson 

I had exactly the same issue before (getting the error message "Error: User is not authorized to query the management service...").


But I got a fix for this issue by running this extra PowerShell command below:


Get-RdsDiagnosticActivities -TenantName <your tenant name>

What worked for me in a lab environment:

I had one user that is the one I registered Azure with, and a new administrator account for all activities.

The administrator had all roles, but not the assignment TenantCreator. So I added this to the administrator.


Enterprise applications > Virtual desktop > users and groups > add user > select on the right side godzilla > tenantcreator (was selected by default - lab...)  > next > finish


You need to log in again for it to apply.

Open a new PowerShell window and log in with:

Add-RdsAccount -deploymenturl "https://rdbroker.wvd.microsoft.com"

then run:

New-RdsTenant -Name <TenantName> -AadTenantId <AadTenantID/TenantID> -AzureSubscriptionID <AzureSubscriptionID>
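The steps above (TenantCreator assignment, fresh sign-in, then tenant creation) are where a missing role assignment first shows up. The following is an added PowerShell script, not from the poster above, that checks the signed-in account's role assignments before creating anything, so an unauthorized account is reported instead of silently failing later in the DSC extension. It assumes the classic Microsoft.RDInfra.RDPowerShell module, that Get-RdsTenant / Get-RdsRoleAssignment surface the "not authorized" error for an account without a role, and that the role-assignment objects expose SignInName, RoleDefinitionName and Scope; the tenant, AAD tenant and subscription values are placeholders.

```powershell
# Added example: confirm the signed-in account holds an RDS role in the tenant before
# deploying a host pool. Assumes the classic Microsoft.RDInfra.RDPowerShell module.
$deploymentUrl  = 'https://rdbroker.wvd.microsoft.com'
$tenantName     = '<TenantName>'            # placeholder
$aadTenantId    = '<AadTenantId>'           # placeholder
$subscriptionId = '<AzureSubscriptionId>'   # placeholder

Import-Module Microsoft.RDInfra.RDPowerShell -ErrorAction Stop

# Sign in interactively as the account you will deploy with. Sign in again after
# changing the TenantCreator assignment; a cached token will not carry the new role.
Add-RdsAccount -DeploymentUrl $deploymentUrl

$tenant = $null
try {
    $tenant = Get-RdsTenant -Name $tenantName -ErrorAction Stop
} catch {
    # The broker returns the same "not authorized" text the DSC extension later reports.
    if ($_.Exception.Message -match 'not authorized') {
        Write-Warning "Account is not authorized against the management service: $($_.Exception.Message)"
        Write-Warning 'Check the TenantCreator assignment on the Windows Virtual Desktop enterprise app and the RDS role assignments on the tenant, then sign in again.'
        return
    }
    # Any other error (for example the tenant does not exist yet) falls through to creation.
}

if ($tenant) {
    Write-Host "Tenant '$tenantName' found; role assignments visible to this account:"
    # Assumption: these property names match the classic module's role-assignment objects.
    Get-RdsRoleAssignment -TenantName $tenantName |
        Select-Object SignInName, RoleDefinitionName, Scope |
        Format-Table -AutoSize
} else {
    Write-Host "Tenant '$tenantName' not found; creating it (requires TenantCreator)."
    New-RdsTenant -Name $tenantName -AadTenantId $aadTenantId -AzureSubscriptionId $subscriptionId
}
```

Running this with a service principal instead of a user account lists only the role assignments that principal can see, which matches the observation further down the thread; the check still tells you whether the account used for the deployment has an RDS Owner or Contributor assignment at all.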


Hi everyone,


I confirm that I have the same error when using a service principal in an Azure AD DS environment.

We didn't have the issue with an AD DS DC installed on a VM; it is the only difference I have noticed between both configurations.


I don't know if it can help but I have noticed that when authenticating with the Service Principal I can only see the Service Principal role assignment. With my user account I do see all role assignments even if we both have the "RDS Owner" role.


On the left, my user account; on the right, my service principal.



Regards,

James

@GriffinDodd my deployment was successful and I cannot see any deployed resources on https://rdweb.wvd.microsoft.com/webclient, but I can access the WVD VM through RDP login which got deployed through the WVD setup. Please suggest. I used the same user with Global Admin access to AD and also assigned the tenant creator permissions.

@chhabrag : Did you assign the user to the application group (Add-RdsAppGroupUser)? This is the action that assigns to the user and makes it visible in whichever client you use.
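As an added example (not the reply author's code), here is a PowerShell snippet that performs that assignment idempotently and then reads it back together with the session host state, so an empty web client can be told apart from a host that is not reporting in. It assumes the classic Microsoft.RDInfra.RDPowerShell module, that the default application group name "Desktop Application Group" was kept when the host pool was created, and that Get-RdsSessionHost exposes Status, AllowNewSession and LastHeartBeat; the tenant, host pool and user values are placeholders.

```powershell
# Added example: assign a user to the desktop application group and verify the result.
# Assumes the classic Microsoft.RDInfra.RDPowerShell module.
$tenantName   = '<TenantName>'                 # placeholder
$hostPoolName = '<HostPoolName>'               # placeholder
$appGroupName = 'Desktop Application Group'    # default app group created with the host pool
$userUpn      = 'user@contoso.example'         # placeholder UPN of the user to publish to

Import-Module Microsoft.RDInfra.RDPowerShell -ErrorAction Stop
Add-RdsAccount -DeploymentUrl 'https://rdbroker.wvd.microsoft.com'

# Only add the user if they are not already assigned (UPN comparison is case-insensitive).
$existing = Get-RdsAppGroupUser -TenantName $tenantName -HostPoolName $hostPoolName -AppGroupName $appGroupName
if ($existing.UserPrincipalName -notcontains $userUpn) {
    Add-RdsAppGroupUser -TenantName $tenantName -HostPoolName $hostPoolName `
        -AppGroupName $appGroupName -UserPrincipalName $userUpn
}

# Read the assignment back: this is what makes the desktop appear in the web client.
Get-RdsAppGroupUser -TenantName $tenantName -HostPoolName $hostPoolName -AppGroupName $appGroupName |
    Select-Object UserPrincipalName

# A host that is Unavailable or has a stale LastHeartBeat cannot serve the session,
# which is the "no heartbeat" symptom reported after the VM was shut down.
# Assumption: property names follow the classic module's session host objects.
Get-RdsSessionHost -TenantName $tenantName -HostPoolName $hostPoolName |
    Select-Object SessionHostName, Status, AllowNewSession, LastHeartBeat |
    Format-Table -AutoSize
```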

@Christian_Montoya Thanks, I sorted that by assigning the user access, but after deployment I am not able to access the remote session. Last night I shut down the VM and this morning I am getting an error and found no heartbeat.