Error: User is not authorized to query the management service

%3CLINGO-SUB%20id%3D%22lingo-sub-388955%22%20slang%3D%22en-US%22%3EError%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-388955%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20following%20the%20directions%20below%2C%20I%20always%20run%20into%20an%20error%20related%20to%20querying%20the%20management%20service.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Fcreate-host-pools-azure-marketplace%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Fcreate-host-pools-azure-marketplace%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EError%20message%20from%20the%20Azure%20portal%3A%3C%2FP%3E%3CP%3E%22error%22%3A%20%7B%20%22code%22%3A%20%22VMExtensionProvisioningError%22%2C%20%22message%22%3A%20%22VM%20has%20reported%20a%20failure%20when%20processing%20extension%20'dscextension'.%20Error%20message%3A%20%5C%22DSC%20Configuration%20'FirstSessionHost'%20completed%20with%20error(s).%20Following%20are%20the%20first%20few%3A%20PowerShell%20DSC%20resource%20MSFT_ScriptResource%20failed%20to%20execute%20Set-TargetResource%20functionality%20with%20error%20message%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20logged%20in%20as%20a%20user%20that%20in%20the%20global%20admin%20role%20in%20Azure%20AD%2C%20and%20it's%20also%20a%20user%20in%20the%20Windows%20Virtual%20Desktop%20enterprise%20application.%26nbsp%3B%20I've%20consented%20to%20the%20graph%20and%20Azure%20AD%20permissions%20under%20the%20enterprise%20app%20as%20well%2C%20any%20ideas%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-394531%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-394531%22%20slang%3D%22en-US%22%3EMaybe%20it%20helps%20someone%20getting%20WVD%20up%20and%20running%3A%20%3CA%20href%3D%22https%3A%2F%2Ferjenrijnders.nl%2F2019%2F04%2F04%2Fhow-to-deploy-windows-virtual-desktop-in-azure%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Ferjenrijnders.nl%2F2019%2F04%2F04%2Fhow-to-deploy-windows-virtual-desktop-in-azure%2F%3C%2FA%3E%20Using%20the%20service%20principal%20with%20the%20correct%20permissions%20worked%20for%20me.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-391007%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-391007%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F193704%22%20target%3D%22_blank%22%3E%40Christopher%20Anderson%3C%2FA%3E%26nbsp%3B%3A%20Yes%2C%20I%20definitely%20support%20the%20last%20message%2C%20that%20one%20of%20our%20goals%20is%20to%20have%20all%20of%20this%20functionality%20straight%20from%20the%20Azure%20portal%2C%20without%20having%20to%20hop%20around%20everywhere.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThank%20you%20for%20all%20of%20the%20feedback%2C%20and%20keep%20it%20coming!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-390256%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-390256%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F193704%22%20target%3D%22_blank%22%3E%40Christopher%20Anderson%3C%2FA%3E%26nbsp%3B%3A%20Just%20to%20clarify%2C%20the%20%22tenant%20group%22%20name%20should%20always%20be%20%22Default%20Tenant%20Group%22.%20Only%20in%20very%20few%20circumstances%20does%20this%20change.%20But%20yes%2C%20you%20always%20need%20to%20provide%20the%20same%20%22tenant%22%20name%20everywhere%20you%20go.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-390175%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-390175%22%20slang%3D%22en-US%22%3E%3CP%3EI%20was%20able%20to%20work%20around%20this%20issue.%26nbsp%3B%20Here%20is%20what%20I%20noted%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%26nbsp%3B%20Regardless%20of%20account%2C%20you%20don't%20seem%20to%20be%20able%20to%20delete%20existing%20tenant%20groups%20once%20their%20created%20using%20the%20Remove-RdsTenant%20account.%26nbsp%3B%20I%20always%20get%20the%20%22user%20is%20not%20authorized%20to%20query%20the%20management%20service%22%20error%20no%20matter%20what%20I%20do.%3C%2FP%3E%3CP%3E2.%26nbsp%3B%20Also%2C%20one%20of%20the%20steps%20I%20may%20have%20missed%20the%20first%20time%20is%20that%20the%20tenant%20group%20name%20you%20create%20via%20PowerShell%20has%20to%20match%20to%20what%20you%20create%20via%20the%20Azure%20portal.%26nbsp%3B%20After%20creating%20a%20new%20tenant%20group%20in%20Powershell%20separate%20from%20the%20default%20one%2C%20it%20worked%20when%20I%20referenced%20the%20new%20tenant%20group%20name%20in%20the%20Azure%20portal.%26nbsp%3B%20Hopefully%20at%20some%20point%2C%20Microsoft%20will%20have%20an%20end-to-end%20solution%20for%20creating%20the%20tenant%2C%20tenant%20group%20name%2C%20and%20host%20pool%20all%20within%20the%20portal.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-389534%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-389534%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3BI%20checked%20those%20steps%20again%20and%20I'm%20still%20not%20sure%20what%20I'm%20missing.%26nbsp%3B%20I%20reproduced%20the%20error%20outside%20of%20the%20template%20in%20PowerShell%20by%20doing%20the%20following%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%26nbsp%3B%20Created%20a%20new%20user%20account%20in%20Azure%20AD%20and%20put%20it%20in%20the%20TenantCreator%20role%20for%20Windows%20Virtual%20Desktop.%3C%2FP%3E%3CP%3E2.%26nbsp%3B%20Opened%20PowerShell%20as%20an%20admin%2C%20and%20added%20%2F%20logged%20into%20the%20account%20above%20using%20Add-RdsAccount%3C%2FP%3E%3CP%3E3.%26nbsp%3B%20Attempted%20to%20call%20Remove-RdsTenant%20as%20part%20of%20clean%20up%20to%20try%20and%20see%20if%20I%20could%20execute%20the%20template%20from%20scratch%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20857px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F100276i61575B333C2ECC9E%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%222019-03-27%2012_28_22-Administrator_%20Windows%20PowerShell.png%22%20title%3D%222019-03-27%2012_28_22-Administrator_%20Windows%20PowerShell.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-389532%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-389532%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F193704%22%20target%3D%22_blank%22%3E%40Christopher%20Anderson%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20the%20same%20issue%20too%20after%20following%20the%20instructions.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3BNew-RdsTenant%20-Name%20'projectstest'%20-AadTenantId%20xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx%20-AzureSubscriptionId%20xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx%3CBR%20%2F%3ENew-RdsTenant%20%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service.%3CBR%20%2F%3EActivityId%3A%20xxxxxxx-9dec-485a-82ee-xxxxxxxxxxx%3CBR%20%2F%3EPowershell%20commands%20to%20diagnose%20the%20failure%3A%3CBR%20%2F%3EGet-RdsDiagnosticActivities%20-ActivityId%20xxxxxxx-9dec-485a-82ee-xxxxxxxxxx%3CBR%20%2F%3EAt%20line%3A1%20char%3A1%3CBR%20%2F%3E%2B%20New-RdsTenant%20-Name%20'projectstest'%20-AadTenantId%20xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx%20...%3CBR%20%2F%3E%2B%20~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~%3CBR%20%2F%3E%2B%20CategoryInfo%20%3A%20FromStdErr%3A%20(Microsoft.RDInf...nt.NewRdsTenant%3ANewRdsTenant)%20%5BNew-RdsTenant%5D%2C%20RdsPowerSh%3CBR%20%2F%3EellException%3CBR%20%2F%3E%2B%20FullyQualifiedErrorId%20%3A%20UnauthorizedAccess%2CMicrosoft.RDInfra.RDPowershell.Tenant.NewRdsTenant%3CBR%20%2F%3EFollowed%20the%20guide%20here%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Ftenant-setup-azure-active-directory%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Ftenant-setup-azure-active-directory%3C%2FA%3E%3C%2FP%3E%3CP%3ETurned%20off%20MFA%20for%20the%20account.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EGranted%20permissions%20for%20client%20and%20server%20here%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Frdweb.wvd.microsoft.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Frdweb.wvd.microsoft.com%2F%3C%2FA%3E%3C%2FP%3E%3CP%3EGranted%20permissions%20here%20for%20Virtual%20desktop%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Faad.portal.azure.com%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Faad.portal.azure.com%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-389502%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-389502%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F193704%22%20target%3D%22_blank%22%3E%40Christopher%20Anderson%3C%2FA%3E%26nbsp%3B%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F28489%22%20target%3D%22_blank%22%3E%40Patrick%20F%3C%2FA%3E%26nbsp%3B%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F172194%22%20target%3D%22_blank%22%3E%40Seth%20Zwicker%3C%2FA%3E%26nbsp%3B%3A%20The%20reason%20you%20see%20the%20%22User%20is%20not%20authorized%20to%20query%20the%20management%20service%22%20from%20the%20DSC%20extension%20is%20because%20the%20user%20who%20you%20provided%20in%20the%20last%20blade%20(where%20you%20also%20defined%20your%20Windows%20Virtual%20Desktop%20tenant%20name)%20does%20not%20have%20permissions%20in%20the%20tenant%20that%20you%20specified.%20A%20couple%20things%20you%20can%20check%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EDid%20you%20create%20a%20tenant%20from%20these%20steps%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Ftenant-setup-azure-active-directory%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fvirtual-desktop%2Ftenant-setup-azure-active-directory%3C%2FA%3E%26nbsp%3B%3F%3C%2FLI%3E%0A%3CLI%3ECan%20you%20login%20to%20Windows%20Virtual%20Desktop%20with%20the%20username%20you%20provided%20in%20the%20last%20blade%20of%20%3CA%20title%3D%22Windows%20Virtual%20Desktop%20-%20Provision%20a%20host%20pool%22%20href%3D%22https%3A%2F%2Fportal.azure.com%2F%23create%2Frds.wvd-provision-host-poolpreview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20Marketplace%20offering%3C%2FA%3E%2C%20and%20does%20it%20require%20MFA%20to%20login%3F%20If%20that%20account%20does%20require%20MFA%2C%20it%20will%20not%20work%20when%20running%20as%20part%20of%20the%20script%20because%20there's%20no%20UI%20to%20prompt%20you%20for%20that%20second%20factor.%3C%2FLI%3E%0A%3CLI%3EAfter%20logging%20in%20with%20that%20user%20account%2C%20can%20you%20run%20%22Get-RdsTenant%22%20to%20make%20sure%20that%20same%20Windows%20Virtual%20Desktop%20tenant%20shows%20appears%3F%3C%2FLI%3E%0A%3CLI%3EDouble%2Ftriple%20check%20that%20you%20entered%20the%20right%20values%20in%20the%20%3CA%20title%3D%22Windows%20Virtual%20Desktop%20-%20Provision%20a%20host%20pool%22%20href%3D%22https%3A%2F%2Fportal.azure.com%2F%23create%2Frds.wvd-provision-host-poolpreview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20Marketplace%20offering%3C%2FA%3E.%20For%20the%20most%20part%2C%20the%20%3CSTRONG%3EWindows%20Virtual%20Desktop%20tenant%20group%20name%3C%2FSTRONG%3E%20should%20remain%20as%20%22Default%20Tenant%20Group%22%20and%20make%20sure%20to%20enter%20the%20%3CSTRONG%3EWindows%20Virtual%20Desktop%20tenant%20name%3C%2FSTRONG%3E%20you%20created%20earlier%2C%20not%20a%20new%20one.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EThanks%20for%20testing%20and%20your%20patience%20here.%20We're%20compiling%20this%20same%20information%20and%20generating%20a%20Troubleshooting%20guide%20that%20hopefully%20should%20help%20you%20get%20unblocked%20yourself!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-389290%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-389290%22%20slang%3D%22en-US%22%3ECould%20this%20be%20my%20problem%3F%20The%20instructions%20point%20to%20infrastructure%20requirements%20which%20says%20it%20needs%20the%20following%20things.....%3CBR%20%2F%3E-An%20Azure%20Active%20Directory%3CBR%20%2F%3E-A%20Windows%20Server%20Active%20Directory%20in%20sync%20with%20Azure%20Active%20Directory.%3CBR%20%2F%3E-An%20Azure%20subscription%2C%20containing%20a%20virtual%20network%20that%20either%20contains%20or%20is%20connected%20to%20the%20Windows%20Server%20Active%20Directory.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20don't%20have%20a%20local%20ad%20synced%20to%20azure%20ad.%20I%20only%20have%20azure%20ad.%3CBR%20%2F%3EThe%20instructions%20seems%20to%20refer%20that%20you%20need%20all%20of%20it.%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-389180%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-389180%22%20slang%3D%22en-US%22%3EI'm%20getting%20the%20exact%20same%20thing.%20Any%20news%20or%20updates%20on%20this%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-389127%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-389127%22%20slang%3D%22en-US%22%3EI%20have%20the%20same%20problem.%20Does%20anyone%20have%20some%20ideas%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-426101%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-426101%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F35253%22%20target%3D%22_blank%22%3E%40Erjen%20Rijnders%3C%2FA%3E%2C%26nbsp%3Bfirstly%20thank%20you%20for%20pulling%20together%20that%20post%20and%20the%20associated%20PowerShell.%20It%20certainly%20makes%20the%20first%20steps%20for%20setting%20up%20WVD%20easier.%20However%2C%20my%20efforts%20in%20this%20are%20still%20failing%20on%20that%20last%20step%20in%20the%20Azure%20deployment%20%2Fdscextension%20with%20the%20error%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%22%3CSPAN%3E%3CSPAN%20class%3D%22Apple-converted-space%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3EPowerShell%20DSC%20resource%20MSFT_ScriptResource%3CSPAN%3E%3CSPAN%20class%3D%22Apple-converted-space%22%3E%26nbsp%3B%20%3C%2FSPAN%3E%3C%2FSPAN%3Efailed%20to%20execute%20Set-TargetResource%20functionality%20with%20error%20message%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service.%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20wondering%20exactly%20what%20the%20step%20is%20doing%3F%20I've%20remoted%20on%20to%20the%20VM%20which%20gets%20created%20and%20tired%20trawling%20through%20the%20event%20logs%20but%20there%20are%20no%20more%20details.%20I%20have%20also%20tried%20using%20just%20a%20UPN%20rather%20than%20your%20suggestion%20of%20service%20principle.%20It%20is%20a%20real%20head%20scratcher!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20going%20to%20go%20off%20and%20create%20a%20brand%20new%20AAD%20tenant%20and%20AAD%20DS%20resource%20just%20to%20rule%20out%20anything%20related%20to%20our%20existing%20corporate%20AAD%20tenant.%20Wish%20me%20luck%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-426876%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-426876%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318397%22%20target%3D%22_blank%22%3E%40andrewstollery%3C%2FA%3E%2C%20Thanks%20and%20welcome.%20What%20is%20the%20result%20of%20this%20command%3F%3CBR%20%2F%3EGet-RdsRoleAssignment%3CBR%20%2F%3E%3CBR%20%2F%3EYou%20should%20set%20something%20like%20this.%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20421px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F107547iF5D2043B8BCA6EFF%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22rdsowner.jpg%22%20title%3D%22rdsowner.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEspecially%2C%20the%20appid%20must%20be%20the%20same%20as%20the%20app%20you%20created%20earlier%3A%3CBR%20%2F%3ENew-RdsRoleAssignment%20-RoleDefinitionName%20%22RDS%20Owner%22%20-ApplicationId%20%24svcPrincipal.AppId%20-TenantGroupName%20%24myTenantGroupName%20-TenantName%20%24myTenantName%20-HostPoolName%20%24hostpoolname%3CBR%20%2F%3E%3CBR%20%2F%3EThat%20AppID%20must%20be%20the%20same%20as%20the%20app%20you%20visited%20in%20the%20Azure%20Portal%2C%20creating%20te%20new%20key%20and%20used%20during%20the%20deployment%20of%20the%20Azure%20Marketplace%20WVD%20template.%3CBR%20%2F%3E%3CBR%20%2F%3EAnd%20make%20sure%2C%20that%20the%20user%20you%20are%20using%20joining%20the%20VM's%20to%20the%20domain%2C%20is%20also%20having%20Owner%20access%20on%20the%20Azure%20subscription.%3CBR%20%2F%3EIt%20needs%20to%20be%20able%20to%20run%20PowerShell%20DSC%20on%20the%20VM's.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-427067%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-427067%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F35253%22%20target%3D%22_blank%22%3E%40Erjen%20Rijnders%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHey%20i%20am%20also%20have%20the%20same%20issue%20i%20followed%20both%20the%20microsoft%20guide%20and%20Erjen%20guild%20and%20failing%20on%20the%26nbsp%3B%3CSPAN%3EDSCextension.%20I%20am%20thinking%20the%20problem%20is%20with%26nbsp%3BAADDS.%20Has%20anyone%20made%20it%20work%20with%20AADDS%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CP%20class%3D%221554901958191%22%3Ethanks%3C%2FP%3E%3C%2FBLOCKQUOTE%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-427093%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-427093%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F26347%22%20target%3D%22_blank%22%3E%40Stavros%20Mitchell%3C%2FA%3E%2C%20I%20have%20not%20tested%20with%20AAD%20DS%2C%20but%20from%20what%20I%20know%2C%20in%20the%20preview%20version%20you%20need%20a%20working%20AD%20Connect%2C%20meaning%20that%20you%20can%20only%20use%20an%20onprem%20AD.%20I%20hope%20they%20remove%20it%20from%20the%20production%20version.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-427249%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-427249%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F35253%22%20target%3D%22_blank%22%3E%40Erjen%20Rijnders%3C%2FA%3E%2C%26nbsp%3Bthank%20you%20for%20the%20prompt%20reply.%20Given%20the%20number%20of%20times%20I've%20run%20this%20now%2C%20I%20actually%20get%205%20RoleAssigmentIds%20returned...oops.%20How%20do%20I%20tidy%20those%20up%3F%20Using%20Remove-RdsRoleAssigment%20I%20guess%3F%20I'll%20have%20a%20crack%20at%20that%20later...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20last%20one%20in%20the%20list%20though%20is%20the%20correct%20one%3A%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F107550iE91E6533EF929A01%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22Screenshot%202019-04-10%20at%2014.18.02.png%22%20title%3D%22Screenshot%202019-04-10%20at%2014.18.02.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20guess%20the%20only%20difference%20for%20me%20is%20that%20I%20am%20using%20AAD%20DS%20too%2C%20which%20you%20stated%20below%20is%20not%20supported.%20I'm%20not%20sure%20why%20not%3F%20I%20can%20get%20the%20VM%20to%20join%20the%20AAD%20DS%20domain.%20It%20is%20the%20DSCextension%20step%20which%20fails.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnyhow%2C%20I'll%20do%20some%20tidying%20up%20and%20also%20keep%20progressing%20with%20my%20greenfield%20AAD%2C%20AAD%20DS%20and%20WVD%20deployment.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-427506%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-427506%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318397%22%20target%3D%22_blank%22%3E%40andrewstollery%3C%2FA%3E%2C%20you%20did%20create%20a%20new%20key%20within%20that%20app%20from%20the%20Azure%20Portal%20right%3F%20And%20you%20used%20that%20key%20during%20deployment%20on%20step%204%3F%3C%2FP%3E%3CP%3EAnd%20the%20user%20you%20are%20using%20deploying%20the%20VM's%2C%20does%20have%20owner%20rights%20on%20the%20Azure%20Subscription%3F%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3EI%20agree%20it%20should%20work%2C%20however%20with%20AAD%20DS%20you%20don't%20have%20access%20to%20the%20RPC-service.%20So%20that%20could%20be%20the%20reason%20it%20doesn't%20work.%20But%20still%20curious%20if%20you%20checked%20the%20points%20I%20just%20mentioned.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-427717%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-427717%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318397%22%20target%3D%22_blank%22%3E%40andrewstollery%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20pretty%20sure%20the%20issue%20is%20AADDS.%20I%20think%20i%20will%20set%20up%20a%20VM%20for%20active%20directory%20and%20link%20it%20to%20AADDS%20and%20see%20if%20that%20corrrects%20my%20issue%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-427812%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-427812%22%20slang%3D%22en-US%22%3EHi%20Erjen%2C%3CBR%20%2F%3E%3CBR%20%2F%3EYes%2C%20my%20friend%2C%20I%20created%20my%20service%20principles%20key%20and%20used%20that.%20I%20listened%20to%20everything%20you%20wrote%2C%20you%20know%20what%20you%20are%20doing%20so%20I%20didn't%20want%20to%20assume%20anything%20%3A).%20I%20also%20doubled%20checked%20the%20VM%20deployment%20user%20is%20Owner%20on%20the%20subscription%20and%20it%20is.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20really%20appreciate%20your%20help%20with%20this%2C%20thank%20you%20for%20replying.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-428060%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-428060%22%20slang%3D%22en-US%22%3EAlright%2C%20than%20it%20must%20be%20the%20AAD%20DS%20limitation%20indeed..%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-428796%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-428796%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F26347%22%20target%3D%22_blank%22%3E%40Stavros%20Mitchell%3C%2FA%3E%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20inclined%20to%20agree%20now.%20I've%20finished%20a%20completely%20new%20setup%3A%3C%2FP%3E%3CUL%3E%3CLI%3EAAD%20Tenant%3C%2FLI%3E%3CLI%3EAAD%20DS%20Resource%3C%2FLI%3E%3CLI%3EFollowed%20Erjen's%20excellent%20deployment%20steps%20for%20WVD%3C%2FLI%3E%3C%2FUL%3E%3CP%3EDeployment%20fails%20at%20the%20%2Fdcsextension%26nbsp%3Bstep%20every%20time%20with%20the%20error%20%22%3CSPAN%3EPowerShell%20DSC%20resource%20MSFT_ScriptResource%20failed%20to%20execute%20Set-TargetResource%20functionality%20with%20the%20error%20message%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI'm%20still%20not%20sure%20I%20understand%20why%20WVD%20requires%20a%20full-blown%20ADDS%20domain%20controller%20to%20work%3F%20Perhaps%20a%20Microsoft%20representative%20can%20shed%20some%20light%20on%20this%3F%20Anyway%2C%20just%20like%20you%2C%20I%20am%20not%20prepared%20to%20give%20up!%20%3A)%3C%2Fimg%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3ENext%20step%20is%20to%20deploy%20an%20IaaS%20ADDS%20VM%20and%20use%20AAD%20Connect%20to%20sync%20up%20to%20AAD%20and%20then%20run%20the%20WVD%20setup%20again...watch%20this%20space!%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-428869%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-428869%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318397%22%20target%3D%22_blank%22%3E%40andrewstollery%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAccording%20to%20Microsoft%20Document%3C%2FP%3E%3CP%3E%3CSPAN%3EA%20Windows%20Server%20Active%20Directory%20in%20sync%20with%20Azure%20Active%20Directory.%20This%20can%20be%20enabled%20through%3A%3C%2FSPAN%3E%3C%2FP%3E%3CUL%3E%3CLI%3EAzure%20AD%20Connect%3C%2FLI%3E%3CLI%3EAzure%20AD%20Domain%20Services%3C%2FLI%3E%3C%2FUL%3E%3CP%3EI%20am%20trying%20to%20see%20how%20that%20works%20I%20didn't%20know%20you%20can%20create%20a%20new%20Windows%20Server%20Active%20Directory%20and%20sync%20with%20AADDS.%20I%20have%20always%20used%20AD%20Connect.%20Unless%20i%20am%20misunderstanding%20the%20requirements%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-429027%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-429027%22%20slang%3D%22en-US%22%3EYeah%2C%20I%20was%20after%20the%20why%3F%20%3A)%3C%2Fimg%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-429482%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-429482%22%20slang%3D%22en-US%22%3EMaybe%20check%20if%20there%20is%20a%20conditional%20access%20policy%20applying%20to%20the%20admin%20account%20you%20specified%20in%20the%20deployment%20steps.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-429865%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-429865%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F26347%22%20target%3D%22_blank%22%3E%40Stavros%20Mitchell%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318397%22%20target%3D%22_blank%22%3E%40andrewstollery%3C%2FA%3E%20%3A%20Yes%2C%20you%20would%20always%20use%20Azure%20AD%20Connect%20to%20synchronize%20your%20Windows%20Server%20AD%20up%20to%20Azure%20AD.%20However%2C%20if%20you%20are%20a%20cloud%20organization%20and%20have%20no%20Windows%20Server%20AD%2C%20then%20you%20can%20use%20Azure%20AD%20Domain%20Services%20to%20create%20a%20managed%20Windows%20Server%20AD%20on%20the%20virtual%20network%20that%20would%20have%20the%20same%20users%20as%20your%20Azure%20AD.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20intent%20was%20that%20these%20are%20each%20mechanisms%20that%20will%20allow%20the%20users%20to%20be%20recognized%20both%20%22in%20the%20cloud%22%20and%20%22on-prem%22.%20We%20can%20change%20the%20wording%20to%20make%20that%20more%20clear.%20Open%20to%20suggestions!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-429962%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-429962%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318397%22%20target%3D%22_blank%22%3E%40andrewstollery%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eok%20so%20i%20got%20it%20to%20work%20with%20only%20AADDS%20i%20followed%20this%20guide.%20I%20think%20my%20issue%20was%20the%20users%20i%20was%20putting%20to%20allowe.%20I%20left%20it%20blank%20this%20time%20and%20it%20worked%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22http%3A%2F%2Fwww.rebeladmin.com%2F2019%2F04%2Fstep-step-guide-azure-windows-virtual-desktop-preview%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fwww.rebeladmin.com%2F2019%2F04%2Fstep-step-guide-azure-windows-virtual-desktop-preview%2F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-430513%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-430513%22%20slang%3D%22en-US%22%3E%3CP%3EI%20am%20also%20having%20many%20of%20the%20same%20issues%20covered%20in%20this%20thread%20trying%20to%20deploy%20Windows%20Virtual%20Desktop%20Preview.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20followed%20all%20of%20the%20directions%20linked%20in%20this%20thread%2C%20including%20Erjen's%20very%20useful%20blog%20post%20and%20I%20am%20still%20getting%20the%20dreaded%20%22User%20is%20not%20authorized%20to%20query%20the%20management%20service%22%20failure%20during%20the%20DSCExtension%20part%20of%20the%20deployment.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20deployment%20user%20is%20a%20subscription%20owner%2C%20I%20have%20my%20regular%20AD%20synced%20with%20AAD%20complete%20with%20password%20hash%20sync%2C%20I%20created%20Service%20Principles%20with%20RDS%20Owner%20permissions%2Froles%20and%20used%20the%20APP%20IDs%20and%20Keys%20for%20the%20Tenant%20Admin%20credentials.%20I%20have%20tried%20deploying%20without%20any%20default%20users%20set%2C%20but%20despite%20all%20of%20this%20I%20still%20get%20the%20same%20failure.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20extremely%20frustrating.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-430616%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-430616%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20I%20try%20and%20deploy%20using%20my%20subscription%20owner%20UPN%20for%20the%20Tenant%20Admin%20credentials%20instead%20of%20the%20Service%20principle%20credentials%2C%20I%20get%20a%20different%20error%20on%20the%20DSCExtention%20phase%20of%20the%20deployment...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3E%3CDIV%3E%3CSPAN%3EVM%20has%20reported%20a%20failure%20when%20processing%20extension%20'dscextension'.%20Error%20message%3A%20%5C%5C%5C%22DSC%20Configuration%20'FirstSessionHost'%20completed%20with%20error(s).%20Following%20are%20the%20first%20few%3A%20PowerShell%20DSC%20resource%20MSFT_ScriptResource%20failed%20to%20execute%20Set-TargetResource%20functionality%20with%20error%20message%3A%20One%20or%20more%20errors%20occurred.%20The%20SendConfigurationApply%20function%20did%20not%20succeed%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-431085%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-431085%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318712%22%20target%3D%22_blank%22%3E%40GriffinDodd%3C%2FA%3E%20%3A%20Are%20you%20able%20to%20install%20the%20PowerShell%20locally%20and%20try%20logging%20in%20with%20that%20service%20principal%3F%20Also%2C%20the%20other%20requirement%20for%20the%20service%20principal%20is%20that%20it%20must%20be%20created%20as%20a%20%22Converged%20app%22%20or%20as%20%22multi-tenant%22%20because%20our%20service%20currently%20uses%20a%203rd%20party%20Azure%20AD%20application%20for%20authentication.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-431922%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-431922%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3BI%20created%20the%20service%20principal%20following%20the%20guidelines%20laid%20out%20in%20Erjens%20blog%20post.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20tried%20two%20methods%2C%20one%20where%20you%20create%20the%20tenant%20and%20service%20principle%20as%20illustrated%20in%20Erjen's%20directions%2C%20another%20where%20you%20use%20the%20Managed%20Domain%20as%20the%20tenant%20and%20use%20Managed%20Domain%20admin%20credentials%2C%20both%20give%20the%20same%20errors.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHere%20is%20how%20I%20am%20creating%20the%20tenant...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%24myTenantGroupName%20%3D%20%22Default%20Tenant%20Group%22%3CBR%20%2F%3E%24myTenantName%20%3D%20%22%3CMY%20tenant%3D%22%22%20name%3D%22%22%3E%22%20%23As%20you%20used%20in%20the%20previous%20step%3CBR%20%2F%3E%24hostpoolname%20%3D%20%22%3CMY%20host%3D%22%22%20pool%3D%22%22%20name%3D%22%22%3E%22%3C%2FMY%3E%3C%2FMY%3E%3C%2FP%3E%3CP%3E%23%20create%20the%20service%20principal%3A%3CBR%20%2F%3E%24aadContext%20%3D%20Connect-AzureAD%3CBR%20%2F%3E%24svcPrincipal%20%3D%20New-AzureADApplication%20-AvailableToOtherTenants%20%24true%20-DisplayName%20%22Windows%20Virtual%20Desktop%20Svc%20Principal%22%3CBR%20%2F%3E%24svcPrincipalCreds%20%3D%20New-AzureADApplicationPasswordCredential%20-ObjectId%20%24svcPrincipal.ObjectId%3C%2FP%3E%3CP%3E%23%20Don't%20change%20the%20URL%20below.%3CBR%20%2F%3EAdd-RdsAccount%20-DeploymentUrl%20%22%3CA%20href%3D%22https%3A%2F%2Frdbroker.wvd.microsoft.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Frdbroker.wvd.microsoft.com%3C%2FA%3E%22%3CBR%20%2F%3ESet-RdsContext%20-TenantGroupName%20%24myTenantGroupName%3CBR%20%2F%3ENew-RdsHostPool%20-TenantName%20%24myTenantName%20-name%20%24hostpoolname%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENew-RdsRoleAssignment%20-RoleDefinitionName%20%22RDS%20Owner%22%20-ApplicationId%20%24svcPrincipal.AppId%20-TenantGroupName%20%24myTenantGroupName%20-TenantName%20%24myTenantName%20-HostPoolName%20%24hostpoolname%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-432101%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-432101%22%20slang%3D%22en-US%22%3E%3CP%3EI%20created%20my%20tenant%20like%20this....%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENew-RdsTenant%20-Name%20%3CMY%20tenant%3D%22%22%20name%3D%22%22%3E%20-AadTenantId%20%3CAAD%20id%3D%22%22%3E%20-AzureSubscriptionId%20%3CAZ%20sub%3D%22%22%20id%3D%22%22%3E%3C%2FAZ%3E%3C%2FAAD%3E%3C%2FMY%3E%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E%24myTenantGroupName%20%3D%20%22Default%20Tenant%20Group%22%3CBR%20%2F%3E%24myTenantName%20%3D%20%22%3CMY%20tenant%3D%22%22%20name%3D%22%22%3E%22%20%23As%20you%20used%20in%20the%20previous%20step%3CBR%20%2F%3E%24hostpoolname%20%3D%20%22%3CMY%20pool%3D%22%22%20name%3D%22%22%3E%22%3C%2FMY%3E%3C%2FMY%3E%3C%2FP%3E%3CP%3E%23%20create%20the%20service%20principal%3A%3CBR%20%2F%3E%24aadContext%20%3D%20Connect-AzureAD%3CBR%20%2F%3E%24svcPrincipal%20%3D%20New-AzureADApplication%20-AvailableToOtherTenants%20%24true%20-DisplayName%20%22Windows%20Virtual%20Desktop%20Svc%20Principal%22%3CBR%20%2F%3E%24svcPrincipalCreds%20%3D%20New-AzureADApplicationPasswordCredential%20-ObjectId%20%24svcPrincipal.ObjectId%3C%2FP%3E%3CP%3E%23%20Don't%20change%20the%20URL%20below.%3CBR%20%2F%3EAdd-RdsAccount%20-DeploymentUrl%20%22%3CA%20href%3D%22https%3A%2F%2Frdbroker.wvd.microsoft.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Frdbroker.wvd.microsoft.com%3C%2FA%3E%22%3CBR%20%2F%3ESet-RdsContext%20-TenantGroupName%20%24myTenantGroupName%3CBR%20%2F%3ENew-RdsHostPool%20-TenantName%20%24myTenantName%20-name%20%24hostpoolname%3C%2FP%3E%3CP%3E%3CBR%20%2F%3ENew-RdsRoleAssignment%20-RoleDefinitionName%20%22RDS%20Owner%22%20-ApplicationId%20%24svcPrincipal.AppId%20-TenantGroupName%20%24myTenantGroupName%20-TenantName%20%24myTenantName%20-HostPoolName%20%24hostpoolname%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-432198%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-432198%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3BSee%20above%20regarding%20Tenant%20and%20Service%20Principal%20creation.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOn%20trying%20to%20log%20in%20to%20Azure%20with%20the%20service%20principal%20I%20seem%20to%20be%20able%20to%20log%20in%20and%20see%20the%20Account%20ID%2C%20a%20blank%20subscriptionName%20(%3F%3F%3F%3F)%2C%20TenantID%20and%20Environment%20listed%20as%20AzureCloud%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-432885%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-432885%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3BI%20recreated%20the%20RDS%20Owner%20role%20for%20the%20Service%20Principle%20Tenant%2C%20and%20I%20still%20get%20this%20error...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3E%3CDIV%3E%3CSPAN%3EDSC%20Configuration%20'FirstSessionHost'%20completed%20with%20error(s).%20Following%20are%20the%20first%20few%3A%20PowerShell%20DSC%20resource%20MSFT_ScriptResource%20failed%20to%20execute%20Set-TargetResource%20functionality%20with%20error%20message%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-434635%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-434635%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318712%22%20target%3D%22_blank%22%3E%40GriffinDodd%3C%2FA%3E%26nbsp%3BDid%20you%20run%20the%26nbsp%3BAdd-RdsAccount%20command%3F%20To%20run%20using%20Service%20Principal%20credentials%20I%20run%20the%20command%3A%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAdd-RdsAccount%20-DeploymentUrl%20%22%3CA%20href%3D%22https%3A%2F%2Frdbroker.wvd.microsoft.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Frdbroker.wvd.microsoft.com%3C%2FA%3E%22%20-ServicePrincipal%20-AadTenantId%20%22%5Badd-your-id%5D%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThen%20enter%20the%20Service%20Principal%20AppId%20and%20password.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3ERunning%20get-rdscontext%20should%20then%20show%20the%20username%20as%20ServicePrincipal.%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-438498%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-438498%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F286984%22%20target%3D%22_blank%22%3E%40tilikumtim%3C%2FA%3E%26nbsp%3BI%20went%20through%20the%20steps%20you%20provided%2C%20however%20my%20username%20is%20returned%20as%20blank%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPS%20C%3A%5CWINDOWS%5Csystem32%26gt%3B%20get-rdscontext%3C%2FP%3E%3CP%3EDeploymentUrl%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3BTenantGroupName%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20UserName%3CBR%20%2F%3E-------------%20---------------%20--------%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Frdbroker.wvd.microsoft.com%26nbsp%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Frdbroker.wvd.microsoft.com%26nbsp%3B%3C%2FA%3E%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20Default%20Tenant%20Group%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20role%20assignment%20looks%20like%20this..%3CBR%20%2F%3E%3CBR%20%2F%3ERoleAssignmentId%20%3A%20xxxxx-xxxx-xxxx-xxxx-xxxxxxx%3CBR%20%2F%3EScope%20%3A%20%2FDefault%20Tenant%20Group%2FLMRVVDTENANT%2FLMRVpoolname%3CBR%20%2F%3ETenantGroupName%20%3A%20Default%20Tenant%20Group%3CBR%20%2F%3ETenantName%20%3A%20LMRVVDTENANT%3CBR%20%2F%3EHostPoolName%20%3A%20LMRVpoolname%3CBR%20%2F%3EDisplayName%20%3A%3CBR%20%2F%3ESignInName%20%3A%3CBR%20%2F%3EGroupObjectId%20%3A%3CBR%20%2F%3EAADTenantId%20%3A%3CBR%20%2F%3EAppId%20%3A%20xxxxx-xxxx-xxxx-xxxx-xxxxxxx%3CBR%20%2F%3ERoleDefinitionName%20%3A%20RDS%20Owner%3CBR%20%2F%3ERoleDefinitionId%20%3A%20xxxxx-xxxx-xxxx-xxxx-xxxxxxx%3CBR%20%2F%3EObjectId%20%3A%20xxxxx-xxxx-xxxx-xxxx-xxxxxxx%3CBR%20%2F%3EObjectType%20%3A%20ServicePrincipal%3CBR%20%2F%3EItem%20%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20inspected%20the%20Manifest%20for%20my%20Svc%20Principal%20and%20noticed%20on%20line%202%20that%20the%20appRoles%20value%20was%20empty%2C%20is%20that%20correct%3F%20Should%20it%20read%20%22RDS%20Owner%22%20%3F%3F%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-439069%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-439069%22%20slang%3D%22en-US%22%3E%3CP%3EAfter%20completely%20remaking%20my%20Tenant%20and%20Service%20Principal%20I%20was%20finally%20able%20to%20to%20get%20a%20successful%20deployment%20using%20my%20UPN%20rather%20than%20AppID%20and%20secret.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%20now%2C%20I%20see%20two%20Session%20Desktops%20(with%20no%20icon)%20in%20my%20rdweb%20feed%2C%20double%20clicking%20either%20of%20them%20errors%20out%20trying%20to%20launch%20an%20rdp%20file%20at%20an%20invalid%20path%20local%20path%20on%20my%20PC.%20Instead%20of%20having%20my%20proper%20name%20of%20%22xxx%20xxx%20Dodd%22%20(my%20user%20folder)%20at%20the%20beginning%20of%20the%20path%2C%20it%20simply%20has%20%22Dodd%22%20so%20obviously%20it%20cannot%20find%20the%20RDP%20file.%20When%20I%20drill%20down%20to%20where%20the%20RDP%20files%20are%20stored%20(along%20with%20their%20icons)%20and%20try%20and%20manually%20launch%20them%20with%20the%20remote%20desktop%20app%20the%20connection%20also%20fails%20with%20the%20error%3CBR%20%2F%3E%3CBR%20%2F%3E%22The%20RDP%20file%20provided%20is%20invalid.%20Make%20sure%20the%20file%20contains%20the%20full%20address%20and%20is%20formatted%20properly%20or%20contact%20your%20admin%20for%20help%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%20when%20in%20Office%20365%2C%20launching%20the%20'Windows%20Virtual%20Desktop'%20app%20resolves%20to%20an%20invalid%20URL%20after%20first%20trying%20to%20hit%20a%20session%20at%20account.activedirectory.windowsazure.com%2Fapplications%2Fsignin%2Fxxxxxx%20and%20ends%20at%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fmrs-prod.ame.gbl%2Fmrs-RDInfra-prod%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fmrs-prod.ame.gbl%2Fmrs-RDInfra-prod%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-439297%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-439297%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20been%20able%20to%20successfully%20connect%20through%20the%20web%20client%20at%26nbsp%3B%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Frdweb.wvd.microsoft.com%2Fwebclient%2Findex.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Frdweb.wvd.microsoft.com%2Fwebclient%2Findex.html%3C%2FA%3E%3C%2FP%3E%3CP%3Ealthough%20I%20still%20see%20the%20ghost%20'session%20desktop'%20icon%20in%20my%20feed%20from%20previous%20failed%20deployment%20attempts%2C%20so%20I%20need%20to%20find%20a%20way%20to%20kill%20that%20as%20that%20doesn't%20work.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20progress!!!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-442058%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-442058%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318712%22%20target%3D%22_blank%22%3E%40GriffinDodd%3C%2FA%3E%26nbsp%3B%3A%20You%20can%20remove%20that%20extra%20%22session%20desktop%22%20by%20finding%20that%20host%20pool%20and%20app%20group%2C%20and%20running%20%22Remove-RdsAppGroupUser%22.%20You%20can%20then%20also%20remove%20the%20app%20group%20(Remove-RdsAppGroup)%20and%20host%20pool%20(Remove-RdsHostPool).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-442066%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-442066%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318712%22%20target%3D%22_blank%22%3E%40GriffinDodd%3C%2FA%3E%26nbsp%3B%3A%20Currently%2C%20when%20running%20service%20principal%2C%20the%20name%20does%20not%20come%20up.%20We%20are%20tracking%20this.%20However%2C%20it%20does%20show%20correctly%20that%20it%20is%20an%20RDS%20Owner%20(if%20you%20look%20at%20RoleDefinitionName.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-448189%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20Unable%20to%20join%20domain%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-448189%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20All%2C%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20deployment%20is%20unable%20to%20join%20ADDS%20domain.%3C%2FP%3E%3CP%3EI%20continue%20to%20get%20this%20error%2C%20not%20sure%20why%20as%20I%20am%20able%20to%20spin%20up%20a%20VM%20on%20the%20VNet%20and%20join%20domain%20manually.%20The%20user%20is%20in%20AAD%20DC%20admin%20group.%20Am%20I%20missing%20something%20here%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%7B%20%22code%22%3A%20%22VMExtensionProvisioningError%22%2C%20%22message%22%3A%20%22VM%20has%20reported%20a%20failure%20when%20processing%20extension%20'joindomain'.%20Error%20message%3A%20%5C%22Exception(s)%20occured%20while%20joining%20Domain%20'....onmicrosoft.com%20'%5C%22.%22%20%7D%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-448238%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20Unable%20to%20join%20domain%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-448238%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318001%22%20target%3D%22_blank%22%3E%40heng008%3C%2FA%3E%26nbsp%3B%3A%20If%20you%20can%20get%20to%20the%20VM%20(either%20through%20a%20public%20IP%20address%20or%20by%20connecting%20through%20another%20VM%20on%20the%20network)%2C%20you%20should%20be%20able%20to%20check%20out%20the%20errors%20from%20the%20domainJoin%20extension%20log.%20It%20would%20be%20under%20C%3A%5CPackages%5C%20and%20there%20should%20be%20a%20folder%20for%20domainJoin.%20There%20should%20be%20a%20log%20(or%20a%20.status)%20file%20down%20in%20that%20folder%20that%20should%20explicitly%20say%20what%20the%20error%20is.%20(This%20is%20an%20extension%20we%20don't%20manage%2C%20but%20use%2C%20so%20that's%20why%20I'm%20uncertain%20of%20exact%20file%20location.)%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-448356%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-448356%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3Bcould%20you%20explain%20how%20to%20do%20this%2C%20I'm%20not%20much%20of%20a%20powershell%20ninja%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-448966%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-448966%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20suffered%20from%20this%20not%20matter%20what%20I%20have%20tried%20I%20have%20tried%20every%20step%20even%20with%20someone%20watching%20over%20my%20should%20and%20double%20checkin%20my%20work.%20%26nbsp%3B%20Must%20have%20tried%20and%20failed%2040%20times%2C%20and%20that%20included%20rebuilding%20a%20new%20principle%20tearing%20down%20tenants%20etc...%20%26nbsp%3BI%20was%20doing%20it%20because%20our%20domains%20have%20MFA.%20%26nbsp%3BI%20finally%20said%20I%20am%20just%20going%20to%20try%20that%20link%20that%20says%20to%20Create%20Host%20Pool%20with%20Powershell.%20%26nbsp%3BWas%20done%20in%2015%20minutes....%20%26nbsp%3BThe%20SPN%2FAPP%20needs%20help.%20%26nbsp%3BAlso%2C%20order%20of%20Docs%20seems%20very%20off%20to%20me.%20%26nbsp%3BLink%20to%20PowerShell%20build%20of%20Hostpool%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fvirtual-desktop%2Fcreate-host-pools-powershell%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ECreate%20a%20host%20pool%20with%20PowerShell%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F193704%22%20target%3D%22_blank%22%3E%40Christopher%20Anderson%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-468489%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-468489%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318430%22%20target%3D%22_blank%22%3E%40ccbrownkc%3C%2FA%3E%26nbsp%3B%3A%20What%20would%20be%20the%20preferred%20order%20to%20help%20complete%20the%20onboarding%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-691778%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-691778%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F35253%22%20target%3D%22_blank%22%3E%40Erjen%20Rijnders%3C%2FA%3E%26nbsp%3Bwrote%3A%3CP%3EAnd%20make%20sure%2C%20that%20the%20user%20you%20are%20using%20joining%20the%20VM's%20to%20the%20domain%2C%20is%20also%20having%20Owner%20access%20on%20the%20Azure%20subscription.%3CBR%20%2F%3EIt%20needs%20to%20be%20able%20to%20run%20PowerShell%20DSC%20on%20the%20VM's.%3C%2FP%3E%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F35253%22%20target%3D%22_blank%22%3E%40Erjen%20Rijnders%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDo%20you%20have%20any%20pointers%20to%20this%3F%20I%20have%20not%20seen%20this%20mentioned%20anywhere%20else%2C%20and%20I%20am%20not%20satisfied%20with%20having%20a%20local%20AD%20user%20have%20owner%20rights%20on%20a%20subscription.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20other%20reasons%20I%20am%20going%20to%20remove%20my%20WVD%20setup%20and%20start%20over%2C%20and%20I%20want%20to%20be%20sure%20to%20do%20every%20little%20bit%20right%20this%20time%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-691780%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-691780%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CBLOCKQUOTE%3E%3CHR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F35253%22%20target%3D%22_blank%22%3E%40Erjen%20Rijnders%3C%2FA%3E%26nbsp%3Bwrote%3A%3CP%3EAnd%20make%20sure%2C%20that%20the%20user%20you%20are%20using%20joining%20the%20VM's%20to%20the%20domain%2C%20is%20also%20having%20Owner%20access%20on%20the%20Azure%20subscription.%3CBR%20%2F%3EIt%20needs%20to%20be%20able%20to%20run%20PowerShell%20DSC%20on%20the%20VM's.%3C%2FP%3E%3CHR%20%2F%3E%3C%2FBLOCKQUOTE%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F35253%22%20target%3D%22_blank%22%3E%40Erjen%20Rijnders%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDo%20you%20have%20any%20pointers%20to%20this%3F%20I%20have%20not%20seen%20this%20mentioned%20anywhere%20else%2C%20and%20I%20am%20not%20satisfied%20with%20having%20a%20local%20AD%20user%20have%20owner%20rights%20on%20a%20subscription.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20other%20reasons%20I%20am%20going%20to%20remove%20my%20WVD%20setup%20and%20start%20over%2C%20and%20I%20want%20to%20be%20sure%20to%20do%20every%20little%20bit%20right%20this%20time%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-691916%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-691916%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F360177%22%20target%3D%22_blank%22%3E%40Oletho%3C%2FA%3E%26nbsp%3BI%20think%20it%20was%20in%20the%20Microsoft%20docs%20at%20first%20but%20not%20sure.%20But%20at%20least%20you%20can%20try%20it%20for%20testing%20purposes%20en%20take%20away%20the%20permissions%20later.%20The%20deployment%20of%20WVD%20won't%20tell%20you%20if%20you%20have%20not%20enough%20permissions%20on%20your%20subscription.%20But%20I%20think%20the%20%22%3CEM%3EVirtual%20Machine%20Contributor%22%26nbsp%3B%3C%2FEM%3Erole%20should%20work%20too.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-693097%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-693097%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F360177%22%20target%3D%22_blank%22%3E%40Oletho%3C%2FA%3E%26nbsp%3B%3A%20The%20local%20AD%20user%20that%20will%20domain-join%20the%20VMs%20does%20not%20need%20to%20have%20any%20Azure%20permissions%20(my%20test%20tenant%20certainly%20does%20not).%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-694045%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-694045%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3Bthen%20how%20is%20it%20able%20to%20push%20PowerShell%20DSC%20commands%3F%20You%20need%20permissions%20on%20your%20Azure%20tenant.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-694556%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-694556%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70174%22%20target%3D%22_blank%22%3E%40Erjen%20Rijnders%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20hostpool%20succeeded%2C%20domain%20joining%20with%20a%20local%20AD%20user%20(not%20AAD%20sync'ed)%20with%20no%20permissions%20but%20joining%20computers%20to%20my%20local%20AD.%20Exactly%20the%20behaviour%20I%20was%20hoping%20for.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20cannot%20tell%20about%20the%20PS%20DSC%20question%2C%20but%20all%20lights%20are%20green%20and%20I%20take%20that%20as%20a%20good%20sign.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-698451%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-698451%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F70174%22%20target%3D%22_blank%22%3E%40Erjen%20Rijnders%3C%2FA%3E%26nbsp%3B%3A%20The%20permission%20to%20retrieve%20and%20run%20DSC%20is%20authorized%20when%20you%20run%20the%20template.%20Afterwards%2C%20as%20long%20as%20the%20VM%20can%20reach%20out%20and%20download%20the%20DSC%20package%2C%20it%20will%20run%20it%20(not%20exactly%20sure%20if%20it%20runs%20in%20the%20context%20of%20the%20local%20admin%20or%20the%20Azure%20VM%20Agent).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-981808%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-981808%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20tried%20so%20many%20different%20ways%20and%20nothing%20works.%20I%20noticed%20you%20said%20if%20the%20user%20account%20have%20MFA%20the%20script%20wont%20work.%20Is%20this%20the%20same%20case%20for%20an%20ad%20domain-join%20error%20when%20deploying%20a%20hostpool%3F%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1018253%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1018253%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3BI%20am%20having%20the%20same%20issue.%20I%20am%20using%20the%20default%20name%20for%20the%20group.%20I%20am%20using%20admin%20account%20with%20global%20enterprise%20right.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F157935iA4B688CDC133E9E3%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_0.jpeg%22%20title%3D%22clipboard_image_0.jpeg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1018271%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1018271%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F445329%22%20target%3D%22_blank%22%3E%40Masoud515%3C%2FA%3E%26nbsp%3B%3A%20Does%20that%20user%20have%20a%20valid%20role%20assignment%3F%20Can%20you%20run%26nbsp%3B%3CSTRONG%3EGet-RdsRoleAssignment%3C%2FSTRONG%3E%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1202201%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1202201%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F193704%22%20target%3D%22_blank%22%3E%40Christopher%20Anderson%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20had%20an%20exactly%20same%20issue%20before%20(getting%20an%20Error%20message%20of%20%22Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%2C%2C%2C%2C%2C%22%20)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20I%20got%20a%20fixe%20on%20this%20issue%20by%20running%20this%20extra%20powershell%20command%20below%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%223%22%3E%3CSPAN%3EGet-RdsDiagnosticActivities%20%3C%2FSPAN%3E%3CSPAN%3E-%3C%2FSPAN%3E%3CSPAN%3ETenantName%20%3C%2FSPAN%3E%3CSPAN%3E%26lt%3B%3C%2FSPAN%3E%3CSPAN%3Eyour%20tenant%20name%3C%2FSPAN%3E%3CSPAN%3E%26gt%3B%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1253286%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1253286%22%20slang%3D%22en-US%22%3E%3CP%3EWhat%20worked%20for%20me%20in%20a%20lab%20environment%3A%3C%2FP%3E%3CP%3EI%20had%20one%20user%20that%20is%20the%20one%20I%20registered%20Azure%20with%2C%20and%20a%20new%20administrator%20account%20for%20all%20activities.%3C%2FP%3E%3CP%3EThe%20administrator%20had%20all%20roles%2C%20but%20not%20the%20assignment%20TenantCreator.%20So%20I%20added%20this%20to%20the%20administrator.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEnterprise%20applications%20%26gt%3B%20Virtual%20desktop%20%26gt%3B%20users%20and%20groups%20%26gt%3B%20add%20user%20%26gt%3B%20select%20on%20the%20right%20side%20godzilla%20%26gt%3B%20tenantcreator%20(was%20selected%20by%20default%20-%20lab...)%26nbsp%3B%20%26gt%3B%20next%20%26gt%3B%20finish%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYou%20need%20to%20login%20again%20to%20apply%26nbsp%3B%3C%2FP%3E%3CP%3EOpen%20a%20new%20Powershell%3C%2FP%3E%3CP%3ELogin%20with%3C%2FP%3E%3CP%3EAdd-RdsAccount%20-deploymenturl%20%22%3CA%20href%3D%22https%3A%2F%2Frdbroker.wvd.microsoft.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Frdbroker.wvd.microsoft.com%3C%2FA%3E%22%3CBR%20%2F%3Erun%26nbsp%3B%3CBR%20%2F%3ENew-RdsTenant%20-Name%20%3CTENANTNAME%3E%20-AadTenantId%20%3CAADTENANTID%3E%20-AzureSubscriptionID%20%3CAZURESUBSCRIPTIONID%3E%3C%2FAZURESUBSCRIPTIONID%3E%3C%2FAADTENANTID%3E%3C%2FTENANTNAME%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1268274%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1268274%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20everyone%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20confirm%20that%20I%20have%20the%20same%20error%20when%20using%20a%20service%20principal%20in%20an%20Azure%20AD%20DS%20environment.%3C%2FP%3E%3CP%3EWe%20didn't%20have%20the%20issue%20with%20an%20AD%20DS%20DC%20installed%20on%20a%20VM%2C%20it%20is%20the%20only%20difference%20I%20have%20noticed%20between%20both%20configuration.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20don't%20know%20if%20it%20can%20help%20but%20I%20have%20noticed%20that%20when%20authenticating%20with%20the%20Service%20Principal%20I%20can%20only%20see%20the%20Service%20Principal%20role%20assignment.%20With%20my%20user%20account%20I%20do%20see%20all%20role%20assignments%20even%20if%20we%20both%20have%20the%20%22RDS%20Owner%22%20role.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20the%20left%2C%20my%20user%20account%2C%20in%20the%20right%20my%20service%20principal.%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Jamesdld_0-1585666764300.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F180906iC247160CAFB13A25%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22Jamesdld_0-1585666764300.png%22%20alt%3D%22Jamesdld_0-1585666764300.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%2C%3C%2FP%3E%3CP%3EJames%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1270362%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1270362%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F318712%22%20target%3D%22_blank%22%3E%40GriffinDodd%3C%2FA%3E%26nbsp%3Bmy%20deployment%20was%20successful%20and%26nbsp%3B%20I%20cannot%20see%20any%20deployed%20resources%20on%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Frdweb.wvd.microsoft.com%2Fwebclient%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Frdweb.wvd.microsoft.com%2Fwebclient%3C%2FA%3E%26nbsp%3Bbut%20I%20can%20access%20the%20WVD%20VM%20through%20RDP%20login%20which%20got%20deployed%20through%20WVD%20setup.%20please%20suggest.%20I%20used%20same%20user%20with%20Global%20Admin%20access%20of%20AD%20and%20also%20assigned%20the%20tenant%20creator%20permissions.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1270364%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1270364%22%20slang%3D%22en-US%22%3Echristianmontoya%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1271969%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1271969%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F602201%22%20target%3D%22_blank%22%3E%40chhabrag%3C%2FA%3E%26nbsp%3B%3A%20Did%20you%20assign%20the%20user%20to%20the%20application%20group%20(Add-RdsAppGroupUser)%3F%20This%20is%20the%20action%20that%20assigns%20to%20the%20user%20and%20makes%20it%20visible%20in%20whichever%20client%20you%20use.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1273312%22%20slang%3D%22en-US%22%3ERe%3A%20Error%3A%20User%20is%20not%20authorized%20to%20query%20the%20management%20service%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1273312%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F305776%22%20target%3D%22_blank%22%3E%40christianmontoya%3C%2FA%3E%26nbsp%3B%20Thanks%20I%20sorted%20that%20by%20assigning%20the%20user%20access%20but%20after%20deployment%20not%20able%20to%20access%20remote%20session%20and%20last%20night%20I%20shutdown%20the%20VM%20and%20today%20morning%20getting%20error%20and%20found%20no%20heartbeat.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

When following the directions below, I always run into an error related to querying the management service.

 

https://docs.microsoft.com/en-us/azure/virtual-desktop/create-host-pools-azure-marketplace

 

Error message from the Azure portal:

"error": { "code": "VMExtensionProvisioningError", "message": "VM has reported a failure when processing extension 'dscextension'. Error message: \"DSC Configuration 'FirstSessionHost' completed with error(s). Following are the first few: PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with error message: User is not authorized to query the management service.

 

I'm logged in as a user that in the global admin role in Azure AD, and it's also a user in the Windows Virtual Desktop enterprise application.  I've consented to the graph and Azure AD permissions under the enterprise app as well, any ideas?

59 Replies
Highlighted
I have the same problem. Does anyone have some ideas?
Highlighted
I'm getting the exact same thing. Any news or updates on this?
Highlighted
Could this be my problem? The instructions point to infrastructure requirements which says it needs the following things.....
-An Azure Active Directory
-A Windows Server Active Directory in sync with Azure Active Directory.
-An Azure subscription, containing a virtual network that either contains or is connected to the Windows Server Active Directory.

I don't have a local ad synced to azure ad. I only have azure ad.
The instructions seems to refer that you need all of it.
Highlighted

@Christopher Anderson , @Patrick F , @Seth Zwicker : The reason you see the "User is not authorized to query the management service" from the DSC extension is because the user who you provided in the last blade (where you also defined your Windows Virtual Desktop tenant name) does not have permissions in the tenant that you specified. A couple things you can check:

  • Did you create a tenant from these steps: https://docs.microsoft.com/azure/virtual-desktop/tenant-setup-azure-active-directory ?
  • Can you login to Windows Virtual Desktop with the username you provided in the last blade of Azure Marketplace offering, and does it require MFA to login? If that account does require MFA, it will not work when running as part of the script because there's no UI to prompt you for that second factor.
  • After logging in with that user account, can you run "Get-RdsTenant" to make sure that same Windows Virtual Desktop tenant shows appears?
  • Double/triple check that you entered the right values in the Azure Marketplace offering. For the most part, the Windows Virtual Desktop tenant group name should remain as "Default Tenant Group" and make sure to enter the Windows Virtual Desktop tenant name you created earlier, not a new one.

Thanks for testing and your patience here. We're compiling this same information and generating a Troubleshooting guide that hopefully should help you get unblocked yourself!

Highlighted

@Christopher Anderson 

 

I have the same issue too after following the instructions.

 

 New-RdsTenant -Name 'projectstest' -AadTenantId xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx -AzureSubscriptionId xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
New-RdsTenant : User is not authorized to query the management service.
ActivityId: xxxxxxx-9dec-485a-82ee-xxxxxxxxxxx
Powershell commands to diagnose the failure:
Get-RdsDiagnosticActivities -ActivityId xxxxxxx-9dec-485a-82ee-xxxxxxxxxx
At line:1 char:1
+ New-RdsTenant -Name 'projectstest' -AadTenantId xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : FromStdErr: (Microsoft.RDInf...nt.NewRdsTenant:NewRdsTenant) [New-RdsTenant], RdsPowerSh
ellException
+ FullyQualifiedErrorId : UnauthorizedAccess,Microsoft.RDInfra.RDPowershell.Tenant.NewRdsTenant
Followed the guide here https://docs.microsoft.com/en-us/azure/virtual-desktop/tenant-setup-azure-active-directory

Turned off MFA for the account.


Granted permissions for client and server here https://rdweb.wvd.microsoft.com/

Granted permissions here for Virtual desktop https://aad.portal.azure.com

Highlighted

@christianmontoya I checked those steps again and I'm still not sure what I'm missing.  I reproduced the error outside of the template in PowerShell by doing the following:

 

1.  Created a new user account in Azure AD and put it in the TenantCreator role for Windows Virtual Desktop.

2.  Opened PowerShell as an admin, and added / logged into the account above using Add-RdsAccount

3.  Attempted to call Remove-RdsTenant as part of clean up to try and see if I could execute the template from scratch2019-03-27 12_28_22-Administrator_ Windows PowerShell.png

Highlighted

I was able to work around this issue.  Here is what I noted:

 

1.  Regardless of account, you don't seem to be able to delete existing tenant groups once their created using the Remove-RdsTenant account.  I always get the "user is not authorized to query the management service" error no matter what I do.

2.  Also, one of the steps I may have missed the first time is that the tenant group name you create via PowerShell has to match to what you create via the Azure portal.  After creating a new tenant group in Powershell separate from the default one, it worked when I referenced the new tenant group name in the Azure portal.  Hopefully at some point, Microsoft will have an end-to-end solution for creating the tenant, tenant group name, and host pool all within the portal. 

@Christopher Anderson : Just to clarify, the "tenant group" name should always be "Default Tenant Group". Only in very few circumstances does this change. But yes, you always need to provide the same "tenant" name everywhere you go.

Highlighted

@Christopher Anderson : Yes, I definitely support the last message, that one of our goals is to have all of this functionality straight from the Azure portal, without having to hop around everywhere.

 

Thank you for all of the feedback, and keep it coming!

Highlighted
Maybe it helps someone getting WVD up and running: https://erjenrijnders.nl/2019/04/04/how-to-deploy-windows-virtual-desktop-in-azure/ Using the service principal with the correct permissions worked for me.
Highlighted

@Erjen Rijnders, firstly thank you for pulling together that post and the associated PowerShell. It certainly makes the first steps for setting up WVD easier. However, my efforts in this are still failing on that last step in the Azure deployment /dscextension with the error:

 

" PowerShell DSC resource MSFT_ScriptResource  failed to execute Set-TargetResource functionality with error message: User is not authorized to query the management service."

 

I'm wondering exactly what the step is doing? I've remoted on to the VM which gets created and tired trawling through the event logs but there are no more details. I have also tried using just a UPN rather than your suggestion of service principle. It is a real head scratcher!

 

I'm going to go off and create a brand new AAD tenant and AAD DS resource just to rule out anything related to our existing corporate AAD tenant. Wish me luck :)

Highlighted

Hi @andrewstollery, Thanks and welcome. What is the result of this command?
Get-RdsRoleAssignment

You should set something like this.

rdsowner.jpg

 

Especially, the appid must be the same as the app you created earlier:
New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -ApplicationId $svcPrincipal.AppId -TenantGroupName $myTenantGroupName -TenantName $myTenantName -HostPoolName $hostpoolname

That AppID must be the same as the app you visited in the Azure Portal, creating te new key and used during the deployment of the Azure Marketplace WVD template.

And make sure, that the user you are using joining the VM's to the domain, is also having Owner access on the Azure subscription.
It needs to be able to run PowerShell DSC on the VM's.

Highlighted

@Erjen Rijnders 

 

Hey i am also have the same issue i followed both the microsoft guide and Erjen guild and failing on the DSCextension. I am thinking the problem is with AADDS. Has anyone made it work with AADDS?

 


thanks

Highlighted

@Stavros Mitchell, I have not tested with AAD DS, but from what I know, in the preview version you need a working AD Connect, meaning that you can only use an onprem AD. I hope they remove it from the production version.

Highlighted

Hi @Erjen Rijnders, thank you for the prompt reply. Given the number of times I've run this now, I actually get 5 RoleAssigmentIds returned...oops. How do I tidy those up? Using Remove-RdsRoleAssigment I guess? I'll have a crack at that later...

 

The last one in the list though is the correct one:

Screenshot 2019-04-10 at 14.18.02.png

 

I guess the only difference for me is that I am using AAD DS too, which you stated below is not supported. I'm not sure why not? I can get the VM to join the AAD DS domain. It is the DSCextension step which fails.

 

Anyhow, I'll do some tidying up and also keep progressing with my greenfield AAD, AAD DS and WVD deployment.

Highlighted

@andrewstollery, you did create a new key within that app from the Azure Portal right? And you used that key during deployment on step 4?

And the user you are using deploying the VM's, does have owner rights on the Azure Subscription?

I agree it should work, however with AAD DS you don't have access to the RPC-service. So that could be the reason it doesn't work. But still curious if you checked the points I just mentioned.

Highlighted

@andrewstollery 

 

I am pretty sure the issue is AADDS. I think i will set up a VM for active directory and link it to AADDS and see if that corrrects my issue

 

Highlighted
Hi Erjen,

Yes, my friend, I created my service principles key and used that. I listened to everything you wrote, you know what you are doing so I didn't want to assume anything :). I also doubled checked the VM deployment user is Owner on the subscription and it is.

I really appreciate your help with this, thank you for replying.

Highlighted
Alright, than it must be the AAD DS limitation indeed..