Forum Discussion
Error: User is not authorized to query the management service
I was able to work around this issue. Here is what I noted:
1. Regardless of account, you don't seem to be able to delete existing tenant groups once they're created using the Remove-RdsTenant account. I always get the "user is not authorized to query the management service" error no matter what I do.
2. Also, one of the steps I may have missed the first time is that the tenant group name you create via PowerShell has to match what you create via the Azure portal. After creating a new tenant group in PowerShell separate from the default one, it worked when I referenced the new tenant group name in the Azure portal. Hopefully at some point, Microsoft will have an end-to-end solution for creating the tenant, tenant group name, and host pool all within the portal.
Christopher Anderson: Yes, I definitely support the last message, that one of our goals is to have all of this functionality straight from the Azure portal, without having to hop around everywhere.
Thank you for all of the feedback, and keep it coming!
- Erjen Rijnders, Apr 04, 2019, Copper Contributor:
Maybe it helps someone getting WVD up and running: https://erjenrijnders.nl/2019/04/04/how-to-deploy-windows-virtual-desktop-in-azure/ Using the service principal with the correct permissions worked for me.
- andrewstollery, Apr 10, 2019, Copper Contributor:
Erjen Rijnders, firstly thank you for pulling together that post and the associated PowerShell. It certainly makes the first steps for setting up WVD easier. However, my efforts in this are still failing on that last step in the Azure deployment (DSC extension) with the error:
"PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with error message: User is not authorized to query the management service."
I'm wondering exactly what the step is doing? I've remoted on to the VM which gets created and tried trawling through the event logs, but there are no more details. I have also tried using just a UPN rather than your suggestion of a service principal. It is a real head scratcher!
I'm going to go off and create a brand new AAD tenant and AAD DS resource just to rule out anything related to our existing corporate AAD tenant. Wish me luck :)
- Erjen Rijnders, Apr 10, 2019, Copper Contributor:
Hi andrewstollery, Thanks and welcome. What is the result of this command?
Get-RdsRoleAssignment
You should set something like this. Especially, the AppId must be the same as the app you created earlier:
New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -ApplicationId $svcPrincipal.AppId -TenantGroupName $myTenantGroupName -TenantName $myTenantName -HostPoolName $hostpoolname
That AppId must be the same as the app you visited in the Azure Portal, creating the new key and used during the deployment of the Azure Marketplace WVD template.
And make sure that the user you are using to join the VMs to the domain also has Owner access on the Azure subscription.
It needs to be able to run PowerShell DSC on the VMs.
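To check the point Erjen makes above before re-running the template, here is an added PowerShell example (not from any poster in this thread): it signs in with the admin account that owns the WVD tenant, lists the RDS role assignments for the tenant, and grants "RDS Owner" to the service principal only if no assignment for that AppId is present. The tenant ids, names and the AppId are placeholders, and the scoping parameters on Get-RdsRoleAssignment and the property scan are assumptions about the module's output rather than documented behaviour.

```powershell
# Added example, not part of the original thread. Assumes the Microsoft.RDInfra.RDPowerShell
# module is installed and that you replace every '<...>' placeholder with your own values.
Import-Module Microsoft.RDInfra.RDPowerShell

$appId             = '<service principal AppId>'     # placeholder: the app whose key was used in the template
$myTenantGroupName = '<tenant group name>'           # placeholder: must match what the portal deployment used
$myTenantName      = '<WVD tenant name>'             # placeholder

# Sign in interactively as the RDS Owner who created the tenant (not as the service principal,
# which is exactly the identity we are not yet sure is authorised).
Add-RdsAccount -DeploymentUrl 'https://rdbroker.wvd.microsoft.com'
Set-RdsContext -TenantGroupName $myTenantGroupName

function Get-RdsAppRoleAssignment {
    param([string]$AppId, [string]$TenantGroupName, [string]$TenantName)
    # Assumption: Get-RdsRoleAssignment accepts the same scoping parameters as New-RdsRoleAssignment.
    # We do not rely on a particular property name for the principal; any property equal to the
    # AppId counts as a match, which is good enough for a yes/no authorisation check.
    Get-RdsRoleAssignment -TenantGroupName $TenantGroupName -TenantName $TenantName |
        Where-Object { $_.PSObject.Properties.Value -contains $AppId }
}

$existing = Get-RdsAppRoleAssignment -AppId $appId -TenantGroupName $myTenantGroupName -TenantName $myTenantName

if ($existing) {
    Write-Host "Service principal $appId already holds an RDS role on tenant '$myTenantName':"
    $existing | Format-List
} else {
    Write-Host "No RDS role found for $appId on tenant '$myTenantName'; granting RDS Owner."
    # Same cmdlet as in the post above, scoped to the tenant rather than a single host pool so the
    # DSC step that registers session hosts can query the management service.
    New-RdsRoleAssignment -RoleDefinitionName 'RDS Owner' -ApplicationId $appId `
        -TenantGroupName $myTenantGroupName -TenantName $myTenantName
    # Re-read so the final output shows what the broker actually recorded.
    Get-RdsAppRoleAssignment -AppId $appId -TenantGroupName $myTenantGroupName -TenantName $myTenantName |
        Format-List
}
```

If the second listing is still empty after the grant, the AppId in the role assignment and the one used when deploying the marketplace template are not the same application, which is the mismatch Erjen describes.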