Forum Discussion
Error: User is not authorized to query the management service
Erjen Rijnders, firstly thank you for pulling together that post and the associated PowerShell. It certainly makes the first steps for setting up WVD easier. However, my efforts in this are still failing on that last step in the Azure deployment /dscextension with the error:
" PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with error message: User is not authorized to query the management service."
I'm wondering exactly what the step is doing? I've remoted on to the VM which gets created and tried trawling through the event logs, but there are no more details. I have also tried using just a UPN rather than your suggestion of a service principal. It is a real head scratcher!
I'm going to go off and create a brand new AAD tenant and AAD DS resource just to rule out anything related to our existing corporate AAD tenant. Wish me luck :)
- Erjen Rijnders, Apr 10, 2019, Copper Contributor
Hi andrewstollery, Thanks and welcome. What is the result of this command?
Get-RdsRoleAssignment
You should set something like this. In particular, the AppId must be the same as the app you created earlier:
New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -ApplicationId $svcPrincipal.AppId -TenantGroupName $myTenantGroupName -TenantName $myTenantName -HostPoolName $hostpoolname
That AppId must be the same as the app you visited in the Azure Portal, creating the new key and used during the deployment of the Azure Marketplace WVD template.
And make sure that the user you are using to join the VMs to the domain also has Owner access on the Azure subscription.
It needs to be able to run PowerShell DSC on the VMs.
- Oletho, Jun 14, 2019, Copper Contributor
Erjen Rijnders wrote: And make sure that the user you are using to join the VMs to the domain also has Owner access on the Azure subscription. It needs to be able to run PowerShell DSC on the VMs.
Do you have any pointers to this? I have not seen this mentioned anywhere else, and I am not satisfied with having a local AD user have owner rights on a subscription.
For other reasons I am going to remove my WVD setup and start over, and I want to be sure to do every little bit right this time :-)
Thanks!
- Christian_Montoya, Jun 14, 2019, Microsoft
Oletho: The local AD user that will domain-join the VMs does not need to have any Azure permissions (my test tenant certainly does not).
- andrewstollery, Apr 10, 2019, Copper Contributor
Hi Erjen Rijnders, thank you for the prompt reply. Given the number of times I've run this now, I actually get 5 RoleAssignmentIds returned...oops. How do I tidy those up? Using Remove-RdsRoleAssignment, I guess? I'll have a crack at that later...
The last one in the list though is the correct one:
I guess the only difference for me is that I am using AAD DS too, which you stated below is not supported. I'm not sure why not? I can get the VM to join the AAD DS domain. It is the DSCextension step which fails.
Anyhow, I'll do some tidying up and also keep progressing with my greenfield AAD, AAD DS and WVD deployment.
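The two posts above (Erjen's role-assignment command and Andrew's pile of leftover assignments from repeated runs) are easier to reason about with a script that audits the assignments rather than eyeballing them. The following is an added example for this thread, not code from Erjen's guide or from Microsoft. It assumes the preview module Microsoft.RDInfra.RDPowerShell and Az.Resources are installed, that $svcPrincipal, $myTenantGroupName, $myTenantName and $hostpoolname are set as in Erjen's post, that the objects returned by Get-RdsRoleAssignment expose ObjectId, SignInName, RoleDefinitionName, DisplayName and RoleAssignmentId (check with `Get-RdsRoleAssignment ... | Get-Member` before trusting it), and that Remove-RdsRoleAssignment accepts the same -SignInName/-ApplicationId and scope parameters as New-RdsRoleAssignment. All of those are assumptions taken from the preview module, not verified against a current release.

```powershell
# Added example (not from the thread). Audits the WVD RDS role assignments the DSC
# registration step depends on: the AppId pasted into the marketplace template must
# hold "RDS Owner" (or at least a role that can register session hosts) on the
# tenant/host pool. Reports every assignment, flags the ones that are not ours,
# optionally removes leftover service-principal assignments, and creates the
# correct one if it is missing.
#
# ASSUMPTIONS: module names, the property names on Get-RdsRoleAssignment output,
# and the Remove-RdsRoleAssignment parameter set are taken from the preview module.
Import-Module Microsoft.RDInfra.RDPowerShell
Import-Module Az.Resources

$roleName    = "RDS Owner"
$removeStale = $false   # set to $true only after the report below looks right

$expectedAppId = $svcPrincipal.AppId
# The broker records a service-principal assignment by the SP's object id, not its AppId,
# so resolve the object id once and compare against that.
$expectedObjectId = (Get-AzADServicePrincipal -ApplicationId $expectedAppId).Id
if (-not $expectedObjectId) { throw "No service principal found for AppId $expectedAppId" }

Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"

$tenantScope   = @{ TenantGroupName = $myTenantGroupName; TenantName = $myTenantName }
$hostPoolScope = $tenantScope + @{ HostPoolName = $hostpoolname }
$foundOurs     = $false

foreach ($scope in @($tenantScope, $hostPoolScope)) {
    $label = if ($scope.HostPoolName) { "host pool $($scope.HostPoolName)" } else { "tenant $($scope.TenantName)" }
    $assignments = @(Get-RdsRoleAssignment @scope)
    Write-Host "`n[$label] $($assignments.Count) role assignment(s)"

    foreach ($a in $assignments) {
        $ours = ($a.ObjectId -eq $expectedObjectId) -and ($a.RoleDefinitionName -eq $roleName)
        $tag  = if ($ours) { "OK   " } else { "other" }
        Write-Host ("  {0} {1,-16} {2,-40} {3}" -f $tag, $a.RoleDefinitionName, $a.DisplayName, $a.RoleAssignmentId)
        if ($ours) { $foundOurs = $true; continue }

        # Never touch user assignments here (the human tenant creator also holds RDS Owner,
        # and removing it locks you out). Only leftover service principals are candidates.
        if ($a.SignInName) { continue }
        if (-not $removeStale) { continue }

        $sp = Get-AzADServicePrincipal -ObjectId $a.ObjectId
        if ($sp) {
            Remove-RdsRoleAssignment @scope -RoleDefinitionName $a.RoleDefinitionName -ApplicationId $sp.ApplicationId
            Write-Host "  removed $($a.RoleDefinitionName) for AppId $($sp.ApplicationId)"
        } else {
            Write-Warning "  cannot resolve principal $($a.ObjectId); remove it by hand"
        }
    }
}

if (-not $foundOurs) {
    # Same command as in Erjen's post: grant the template's AppId at host-pool scope.
    New-RdsRoleAssignment -RoleDefinitionName $roleName -ApplicationId $expectedAppId @hostPoolScope
    Write-Host "`nCreated $roleName for AppId $expectedAppId on host pool $hostpoolname"
} else {
    Write-Host "`nAppId $expectedAppId already holds $roleName; the DSC step should be able to register hosts."
}
```

Run it first with $removeStale left at $false and compare the "OK" line's AppId with the one you pasted into the marketplace template; the "User is not authorized to query the management service" error is what the broker returns when those two do not match. Note that the only identity this script grants anything to is the application's service principal; as Christian_Montoya points out later in the thread, the domain-join account needs no Azure permissions at all, so there is no reason to hand a local AD user Owner on the subscription.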
- Stavros Mitchell, Apr 10, 2019, Copper Contributor
I am pretty sure the issue is AADDS. I think I will set up a VM for Active Directory and link it to AADDS and see if that corrects my issue.
- Stavros Mitchell, Apr 10, 2019, Copper Contributor
Hey, I also have the same issue. I followed both the Microsoft guide and Erjen's guide and am failing on the DSCextension. I am thinking the problem is with AADDS. Has anyone made it work with AADDS?
thanks
- Erjen Rijnders, Apr 10, 2019, Copper Contributor
Stavros Mitchell, I have not tested with AAD DS, but from what I know, in the preview version you need a working AD Connect, meaning that you can only use an on-prem AD. I hope they remove that from the production version.