Error: User is not authorized to query the management service

Christian_Montoya  Thanks I sorted that by assigning the user access but after deployment not able to access remote session and last night I shutdown the VM and today morning getting error and found no heartbeat. 

chhabrag : Did you assign the user to the application group (Add-RdsAppGroupUser)? This is the action that assigns to the user and makes it visible in whichever client you use.

GriffinDodd my deployment was successful and  I cannot see any deployed resources on https://rdweb.wvd.microsoft.com/webclient but I can access the WVD VM through RDP login which got deployed through WVD setup. please suggest. I used same user with Global Admin access of AD and also assigned the tenant creator permissions. 

Christian_Montoya could you explain how to do this, I'm not much of a powershell ninja

GriffinDodd : Currently, when running service principal, the name does not come up. We are tracking this. However, it does show correctly that it is an RDS Owner (if you look at RoleDefinitionName.

GriffinDodd : You can remove that extra "session desktop" by finding that host pool and app group, and running "Remove-RdsAppGroupUser". You can then also remove the app group (Remove-RdsAppGroup) and host pool (Remove-RdsHostPool).

I have been able to successfully connect through the web client at 
https://rdweb.wvd.microsoft.com/webclient/index.html

although I still see the ghost 'session desktop' icon in my feed from previous failed deployment attempts, so I need to find a way to kill that as that doesn't work. 

But progress!!!

After completely remaking my Tenant and Service Principal I was finally able to to get a successful deployment using my UPN rather than AppID and secret.

However now, I see two Session Desktops (with no icon) in my rdweb feed, double clicking either of them errors out trying to launch an rdp file at an invalid path local path on my PC. Instead of having my proper name of "xxx xxx Dodd" (my user folder) at the beginning of the path, it simply has "Dodd" so obviously it cannot find the RDP file. When I drill down to where the RDP files are stored (along with their icons) and try and manually launch them with the remote desktop app the connection also fails with the error

"The RDP file provided is invalid. Make sure the file contains the full address and is formatted properly or contact your admin for help"

Also when in Office 365, launching the 'Windows Virtual Desktop' app resolves to an invalid URL after first trying to hit a session at account.activedirectory.windowsazure.com/applications/signin/xxxxxx and ends at https://mrs-prod.ame.gbl/mrs-RDInfra-prod

tilikumtim I went through the steps you provided, however my username is returned as blank, 

PS C:\WINDOWS\system32> get-rdscontext

DeploymentUrl                                         TenantGroupName                            UserName
------------- --------------- --------
https://rdbroker.wvd.microsoft.com        Default Tenant Group

My role assignment looks like this..

RoleAssignmentId : xxxxx-xxxx-xxxx-xxxx-xxxxxxx
Scope : /Default Tenant Group/LMRVVDTENANT/LMRVpoolname
TenantGroupName : Default Tenant Group
TenantName : LMRVVDTENANT
HostPoolName : LMRVpoolname
DisplayName :
SignInName :
GroupObjectId :
AADTenantId :
AppId : xxxxx-xxxx-xxxx-xxxx-xxxxxxx
RoleDefinitionName : RDS Owner
RoleDefinitionId : xxxxx-xxxx-xxxx-xxxx-xxxxxxx
ObjectId : xxxxx-xxxx-xxxx-xxxx-xxxxxxx
ObjectType : ServicePrincipal
Item :

I inspected the Manifest for my Svc Principal and noticed on line 2 that the appRoles value was empty, is that correct? Should it read "RDS Owner" ???

GriffinDodd Did you run the Add-RdsAccount command? To run using Service Principal credentials I run the command: 

Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com" -ServicePrincipal -AadTenantId "[add-your-id]"

Then enter the Service Principal AppId and password.

Running get-rdscontext should then show the username as ServicePrincipal.

Christian_Montoya I recreated the RDS Owner role for the Service Principle Tenant, and I still get this error...

Christian_Montoya See above regarding Tenant and Service Principal creation.

On trying to log in to Azure with the service principal I seem to be able to log in and see the Account ID, a blank subscriptionName (????), TenantID and Environment listed as AzureCloud

I created my tenant like this....

New-RdsTenant -Name <my tenant name> -AadTenantId <aad id> -AzureSubscriptionId <az sub id>

$myTenantGroupName = "Default Tenant Group"
$myTenantName = "<my tenant name>" #As you used in the previous step
$hostpoolname = "<my pool name>"

# create the service principal:
$aadContext = Connect-AzureAD
$svcPrincipal = New-AzureADApplication -AvailableToOtherTenants $true -DisplayName "Windows Virtual Desktop Svc Principal"
$svcPrincipalCreds = New-AzureADApplicationPasswordCredential -ObjectId $svcPrincipal.ObjectId

# Don't change the URL below.
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"
Set-RdsContext -TenantGroupName $myTenantGroupName
New-RdsHostPool -TenantName $myTenantName -name $hostpoolname

New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -ApplicationId $svcPrincipal.AppId -TenantGroupName $myTenantGroupName -TenantName $myTenantName -HostPoolName $hostpoolname

Christian_Montoya I created the service principal following the guidelines laid out in Erjens blog post.

I have tried two methods, one where you create the tenant and service principle as illustrated in Erjen's directions, another where you use the Managed Domain as the tenant and use Managed Domain admin credentials, both give the same errors.

Here is how I am creating the tenant...

New-RdsTenant -Name <my tenant name> -AadTenantId <aad id> -AzureSubscriptionId <AZ sub id>

$myTenantGroupName = "Default Tenant Group"
$myTenantName = "<my tenant name>" #As you used in the previous step
$hostpoolname = "<my host pool name>"

# create the service principal:
$aadContext = Connect-AzureAD
$svcPrincipal = New-AzureADApplication -AvailableToOtherTenants $true -DisplayName "Windows Virtual Desktop Svc Principal"
$svcPrincipalCreds = New-AzureADApplicationPasswordCredential -ObjectId $svcPrincipal.ObjectId

# Don't change the URL below.
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"
Set-RdsContext -TenantGroupName $myTenantGroupName
New-RdsHostPool -TenantName $myTenantName -name $hostpoolname

New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -ApplicationId $svcPrincipal.AppId -TenantGroupName $myTenantGroupName -TenantName $myTenantName -HostPoolName $hostpoolname

GriffinDodd : Are you able to install the PowerShell locally and try logging in with that service principal? Also, the other requirement for the service principal is that it must be created as a "Converged app" or as "multi-tenant" because our service currently uses a 3rd party Azure AD application for authentication.

When I try and deploy using my subscription owner UPN for the Tenant Admin credentials instead of the Service principle credentials, I get a different error on the DSCExtention phase of the deployment...

I am also having many of the same issues covered in this thread trying to deploy Windows Virtual Desktop Preview.

I have followed all of the directions linked in this thread, including Erjen's very useful blog post and I am still getting the dreaded "User is not authorized to query the management service" failure during the DSCExtension part of the deployment.

My deployment user is a subscription owner, I have my regular AD synced with AAD complete with password hash sync, I created Service Principles with RDS Owner permissions/roles and used the APP IDs and Keys for the Tenant Admin credentials. I have tried deploying without any default users set, but despite all of this I still get the same failure.

This is extremely frustrating.

andrewstollery 

ok so i got it to work with only AADDS i followed this guide. I think my issue was the users i was putting to allowe. I left it blank this time and it worked

http://www.rebeladmin.com/2019/04/step-step-guide-azure-windows-virtual-desktop-preview/

Stavros Mitchell andrewstollery : Yes, you would always use Azure AD Connect to synchronize your Windows Server AD up to Azure AD. However, if you are a cloud organization and have no Windows Server AD, then you can use Azure AD Domain Services to create a managed Windows Server AD on the virtual network that would have the same users as your Azure AD.

The intent was that these are each mechanisms that will allow the users to be recognized both "in the cloud" and "on-prem". We can change the wording to make that more clear. Open to suggestions!

andrewstollery 

According to Microsoft Document

A Windows Server Active Directory in sync with Azure Active Directory. This can be enabled through:

• Azure AD Connect
• Azure AD Domain Services

I am trying to see how that works I didn't know you can create a new Windows Server Active Directory and sync with AADDS. I have always used AD Connect. Unless i am misunderstanding the requirements

Hi Stavros Mitchell,

I'm inclined to agree now. I've finished a completely new setup:

• AAD Tenant
• AAD DS Resource
• Followed Erjen's excellent deployment steps for WVD

Deployment fails at the /dcsextension step every time with the error "PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with the error message: User is not authorized to query the management service"

I'm still not sure I understand why WVD requires a full-blown ADDS domain controller to work? Perhaps a Microsoft representative can shed some light on this? Anyway, just like you, I am not prepared to give up! :)

Next step is to deploy an IaaS ADDS VM and use AAD Connect to sync up to AAD and then run the WVD setup again...watch this space!