Christopher Anderson
Mar 26, 2019

Error: User is not authorized to query the management service

When following the directions below, I always run into an error related to querying the management service.


https://docs.microsoft.com/en-us/azure/virtual-desktop/create-host-pools-azure-marketplace


Error message from the Azure portal:

"error": { "code": "VMExtensionProvisioningError", "message": "VM has reported a failure when processing extension 'dscextension'. Error message: \"DSC Configuration 'FirstSessionHost' completed with error(s). Following are the first few: PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with error message: User is not authorized to query the management service.


I'm logged in as a user that is in the Global Administrator role in Azure AD, and it's also a user in the Windows Virtual Desktop enterprise application. I've consented to the Graph and Azure AD permissions under the enterprise app as well. Any ideas?

  • Jamesdld

    Hi everyone,


    I confirm that I have the same error when using a service principal in an Azure AD DS environment.

    We didn't have the issue with an AD DS DC installed on a VM; it is the only difference I have noticed between the two configurations.


    I don't know if it can help but I have noticed that when authenticating with the Service Principal I can only see the Service Principal role assignment. With my user account I do see all role assignments even if we both have the "RDS Owner" role.


    On the left, my user account; on the right, my service principal.


    Regards,

    James

  • What worked for me in a lab environment:

    I had one user that is the one I registered Azure with, and a new administrator account for all activities.

    The administrator had all roles, but not the assignment TenantCreator. So I added this to the administrator.


    Enterprise applications > Virtual desktop > users and groups > add user > select on the right side godzilla > tenantcreator (was selected by default - lab...)  > next > finish


    You need to log in again to apply.

    Open a new PowerShell window.

    Log in with

    Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"

    then run

    New-RdsTenant -Name <TenantName> -AadTenantId <AadTenantID/TenantID> -AzureSubscriptionId <AzureSubscriptionID>


  • CloudMan1011

    Christopher Anderson 

    I had exactly the same issue before (getting an error message of "Error: User is not authorized to query the management service").


    But I got a fix for this issue by running this extra PowerShell command:


    Get-RdsDiagnosticActivities -TenantName <your tenant name>

  • ccbrownkc

    I have suffered from this no matter what I have tried. I have tried every step, even with someone watching over my shoulder and double-checking my work. I must have tried and failed 40 times, and that included rebuilding a new principal, tearing down tenants, etc. I was doing it because our domains have MFA. I finally said I am just going to try that link that says to create a host pool with PowerShell. Was done in 15 minutes. The SPN/app needs help. Also, the order of the docs seems very off to me. Link to the PowerShell build of a host pool: Create a host pool with PowerShell.

    Christopher Anderson 

  • heng008

    Hi All, 

    My deployment is unable to join ADDS domain.

    I continue to get this error, not sure why as I am able to spin up a VM on the VNet and join domain manually. The user is in AAD DC admin group. Am I missing something here? 

    { "code": "VMExtensionProvisioningError", "message": "VM has reported a failure when processing extension 'joindomain'. Error message: \"Exception(s) occured while joining Domain '....onmicrosoft.com '\"." }

    • Christian_Montoya (Microsoft)

      heng008 : If you can get to the VM (either through a public IP address or by connecting through another VM on the network), you should be able to check out the errors from the domainJoin extension log. It would be under C:\Packages\ and there should be a folder for domainJoin. There should be a log (or a .status) file down in that folder that should explicitly say what the error is. (This is an extension we don't manage, but use, so that's why I'm uncertain of exact file location.)
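      A script for the check Christian describes, added here as an example and not part of the thread or of the extension's documentation. It runs locally on the failed session host and searches for the domain-join extension's output rather than hard-coding a path; the two roots it looks under (C:\Packages\Plugins and C:\WindowsAzure\Logs\Plugins) and the folder-name pattern are assumptions from experience with the Azure VM agent, not something the post states. It also pulls NetJoin events from the System log, which is where Windows itself records why a domain join failed.

      ```powershell
      # Added example (not from the thread): locate and print the domain-join extension's
      # status/log output on the session host, then the OS-side NetJoin events.
      # ASSUMPTIONS: extension folders live under the two roots below and contain the
      # words DomainJoin or JsonADDomainExtension in their name; adjust if your VM differs.
      $roots = @('C:\Packages\Plugins', 'C:\WindowsAzure\Logs\Plugins')

      $joinDirs = foreach ($root in $roots) {
          if (Test-Path $root) {
              Get-ChildItem -Path $root -Directory |
                  Where-Object { $_.Name -match 'DomainJoin|JsonADDomainExtension' }
          }
      }
      if (-not $joinDirs) { throw "No domain-join extension folder found under: $($roots -join ', ')" }

      foreach ($dir in $joinDirs) {
          Write-Host "== $($dir.FullName)"

          # The newest .status file belongs to the most recent (failed) attempt.
          $status = Get-ChildItem -Path $dir.FullName -Recurse -Filter '*.status' -ErrorAction SilentlyContinue |
                    Sort-Object LastWriteTime -Descending | Select-Object -First 1
          if ($status) {
              Write-Host "-- $($status.FullName)"
              # .status files are a JSON array of entries; each carries status.code,
              # formattedMessage.message and optional substatus entries with detail.
              $entries = Get-Content -Path $status.FullName -Raw | ConvertFrom-Json
              foreach ($e in @($entries)) {
                  $s = $e.status
                  '{0}  {1}  code={2}' -f $e.timestampUTC, $s.status, $s.code
                  '  ' + $s.formattedMessage.message
                  foreach ($sub in @($s.substatus)) {
                      '  - {0}: {1}' -f $sub.name, $sub.formattedMessage.message
                  }
              }
          }

          # Plain-text logs written alongside: show only the lines that explain a failure.
          Get-ChildItem -Path $dir.FullName -Recurse -Filter '*.log' -ErrorAction SilentlyContinue |
              ForEach-Object {
                  Write-Host "-- $($_.FullName)"
                  Get-Content -Path $_.FullName -Tail 200 |
                      Select-String -Pattern 'error|exception|fail' -CaseSensitive:$false |
                      Select-Object -Last 20
              }
      }

      # Windows records the actual join failure (wrong credentials, DNS, OU permissions...)
      # as NetJoin events in the System log, independent of the extension's own logging.
      Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NetJoin' } `
                   -MaxEvents 10 -ErrorAction SilentlyContinue |
          Select-Object TimeCreated, Id, Message | Format-List
      ```

      If the extension folder is present but empty of .status files, the extension never ran, which usually points at the VM agent rather than the join itself; if a .status file shows an error with a NetJoin event alongside it, the NetJoin message is the one to act on.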

  • rpextech

    Christopher Anderson 


    I have the same issue too after following the instructions.


     New-RdsTenant -Name 'projectstest' -AadTenantId xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx -AzureSubscriptionId xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
    New-RdsTenant : User is not authorized to query the management service.
    ActivityId: xxxxxxx-9dec-485a-82ee-xxxxxxxxxxx
    Powershell commands to diagnose the failure:
    Get-RdsDiagnosticActivities -ActivityId xxxxxxx-9dec-485a-82ee-xxxxxxxxxx
    At line:1 char:1
    + New-RdsTenant -Name 'projectstest' -AadTenantId xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : FromStdErr: (Microsoft.RDInf...nt.NewRdsTenant:NewRdsTenant) [New-RdsTenant], RdsPowerSh
    ellException
    + FullyQualifiedErrorId : UnauthorizedAccess,Microsoft.RDInfra.RDPowershell.Tenant.NewRdsTenant
    Followed the guide here https://docs.microsoft.com/en-us/azure/virtual-desktop/tenant-setup-azure-active-directory

    Turned off MFA for the account.


    Granted permissions for client and server here https://rdweb.wvd.microsoft.com/

    Granted permissions here for Virtual desktop https://aad.portal.azure.com

  • Christopher Anderson, Patrick F, Seth Zwicker: The reason you see "User is not authorized to query the management service" from the DSC extension is that the user you provided in the last blade (where you also defined your Windows Virtual Desktop tenant name) does not have permissions in the tenant that you specified. A couple of things you can check:

    • Did you create a tenant from these steps: https://docs.microsoft.com/azure/virtual-desktop/tenant-setup-azure-active-directory ?
    • Can you login to Windows Virtual Desktop with the username you provided in the last blade of Azure Marketplace offering, and does it require MFA to login? If that account does require MFA, it will not work when running as part of the script because there's no UI to prompt you for that second factor.
    • After logging in with that user account, can you run "Get-RdsTenant" to make sure that same Windows Virtual Desktop tenant appears?
    • Double/triple check that you entered the right values in the Azure Marketplace offering. For the most part, the Windows Virtual Desktop tenant group name should remain as "Default Tenant Group" and make sure to enter the Windows Virtual Desktop tenant name you created earlier, not a new one.

    Thanks for testing and your patience here. We're compiling this same information and generating a Troubleshooting guide that hopefully should help you get unblocked yourself!
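  The checklist above as a script, added here as an example and not part of the thread or of Microsoft's guidance. It uses the classic Microsoft.RDInfra.RDPowerShell cmdlets that the thread already relies on (Add-RdsAccount, Get-RdsTenant, Get-RdsDiagnosticActivities) plus Set-RdsContext, Get-RdsRoleAssignment and New-RdsRoleAssignment from the same module. The deployment URL and "Default Tenant Group" are the values given in the thread; the tenant name, sign-in name and ActivityId are placeholders you replace with your own.

  ```powershell
  # Added example (not from the thread): confirm that the account typed into the last
  # Marketplace blade can see the WVD tenant named there and holds a role on it, and
  # pull broker diagnostics for a failed call. Tenant name, sign-in name and ActivityId
  # are placeholders. Requires: Install-Module Microsoft.RDInfra.RDPowerShell
  param(
      [string]$TenantName      = 'Contoso-WVD',                       # name created with New-RdsTenant
      [string]$TenantGroupName = 'Default Tenant Group',              # thread: leave as the default
      [string]$SignInName      = 'wvdadmin@contoso.onmicrosoft.com',  # account given to the blade
      [string]$ActivityId,                                            # optional, from the error output
      [switch]$GrantOwner                                             # assign RDS Owner if missing
  )

  Import-Module Microsoft.RDInfra.RDPowerShell -ErrorAction Stop

  # Interactive sign-in with the deploying account. If this prompts for a second factor,
  # the same account will fail inside the DSC extension, which has no UI to satisfy MFA.
  Add-RdsAccount -DeploymentUrl 'https://rdbroker.wvd.microsoft.com' | Out-Null
  Set-RdsContext -TenantGroupName $TenantGroupName | Out-Null

  # 1. Does the tenant exist in this tenant group, and can this account read it?
  $tenant = $null
  try   { $tenant = Get-RdsTenant -Name $TenantName }
  catch { Write-Warning "Get-RdsTenant failed: $($_.Exception.Message)" }

  if (-not $tenant) {
      Write-Warning "Tenant '$TenantName' is not visible in group '$TenantGroupName'."
      Write-Warning "Either it was never created (New-RdsTenant) or this account has no role on it."
      Write-Host   "Tenants this account can see in the group:"
      Get-RdsTenant | Select-Object TenantName, TenantGroupName, AadTenantId | Format-Table
  }
  else {
      # 2. Which roles does the deploying account hold on the tenant?
      $assignments = Get-RdsRoleAssignment -TenantName $TenantName |
                     Where-Object { $_.SignInName -eq $SignInName }
      if (-not $assignments) {
          Write-Warning "$SignInName has no role assignment on tenant '$TenantName'."
          if ($GrantOwner) {
              # Least privilege note: RDS Owner is what the Marketplace deployment needs to
              # create the host pool; use RDS Contributor/Reader for day-to-day accounts.
              New-RdsRoleAssignment -RoleDefinitionName 'RDS Owner' `
                                    -SignInName $SignInName -TenantName $TenantName
          }
      }
      else {
          $assignments | Select-Object SignInName, RoleDefinitionName, Scope | Format-Table
      }
  }

  # 3. The failing cmdlet prints an ActivityId; the broker keeps the diagnostics for it.
  if ($ActivityId) {
      Get-RdsDiagnosticActivities -ActivityId $ActivityId |
          Select-Object ActivityId, ActivityType, Outcome, Errors | Format-List
  }
  ```

  Run it once with the exact tenant name and sign-in name you entered in the blade; a warning from step 1 means the blade values and the PowerShell-created tenant do not line up, and an empty result from step 2 is the permissions gap this thread is about.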

    • DD24Tony

      I have tried so many different ways and nothing works. I noticed you said that if the user account has MFA the script won't work. Is this the same case for an AD domain-join error when deploying a host pool?

      Christian_Montoya 

    • Christopher Anderson

      Christian_Montoya I checked those steps again and I'm still not sure what I'm missing.  I reproduced the error outside of the template in PowerShell by doing the following:


      1.  Created a new user account in Azure AD and put it in the TenantCreator role for Windows Virtual Desktop.

      2.  Opened PowerShell as an admin, and added / logged into the account above using Add-RdsAccount

      3.  Attempted to call Remove-RdsTenant as part of clean up to try and see if I could execute the template from scratch

      • Christopher Anderson

        I was able to work around this issue.  Here is what I noted:


        1.  Regardless of account, you don't seem to be able to delete existing tenant groups once they're created using the Remove-RdsTenant cmdlet. I always get the "user is not authorized to query the management service" error no matter what I do.

        2.  Also, one of the steps I may have missed the first time is that the tenant group name you create via PowerShell has to match to what you create via the Azure portal.  After creating a new tenant group in Powershell separate from the default one, it worked when I referenced the new tenant group name in the Azure portal.  Hopefully at some point, Microsoft will have an end-to-end solution for creating the tenant, tenant group name, and host pool all within the portal. 

    • Patrick F
      Could this be my problem? The instructions point to infrastructure requirements which says it needs the following things.....
      -An Azure Active Directory
      -A Windows Server Active Directory in sync with Azure Active Directory.
      -An Azure subscription, containing a virtual network that either contains or is connected to the Windows Server Active Directory.

      I don't have a local AD synced to Azure AD. I only have Azure AD.
      The instructions seem to say that you need all of it.
