Forum Discussion
Christopher Anderson
Mar 26, 2019
Copper Contributor
Error: User is not authorized to query the management service
When following the directions below, I always run into an error related to querying the management service. https://docs.microsoft.com/en-us/azure/virtual-desktop/create-host-pools-azure-marketpl...
Christian_Montoya
Microsoft
Mar 27, 2019
Christopher Anderson, Patrick F, Seth Zwicker: The reason you see the "User is not authorized to query the management service" from the DSC extension is that the user you provided in the last blade (where you also defined your Windows Virtual Desktop tenant name) does not have permissions in the tenant that you specified. A couple of things you can check:
- Did you create a tenant from these steps: https://docs.microsoft.com/azure/virtual-desktop/tenant-setup-azure-active-directory ?
- Can you log in to Windows Virtual Desktop with the username you provided in the last blade of the Azure Marketplace offering, and does it require MFA to log in? If that account does require MFA, it will not work when running as part of the script because there's no UI to prompt you for that second factor.
- After logging in with that user account, can you run "Get-RdsTenant" to make sure that same Windows Virtual Desktop tenant appears?
- Double/triple check that you entered the right values in the Azure Marketplace offering. For the most part, the Windows Virtual Desktop tenant group name should remain as "Default Tenant Group" and make sure to enter the Windows Virtual Desktop tenant name you created earlier, not a new one.
Thanks for testing and your patience here. We're compiling this same information and generating a Troubleshooting guide that hopefully should help you get unblocked yourself!
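The four checks listed above can be run as one pre-flight script before starting the Marketplace deployment. This is an added example, not code from the thread's participants or from Microsoft; it assumes the Microsoft.RDInfra.RDPowerShell module is installed, and the broker URL and tenant name are placeholder assumptions to replace with your own values.

```powershell
#Requires -Modules Microsoft.RDInfra.RDPowerShell
# Added example: pre-flight check for the account entered in the Marketplace blade.
# All values below are assumptions/placeholders, not taken from the thread.
$BrokerUrl       = 'https://rdbroker.wvd.microsoft.com'   # assumed public WVD broker URL
$TenantGroupName = 'Default Tenant Group'                 # default named in the post above
$TenantName      = '<your-wvd-tenant-name>'               # placeholder
$Credential      = Get-Credential -Message 'Account used in the last Marketplace blade'

$ErrorActionPreference = 'Stop'

# Check: the account must sign in with username/password only. The DSC extension
# has no UI, so an account that needs a second factor fails at this step.
try {
    Add-RdsAccount -DeploymentUrl $BrokerUrl -Credential $Credential | Out-Null
} catch {
    throw "Non-interactive sign-in failed (does the account require MFA?): $($_.Exception.Message)"
}

# Check: use the same tenant group name that will be entered in the portal.
Set-RdsContext -TenantGroupName $TenantGroupName | Out-Null

# Check: the tenant created earlier must be visible to this account.
$tenant = Get-RdsTenant | Where-Object { $_.TenantName -eq $TenantName }
if (-not $tenant) {
    throw "Tenant '$TenantName' is not visible to $($Credential.UserName) in '$TenantGroupName'."
}

# Check: list the roles this account holds on the tenant, so a missing or
# overly broad assignment is caught before the deployment runs.
$roles = Get-RdsRoleAssignment -TenantName $TenantName |
    Where-Object { $_.SignInName -eq $Credential.UserName }
if (-not $roles) {
    Write-Warning "No direct role assignment for $($Credential.UserName) on '$TenantName'."
} else {
    $roles | Format-Table RoleDefinitionName, Scope, SignInName -AutoSize
}
```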
Christopher Anderson
Mar 27, 2019
Copper Contributor
Christian_Montoya I checked those steps again and I'm still not sure what I'm missing. I reproduced the error outside of the template in PowerShell by doing the following:
1. Created a new user account in Azure AD and put it in the TenantCreator role for Windows Virtual Desktop.
2. Opened PowerShell as an admin, and added / logged into the account above using Add-RdsAccount
3. Attempted to call Remove-RdsTenant as part of clean up to try and see if I could execute the template from scratch
- Christopher Anderson, Mar 28, 2019, Copper Contributor
I was able to work around this issue. Here is what I noted:
1. Regardless of account, you don't seem to be able to delete existing tenant groups once they're created using the Remove-RdsTenant account. I always get the "user is not authorized to query the management service" error no matter what I do.
2. Also, one of the steps I may have missed the first time is that the tenant group name you create via PowerShell has to match what you create via the Azure portal. After creating a new tenant group in PowerShell separate from the default one, it worked when I referenced the new tenant group name in the Azure portal. Hopefully at some point, Microsoft will have an end-to-end solution for creating the tenant, tenant group name, and host pool all within the portal.
- Christian_Montoya, Mar 29, 2019
Microsoft
Christopher Anderson: Yes, I definitely support the last message, that one of our goals is to have all of this functionality straight from the Azure portal, without having to hop around everywhere.
Thank you for all of the feedback, and keep it coming!
- Erjen Rijnders, Apr 04, 2019, Copper Contributor
Maybe it helps someone getting WVD up and running: https://erjenrijnders.nl/2019/04/04/how-to-deploy-windows-virtual-desktop-in-azure/ Using the service principal with the correct permissions worked for me.
- Christian_Montoya, Mar 28, 2019
Microsoft
Christopher Anderson: Just to clarify, the "tenant group" name should always be "Default Tenant Group". Only in very few circumstances does this change. But yes, you always need to provide the same "tenant" name everywhere you go.
- Masoud515, Nov 19, 2019, Copper Contributor
Christian_Montoya I am having the same issue. I am using the default name for the group. I am using an admin account with global enterprise rights.