Forum Discussion
Christopher Anderson
Mar 26, 2019, Copper Contributor
Error: User is not authorized to query the management service
When following the directions below, I always run into an error related to querying the management service. https://docs.microsoft.com/en-us/azure/virtual-desktop/create-host-pools-azure-marketpl...
Christopher Anderson
Mar 27, 2019, Copper Contributor
Christian_Montoya I checked those steps again and I'm still not sure what I'm missing. I reproduced the error outside of the template in PowerShell by doing the following:
1. Created a new user account in Azure AD and put it in the TenantCreator role for Windows Virtual Desktop.
2. Opened PowerShell as an admin, and added / logged into the account above using Add-RdsAccount.
3. Attempted to call Remove-RdsTenant as part of cleanup to try and see if I could execute the template from scratch.
Christopher Anderson
Mar 28, 2019, Copper Contributor
I was able to work around this issue. Here is what I noted:
1. Regardless of account, you don't seem to be able to delete existing tenant groups once they're created using the Remove-RdsTenant account. I always get the "user is not authorized to query the management service" error no matter what I do.
2. Also, one of the steps I may have missed the first time is that the tenant group name you create via PowerShell has to match what you create via the Azure portal. After creating a new tenant group in PowerShell separate from the default one, it worked when I referenced the new tenant group name in the Azure portal. Hopefully at some point, Microsoft will have an end-to-end solution for creating the tenant, tenant group name, and host pool all within the portal.
- Christian_Montoya, Mar 29, 2019
Microsoft
Christopher Anderson : Yes, I definitely support the last message, that one of our goals is to have all of this functionality straight from the Azure portal, without having to hop around everywhere.
Thank you for all of the feedback, and keep it coming!
- Erjen Rijnders, Apr 04, 2019, Copper Contributor
Maybe it helps someone getting WVD up and running: https://erjenrijnders.nl/2019/04/04/how-to-deploy-windows-virtual-desktop-in-azure/ Using the service principal with the correct permissions worked for me.
- andrewstollery, Apr 10, 2019, Copper Contributor
Erjen Rijnders, firstly thank you for pulling together that post and the associated PowerShell. It certainly makes the first steps for setting up WVD easier. However, my efforts in this are still failing on that last step in the Azure deployment /dscextension with the error:
" PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with error message: User is not authorized to query the management service."
I'm wondering exactly what the step is doing? I've remoted on to the VM which gets created and tried trawling through the event logs but there are no more details. I have also tried using just a UPN rather than your suggestion of service principal. It is a real head scratcher!
I'm going to go off and create a brand new AAD tenant and AAD DS resource just to rule out anything related to our existing corporate AAD tenant. Wish me luck :)
- Christian_Montoya, Mar 28, 2019
Microsoft
Christopher Anderson : Just to clarify, the "tenant group" name should always be "Default Tenant Group". Only in very few circumstances does this change. But yes, you always need to provide the same "tenant" name everywhere you go.
- Masoud515, Nov 19, 2019, Copper Contributor
Christian_Montoya I am having the same issue. I am using the default name for the group. I am using an admin account with global enterprise right.
- Christian_Montoya, Nov 19, 2019
Microsoft
Masoud515 : Does that user have a valid role assignment? Can you run Get-RdsRoleAssignment ?