MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

User is not authorized to query the management service #27791

Closed kaareschmidtalso closed 1 year ago

kaareschmidtalso commented 5 years ago

I am trying to join the machines to an ADDS domain.

I have entered the global admin everywhere a user ID is required - for testing purposes, of course.

Any idea what and where this management service is and why the global admin cannot query it?



shashishailaj commented 5 years ago

@kaareschmidtalso Thank you for your feedback. We will investigate and update further.

tiktb8 commented 5 years ago

Did you grant the proper role to the global admin on the app registration?

kaareschmidtalso commented 5 years ago

I followed the instructions here: https://docs.microsoft.com/en-us/azure/virtual-desktop/tenant-setup-azure-active-directory I might have missed it - where should I check?

tannersatch commented 5 years ago

I had this issue too, make sure you follow all the steps to assign the TenantCreator application role to a user in your Azure Active Directory tenant in the previous tutorial. I went to the Azure Active Directory portal, opened the WVD app, selected "Users and groups" and already saw my user there, so I moved on. Turns out you have to add your user again anyway, and assign the TenantCreator role.

carloreggiani commented 5 years ago

Same error also for me....

New-RdsTenant -Name <TenantName> -AadTenantId <DirectoryID> -AzureSubscriptionId <SubscriptionID>

Response: New-RdsTenant : User is not authorized to query the management service

Easton22 commented 5 years ago

Same issue and i set the Tenant Creator role.

tannersatch commented 5 years ago

Did you run

Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"

again in powershell? After I added the TenantCreator role to my user, I had to run that again before New-RdsTenant would work.

Easton22 commented 5 years ago

Yes, I even opened a new powershell window and I am getting the same error still


Easton22 commented 5 years ago

Has anyone figured out how to make this work yet? Still not able to run the command due to user not authorized. Thanks

rofldoodle commented 5 years ago

@Easton22 Make sure the Azure admin specified in the PS script doesn't have MFA enabled on it. You should then be able to move onto the next error message which is where I'm stuck on.

Easton22 commented 5 years ago

@rofldoodle i checked on 2fa and the account being used does not have it. Any other ideas?

sebastianmaas commented 5 years ago

@Easton22 what did you provide during the Windows Virtual Desktop deployment in the Azure portal as "Tenant Group Name" and "Tenant Name"? You have to use the values you used during the preparation with PowerShell. You can validate it with the following commands:

1) Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"
2) Log in with your global admin
3) Get-RdsTenant

rswainston commented 5 years ago

Having the same issue here. Host pool deployment succeeded in the Azure portal. Trying to add a user via the PowerShell command

Add-RdsAppGroupUser -TenantName tenant -HostPoolName hostpool -AppGroupName "Desktop Application Group" -UserPrincipalName user@user.com

and I get the error "user is not authorised to query the management service".

Easton22 commented 5 years ago

For this command, New-RdsTenant -Name <TenantName> -AadTenantId <DirectoryID> -AzureSubscriptionId <SubscriptionID>, should I be using my current Azure tenant name or be creating a new one? I used my current tenant name. Thanks

sebastianmaas commented 5 years ago

@Easton22 the tenant name you need to provide is the tenant name of the WVD tenant. So it can be another one.

shashishailaj commented 5 years ago

@Heidilohr Could you please assist with this issue?

MPBetts commented 5 years ago

I get this also. The user is a global admin, the app has TenantCreator assigned to the user, Get-RdsAppGroup returns data successfully, showing we can connect, but Get-RdsDiagnosticActivities returns "user not authorized to query the management service". Any help appreciated.

colinrubbert commented 5 years ago

I have the same issue. Global admin, TenantCreator, and RDS Owner, and still get the "user not authorized to query the management service". It would be nice if we had a bit more information on this error: is it a matter of adding an additional permission somewhere to the VM that was created, or a role to the user we're using? Is it a limitation of how things are configured in the template at creation? Is the DSC extension just deployed improperly to the VM?

There's so little information to go off of with the error it's hard to hunt down the problem. Sure it's an authorization issue but if you have a global admin/tenantcreator/rds owner roles then there shouldn't be any issue with permissions. So does that mean it's a communication issue between two assets?

M365/O365 version: E1 non-profit sponsorship

almalos commented 5 years ago

You're getting the "User is not authorized to query the management service." because you did not run again the below cmdlet, in order to sign in to the Windows Virtual Desktop environment: Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"

If I understand correctly, you need to run this cmdlet each time you launch PowerShell, before running Get-RdsTenant.

MPBetts commented 5 years ago

> You're getting the "User is not authorized to query the management service." because you did not run again the below cmdlet, in order to sign in to the Windows Virtual Desktop environment: Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"
>
> If I understand correctly, you need to run this cmdlet each time you launch PowerShell, before running Get-RdsTenant.

I had been running that, same result. Here's the output currently:

PS C:\Windows\system32> Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"

DeploymentUrl                      TenantGroupName      UserName
-------------                      ---------------      --------
https://rdbroker.wvd.microsoft.com Default Tenant Group xxxx@xxx.com

PS C:\Windows\system32> Get-RdsTenant -TenantName xxxxxxxxx

TenantGroupName         : Default Tenant Group
AadTenantId             : xxxxxxxxxxxxxxxxxxxxxx
TenantName              : xxxxxxxxxxx
Description             :
FriendlyName            :
SsoAdfsAuthority        :
SsoClientId             :
SsoClientSecret         :
AzureSubscriptionId     : xxxxxxxxxxxxxxxxxxxxxxxxxx
LogAnalyticsWorkspaceId :
LogAnalyticsPrimaryKey  :

PS C:\Windows\system32> Get-RdsDiagnosticActivities
Get-RdsDiagnosticActivities : User is not authorized to query the management service.
ActivityId: xxxxxxxxxxxxxxxxxxxxxxxxxxx
Powershell commands to diagnose the failure:
Get-RdsDiagnosticActivities -ActivityId xxxxxxxxxxxxxxxxxxxxxxxx
At line:1 char:1

colinrubbert commented 5 years ago

@almalos That does not resolve the issue. Scenario is same as @MPBetts and output is the same.

PS C:\WINDOWS\system32> Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"

DeploymentUrl                      TenantGroupName      UserName                     
-------------                      ---------------      --------                     
https://rdbroker.wvd.microsoft.com Default Tenant Group <my tenant creator/global admin @ my domain.com>

PS C:\WINDOWS\system32> Get-RdsTenant

TenantGroupName         : Default Tenant Group
AadTenantId             : <my aad tenant id>
TenantName              : <my tenant name>
Description             : 
FriendlyName            : 
SsoAdfsAuthority        : 
SsoClientId             : 
SsoClientSecret         : 
AzureSubscriptionId     : <my Azure subscription id>
LogAnalyticsWorkspaceId : 
LogAnalyticsPrimaryKey  : 

PS C:\WINDOWS\system32> Get-RdsDiagnosticActivities
Get-RdsDiagnosticActivities : User is not authorized to query the management service.
ActivityId: <my activity id>
Powershell commands to diagnose the failure:
Get-RdsDiagnosticActivities -ActivityId <my activity id>
At line:1 char:1
+ Get-RdsDiagnosticActivities
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : FromStdErr: (Microsoft.RDInf...osticActivities:GetRdsDiagnosticAc 
   tivities) [Get-RdsDiagnosticActivities], RdsPowerShellException
    + FullyQualifiedErrorId : UnauthorizedAccess,Microsoft.RDInfra.RDPowershell.Diagnostics.Get 
   RdsDiagnosticActivities

My user has global admin, tenant creator, and rds owner as permissions so there's something askew.

colinrubbert commented 5 years ago

So when I specify the tenant name it presents results, so I'm not entirely sure what it's trying to pull when you just run Get-RdsDiagnosticActivities.

Run this command and it should kick out results for you (it worked for me);

Get-RdsDiagnosticActivities -TenantName <your tenant name>

I'm not sure that this solves all the issues, though. I got the same error when I tried to run Export-RdsRegistrationInfo yesterday, and now it's not giving me that error and I haven't done anything different, so ¯\_(ツ)_/¯

almalos commented 5 years ago

Indeed, I face the same issue as well, with all permissions granted:

PS H:\> Get-RdsTenant xxxxxxxx.onmicrosoft.com

TenantGroupName         : Default Tenant Group
AadTenantId             : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
TenantName              : xxxxxxxx.onmicrosoft.com
Description             :
FriendlyName            :
SsoAdfsAuthority        :
SsoClientId             :
SsoClientSecret         :
AzureSubscriptionId     : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
LogAnalyticsWorkspaceId :
LogAnalyticsPrimaryKey  :

PS H:\> Get-RdsDiagnosticActivities
Get-RdsDiagnosticActivities : User is not authorized to query the management service.
ActivityId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
Powershell commands to diagnose the failure:
Get-RdsDiagnosticActivities -ActivityId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
At line:1 char:1

almalos commented 5 years ago

@colinrubbert, yes, specifying the domain name works for me as well: Get-RdsDiagnosticActivities -TenantName xxxxxxxx.onmicrosoft.com

jasonkatz424 commented 5 years ago

I have this same problem. Global admin, TenantCreator role, and have gone through all deployment steps.

colinrubbert commented 5 years ago

@jasonkatz424 see my previous comment, see if that works https://github.com/MicrosoftDocs/azure-docs/issues/27791#issuecomment-477215147

Also, check your resource group and make sure everything was deployed properly and no failure, then double check that your WVD Host Pool is in the same region and vnet as your Azure Active Directory Domain Services is located, it makes a massive difference.

jasonkatz424 commented 5 years ago

The DSC extension did have an error upon deployment. Maybe that's it? I tried your suggestion above, but to no avail.

colinrubbert commented 5 years ago

@jasonkatz424 try to restart the VM, for whatever reason when I did that it then had a successful deployment.

Know1 commented 5 years ago

Yesterday I had the same error Get-RdsTenant, Get-RdsDiagnosticActivities both failing with "User is not Authorized" messages. Logged it with support and they redirected me here. Today I go try the same command to post some more info here, it worked perfectly. So no idea what happened between yesterday and today (note this first was tried/setup a week ago).

My suggestion for a fix if you have the same problem? Bug support; they will wave the magic wand and it will just work after that.

normaliok commented 5 years ago

The same problem for me:

Get-RdsDiagnosticActivities : User is not authorized to query the management service.
ActivityId: 54d31bc3-02d0-4551-8ef5-b9f304fdedb2
Powershell commands to diagnose the failure:
Get-RdsDiagnosticActivities -ActivityId 54d31bc3-02d0-4551-8ef5-b9f304fdedb2

joelmusheno commented 5 years ago

Just to add another possible solution. Initially, when I was requesting a list of applications installed on my host group, I was getting:

Get-RdsStartMenuApp : User is not authorized to query the management service.

The step that I had missed was to use my admin user (azadmin@...) to walk through this doc: https://docs.microsoft.com/en-us/azure/virtual-desktop/create-service-principal-role-powershell

I can't seem to find a place in Azure AD to verify (via portal.azure.com) that the "RDS Owner" role is associated, but now that I've run all the powershell from the Create Service Principal Role, I'm able to successfully invoke Get-RdsStartMenuApp (for the app group name I'm using the -AppGroupName 'Desktop Application Group').

labewing commented 5 years ago

Following this walkthrough resulted in not having the error. I believe there's some dependencies on using "Default Tenant Group" as well as a service principal being configured.

https://erjenrijnders.nl/2019/04/04/how-to-deploy-windows-virtual-desktop-in-azure/

This is somewhat conjecture as it's still unclear why a regular user with correct permissions still isn't working.

delradie commented 5 years ago

> @Easton22 the tenant name you need to provide is the tenant name of the WVD tenant. So it can be another one.

In case anyone else makes the same silly mistake I did, take note of this - I'm too used to working with AAD. I'd put the AAD tenant in as the tenantname, not the name of the WVD tenant. Corrected it and it worked

Jorrit05 commented 5 years ago

I was having the same issue: "User is not authorized to query the management service". What worked for me was to go to: Active Directory -> Enterprise Applications -> Windows Virtual Desktop -> Users and groups

In the "Role assigned" column all my users were listed as "TenantCreator", but when actually clicking on the user that role was not assigned. So I assigned the role again and it worked.

By any chance, does anyone know how to assign a user to a second tenant?
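Both tannersatch's and Jorrit05's comments above describe the same trap: the "Users and groups" blade of the Windows Virtual Desktop enterprise application lists a user, but the listing does not prove that the TenantCreator app role is attached to that user's assignment. The following script is an added example by the editor, not code from this thread or from the Microsoft documentation. It uses the AzureAD PowerShell module to read the app role assignments on the enterprise application, check for the TenantCreator role Id specifically, assign it when it is missing, and print every principal that holds it. The account name in $upn and the assumption that the enterprise application is named exactly "Windows Virtual Desktop" are placeholders/assumptions you should adjust.

```powershell
# Added example (editor's, not from the thread or the docs): verify that a user
# really holds the TenantCreator app role on the "Windows Virtual Desktop"
# enterprise application, and assign it if the assignment is missing.
# Assumes the AzureAD module is installed and you can sign in as a directory admin.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$upn = 'tenantcreator@example.com'   # assumption: the account you use with Add-RdsAccount

# The enterprise application is the service principal with this display name.
$sp = Get-AzureADServicePrincipal -Filter "displayName eq 'Windows Virtual Desktop'"
if (-not $sp) { throw 'Windows Virtual Desktop enterprise application not found in this directory.' }

# App roles are defined on the service principal; pick the one named TenantCreator.
$role = $sp.AppRoles | Where-Object { $_.DisplayName -eq 'TenantCreator' }
if (-not $role) { throw "TenantCreator app role not defined on $($sp.DisplayName)." }

$user = Get-AzureADUser -ObjectId $upn

# Existing assignments on the app, filtered to this user AND this role Id.
# Appearing under "Users and groups" is not enough: an assignment whose Id is the
# all-zero GUID is the "Default Access" role, which is what the portal showed
# Jorrit05 as a listed user without the real role attached.
$existing = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true |
    Where-Object { $_.PrincipalId -eq $user.ObjectId -and $_.Id -eq $role.Id }

if ($existing) {
    Write-Output "$upn already holds TenantCreator (assignment $($existing.ObjectId))."
} else {
    # -Id is the app role Id, -ResourceId is the service principal that defines it.
    New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId `
        -ResourceId $sp.ObjectId -Id $role.Id | Out-Null
    Write-Output "Assigned TenantCreator to $upn. Sign in again with Add-RdsAccount to pick it up."
}

# Audit view: every principal that currently holds TenantCreator on this app.
Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true |
    Where-Object { $_.Id -eq $role.Id } |
    Select-Object PrincipalDisplayName, PrincipalType, CreationTimestamp
```

The last query is worth keeping as a periodic check: TenantCreator lets a principal create WVD tenants bound to your directory, so the set of holders should be small and deliberate.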

ericlimlk commented 5 years ago

I faced the same issue and what i found out was the tenant name must not have any special characters like (). Renamed the tenant name, removing the (), solved my problem. Hope this helps you as well.

mkannan22 commented 5 years ago

I am receiving the same error and tried all previous suggested solutions in this thread. Anyone have any other ideas?

Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"

DeploymentUrl                      TenantGroupName      UserName
-------------                      ---------------      --------
https://rdbroker.wvd.microsoft.com Default Tenant Group vdiadmin@example.com

Get-RdsTenant does not return anything.

Remove-RdsTenant
Remove-RdsTenant : User is not authorized to query the management service

Get-RdsDiagnosticActivities -TenantName example.com
Get-RdsDiagnosticActivities : User is not authorized to query the management service.

New-RdsTenant -Name example.com -AadTenantId 111-111-111-111 -AzureSubscriptionId 111-111-111-111
New-RdsTenant : TenantName: 'example.com' already exists.

Can't seem to remove tenantname. User has global admin tenant creator and all possible permissions I can think of. There is no 2-factor enabled. Using Azure Active Directory Domain Services. Got it to work once previously, but never again.

Completely tore down Azure AD DS and removed all associated resources 6 times and tried again without success. Each time the VM has trouble joining the domain as I can't get past the New-RdsTenant command anymore. Error was "VM has reported a failure when processing extension ‘joindomain’"

Tore down AADDS again and tried with a different name such as ad.example.com, added this to the custom domains to ensure it was verified, added a user in Azure AD with this account, gave all permissions, still having domain join issues.

jilguz commented 5 years ago

Hello, I have the same issue. Following the tutorial from Microsoft, I can't create a tenant: New-RdsTenant : User is not authorized to query the management service.

When I try to create a host pool, the deployment fails, and I have the same error in the log at the last step of the process (Resource: dscextension):

{
  "code": "DeploymentFailed",
  "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details.",
  "details": [
    {
      "code": "Conflict",
      "message": {
        "status": "Failed",
        "error": {
          "code": "ResourceDeploymentFailure",
          "message": "The resource operation completed with terminal provisioning state 'Failed'.",
          "details": [
            {
              "code": "VMExtensionProvisioningError",
              "message": "VM has reported a failure when processing extension 'dscextension'. Error message: \"DSC Configuration 'FirstSessionHost' completed with error(s). Following are the first few: PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with error message: User is not authorized to query the management service.
ActivityId: 38a38cc1-15cb-4164-aed6-1e3412febfd2
Powershell commands to diagnose the failure:
Get-RdsDiagnosticActivities -ActivityId 38a38cc1-15cb-4164-aed6-1e3412febfd2
The SendConfigurationApply function did not succeed.\""
            }
          ]
        }
      }
    }
  ]
}

With PowerShell, trying to request the diagnostic activities:

Get-RdsDiagnosticActivities -ActivityId 38a38cc1-15cb-4164-aed6-1e3412febfd2
Get-RdsDiagnosticActivities : User is not authorized to query the management service.

The user is declared as a TenantCreator under the Windows Virtual Desktop application and is a general administrator for my subscription.

Please help! Thanks a lot!

sonydogg commented 5 years ago

I had the same problem until I realized I was following the tutorial documentation exactly. In the service principal creation and role assignment step, the guide gives you a command to create the role assignment for the previously created service principal. The command reuses a variable, $myTenantName, which in the previous command was the Azure AD tenant. But in the context of the New-RdsRoleAssignment command, it wants the Windows Virtual Desktop tenant. So I typed the command manually, inputting the correct tenant, and presto, it worked.

mkannan22 commented 5 years ago

Unfortunately this was tested as well without success. Hoping for some kind of update on Microsoft's end at this point.

medavamshi commented 5 years ago

This works for a service principal.

New-RdsTenant -Name medawvd -AadTenantId XXXXXXXXXXXXXXXXXX -AzureSubscriptionId XXXXXXXXXXXXX

Create a service principal:

Install-Module AzureAD
Import-Module AzureAD
$myTenantGroupName = "Default Tenant Group"
$myTenantName = "medawvd"
$hostpoolname = "medawvdhostpool"

Create the service principal and assign it the role:

$aadContext = Connect-AzureAD
$svcPrincipal = New-AzureADApplication -AvailableToOtherTenants $true -DisplayName "Windows Virtual Desktop Svc Principal"
$svcPrincipalCreds = New-AzureADApplicationPasswordCredential -ObjectId $svcPrincipal.ObjectId
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"
New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -ApplicationId $svcPrincipal.AppId -TenantName $myTenantName

medavamshi commented 5 years ago

I meant role assignment for service principal above.
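sonydogg's and medavamshi's comments above both turn on keeping the two "tenants" apart: the Azure AD directory (a GUID) and the WVD tenant (the -Name you gave New-RdsTenant). The script below is an added example by the editor, not code from the thread or from the Microsoft tutorial; it follows the same cmdlet sequence but names the two values distinctly, fails early if the WVD tenant name does not resolve, and then verifies the RDS Owner assignment by signing in as the new service principal and reading the tenant back. $wvdTenantName is a placeholder you must replace; the script assumes the AzureAD and Microsoft.RDInfra.RDPowerShell modules are installed and that the interactive account already holds RDS Owner on the tenant.

```powershell
# Added example (editor's, not from the thread or the docs): create a service
# principal, grant it RDS Owner on the *WVD* tenant (not the AAD tenant), and
# verify by signing in as that principal. Placeholder values are assumptions.
Import-Module AzureAD
Import-Module Microsoft.RDInfra.RDPowerShell

$wvdTenantName = 'contosowvd'                          # assumption: the -Name passed to New-RdsTenant
$deploymentUrl = 'https://rdbroker.wvd.microsoft.com'

# Two different "tenants": the AAD directory is a GUID, the WVD tenant is a name.
$aadContext  = Connect-AzureAD
$aadTenantId = $aadContext.TenantId.Guid

# Sign in interactively as the tenant admin / RDS Owner first.
Add-RdsAccount -DeploymentUrl $deploymentUrl | Out-Null

# Fail early if the WVD tenant name is wrong; later cmdlets would only report
# "not authorized", which is what sent most people in this thread astray.
$tenant = Get-RdsTenant $wvdTenantName -ErrorAction Stop
if ($tenant.AadTenantId -ne $aadTenantId) {
    throw "WVD tenant '$wvdTenantName' belongs to directory $($tenant.AadTenantId), but you are signed in to $aadTenantId."
}

# Create the application and a client secret. The secret value is only returned
# here; store it in a vault rather than in a script.
$svcPrincipal      = New-AzureADApplication -AvailableToOtherTenants $true -DisplayName 'Windows Virtual Desktop Svc Principal'
$svcPrincipalCreds = New-AzureADApplicationPasswordCredential -ObjectId $svcPrincipal.ObjectId

# Grant RDS Owner on the WVD tenant. Passing the AAD tenant here (sonydogg's
# variable reuse) is the mistake that produces "not authorized".
New-RdsRoleAssignment -RoleDefinitionName 'RDS Owner' -ApplicationId $svcPrincipal.AppId -TenantName $wvdTenantName | Out-Null

# Verify: sign in as the service principal and read the tenant back.
$secret = ConvertTo-SecureString $svcPrincipalCreds.Value -AsPlainText -Force
$creds  = New-Object System.Management.Automation.PSCredential ($svcPrincipal.AppId, $secret)
Add-RdsAccount -DeploymentUrl $deploymentUrl -Credential $creds -ServicePrincipal -AadTenantId $aadTenantId | Out-Null

Get-RdsTenant $wvdTenantName | Select-Object TenantName, AadTenantId, AzureSubscriptionId
```

If the final Get-RdsTenant fails with "not authorized" even though the role assignment succeeded, retry after a short wait: a freshly created application secret can take a moment to become usable for sign-in. RDS Owner is the broadest WVD role; once the principal is only used to add users or register hosts, assign a narrower role such as RDS Contributor instead.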

akdharia commented 5 years ago

Can't get either the service principal or the RdsTenant to be created. Same error described above. Any help will be appreciated.

New-RdsRoleAssignment : User is not authorized to query the management service.
ActivityId: e5a87368-da49-418e-8d3d-b03c80215b86
Powershell commands to diagnose the failure:
Get-RdsDiagnosticActivities -ActivityId e5a87368-da49-418e-8d3d-b03c80215b86
At line:1 char:1

TheAutisticTechie commented 5 years ago

I'm getting the same problems. Set as TenantCreator and Default Access role. Been following this guide: https://docs.microsoft.com/en-us/azure/virtual-desktop/create-service-principal-role-powershell

PS C:\Users\Murphy> Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"

DeploymentUrl                      TenantGroupName      UserName
-------------                      ---------------      --------
https://rdbroker.wvd.microsoft.com Default Tenant Group danny@*****.co.uk

PS C:\Users\Murphy> Get-RdsTenant
Get-RdsTenant : WVD_50002: danny@*****.co.uk not found.
ActivityId: d6631322-68c4-4b94-aaad-f4126c2a405b
Powershell commands to diagnose the failure:
Get-RdsDiagnosticActivities -ActivityId d6631322-68c4-4b94-aaad-f4126c2a405b
At line:1 char:1
+ Get-RdsTenant
+ ~~~~~~~~~~~~~
    + CategoryInfo          : FromStdErr: (Microsoft.RDInf...nt.GetRdsTenant:GetRdsTenant) [Get-RdsTenant], RdsPowerShellException
    + FullyQualifiedErrorId : UserNotFound,Microsoft.RDInfra.RDPowershell.Tenant.GetRdsTenant

Heidilohr commented 5 years ago

Hi, everyone. If you get the "User is not authorized to query the management service" error, I highly recommend checking out our PowerShell troubleshooting documentation or our setup troubleshooting documentation.

Cyclops-Electronics commented 5 years ago

Sounds obvious, but have you checked the tenant name and the host pool name are correct in the PowerShell command? I had the issue and it led me here, I then realised I had typed both incorrectly. It gave me the exact same error - no permissions - really it should have said the tenant name and host pool name did not exist.

Digiroka commented 5 years ago

In my case, MFA has caused this issue. I have an account with RDS Owner (on the RD tenant) and Tenant Creator (on the Enterprise App in AAD) roles assigned, yet I still received the error: "User is not authorized to query the management service" when trying to run Get-RdsDiagnosticActivities. Running with an identical account without MFA applied resolved the issue.

vtvel commented 4 years ago

I had the same issue too, but as soon as I added the user to my newly created tenant I was able to get the tenant details:

New-RdsRoleAssignment -TenantName 'TenantName' -SignInName 'xxxxx@domain.com' -RoleDefinitionName "RDS Owner"

Get-RdsTenant -Name 'TenantName'

kariem2k commented 4 years ago

It worked for me after creating a user with the same @domain.com as the Active Directory (I was using a user with a different @) and giving it TenantCreator.

channyein87 commented 4 years ago

I had the same error, "User is not authorized to query the management service". I fixed it by adding my username as an Owner role on the subscription.

You have to make sure that the user account you are using at Add-RdsAccount has the Owner or Contributor role on the subscription ID that you are going to use in the New-RdsTenant command.
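Several comments in this thread resolve the same error with different checks: sebastianmaas's "sign in, then Get-RdsTenant" validation, delradie's and Cyclops-Electronics's mix-ups of the AAD tenant, WVD tenant and host pool names, and channyein87's subscription role requirement directly above. The script below is an added example by the editor, not code from the thread or from the Microsoft documentation; it runs all of those checks in one pass and reports every mismatch instead of stopping at the first "not authorized". All five values at the top are placeholders you must replace; the script assumes the Az.Accounts, Az.Resources and Microsoft.RDInfra.RDPowerShell modules are installed.

```powershell
# Added example (editor's, not from the thread or the docs): pre-flight checks
# for "User is not authorized to query the management service".
# Every value below is a placeholder assumption; replace with your own.
Import-Module Az.Accounts
Import-Module Az.Resources
Import-Module Microsoft.RDInfra.RDPowerShell

$upn            = 'vdiadmin@example.com'                  # account used with Add-RdsAccount
$subscriptionId = '00000000-0000-0000-0000-000000000000'  # value passed to New-RdsTenant
$wvdTenantName  = 'contosowvd'                            # WVD tenant name, NOT the AAD tenant
$hostPoolName   = 'contosohostpool'
$appGroupName   = 'Desktop Application Group'

$problems = @()

# 1. Azure side: is the account Owner or Contributor on the subscription?
Connect-AzAccount -Subscription $subscriptionId | Out-Null
$aadTenantId = (Get-AzContext).Tenant.Id
$rbac = Get-AzRoleAssignment -SignInName $upn -Scope "/subscriptions/$subscriptionId" |
        Where-Object { $_.RoleDefinitionName -in 'Owner', 'Contributor' }
if (-not $rbac) { $problems += "$upn has neither Owner nor Contributor on subscription $subscriptionId." }

# 2. WVD side: sign in with the same account in this session. Posters above had
#    to sign in again after every role change before the change took effect.
$rds = Add-RdsAccount -DeploymentUrl 'https://rdbroker.wvd.microsoft.com'
if ($rds.UserName -ne $upn) { $problems += "Signed in to WVD as $($rds.UserName), expected $upn." }

# 3. Does the WVD tenant name resolve for this account at all?
$tenants = @(Get-RdsTenant)
if ($tenants.Count -eq 0) {
    $problems += "No WVD tenant is visible to $upn; either none exists or this account has no RDS role on any."
}
$tenant = $tenants | Where-Object { $_.TenantName -eq $wvdTenantName }
if (-not $tenant) {
    $problems += "WVD tenant '$wvdTenantName' not found. Visible tenants: $($tenants.TenantName -join ', ')"
} else {
    # 4. The WVD tenant must point at the directory and subscription you are using.
    if ($tenant.AadTenantId -ne $aadTenantId) {
        $problems += "Tenant AadTenantId $($tenant.AadTenantId) differs from signed-in directory $aadTenantId."
    }
    if ($tenant.AzureSubscriptionId -ne $subscriptionId) {
        $problems += "Tenant AzureSubscriptionId $($tenant.AzureSubscriptionId) differs from $subscriptionId."
    }

    # 5. Host pool and app group names: in this thread a mistyped name came back
    #    as "not authorized" rather than "not found", so check them explicitly.
    $pool = Get-RdsHostPool -TenantName $wvdTenantName | Where-Object { $_.HostPoolName -eq $hostPoolName }
    if (-not $pool) {
        $problems += "Host pool '$hostPoolName' not found in tenant '$wvdTenantName'."
    } elseif (-not (Get-RdsAppGroup -TenantName $wvdTenantName -HostPoolName $hostPoolName |
                    Where-Object { $_.AppGroupName -eq $appGroupName })) {
        $problems += "App group '$appGroupName' not found in host pool '$hostPoolName'."
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { Write-Output 'Pre-flight checks passed.' }
```

Run it in a fresh PowerShell session so that the Add-RdsAccount sign-in reflects the current role assignments. It does not detect the MFA condition that rofldoodle and Digiroka report, since that surfaces at sign-in rather than as a property you can query afterwards.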

jvaught48 commented 4 years ago

Up until yesterday things worked fine for me, then all of a sudden I am getting this "User is not authorized to query the management service" error. I have tried every step in this thread to no avail. My user is Global admin with MFA disabled, RDS Owner, subscription owner, Tenant Creator. I am running Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com" first and signing in successfully. Get-RdsTenant returns nothing and then Get-RdsDiagnosticActivities -TenantName returns the unauthorized access error.

Any new ideas?