As we know, Service Provider Foundation (SPF) is the API of VMM. SPF is a web service that can execute tasks against a VMM server, and WAP just connects to SPF to communicate with VMM, so we have the communication path VMM<->SPF<->WAP. SPF and WAP both have service accounts they use, but when a Tenant initiates an action through the WAP portal, that action is forwarded to SPF and SPF executes the action in the name of the Tenant by impersonating the account. I will not go into details, but this is basically done through the creation of Tenant Administrator Roles and adding claim-based identities from WAP as members of the role. As a result, when a VM is created through the WAP Portal using a Tenant Account, the Owner and the User Role of that VM in VMM will be the claim-based identity and the Tenant Administrator role that are associated with this Tenant Account.
With this in mind, let's imagine that we have a VM for which we want to change the Owner and the Tenant Role. Maybe this VM was associated with one Tenant in WAP and we want to move it to another one in WAP, or we've just created a VM manually in VMM and we want to associate that VM with a Tenant in WAP.
Where is the issue?
The issue is that if we use a VMM cmdlet like this one to change the owner:
Get-SCVirtualMachine -Name VM1 | Set-SCVirtualMachine -Owner firstname.lastname@example.org
We will get an error similar to this:
Set-SCVirtualMachine: The specified owner is not a valid Active Directory Domain Services account.
This is because there is no user email@example.com in the AD that VMM is joined to, and the cmdlet checks that before adding it as owner of the machine. The GUI will also not allow you to assign anything other than an AD user.
This seems right, but when VMs are created through WAP their owners are identities that exist in WAP and not in AD, and such owners are assigned to VMs from WAP without issues.
So how do WAP and SPF do it?
Actually SPF does it, and WAP just tells SPF to do it. When SPF talks to VMM, SPF uses parameters like -ForOnBehalfOf, -OnBehalfOfUser and -OnBehalfOfUserRole. With these parameters SPF is able to execute actions on behalf of users and roles.
So let's take the example with the owner above and see how to change it with the power of PowerShell and these parameters.
First we need to start VMM PowerShell and connect to the VMM server like this:
Get-SCVMMServer -ComputerName vmmserver.contoso.com -ForOnBehalfOf
Then, since when you change the Owner you will probably also want to change the User Role of that VM, you need to get the new User Role and put it in a variable like this:
$role = Get-SCUserRole -Name Tenant256
After that, through the regular SCVMM cmdlet, you can assign the new User Role to the VM in question:
Get-SCVirtualMachine -Name VM1 | Set-SCVirtualMachine -UserRole $role
Now that you have the new User Role assigned, you will want to assign the Owner to that VM on behalf of that User Role:
Get-SCVirtualMachine -Name VM1 | Set-SCVirtualMachine -Owner firstname.lastname@example.org -OnBehalfOfUserRole $role -OnBehalfOfUser $role
And voilà, the new owner is assigned successfully:
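The whole procedure above, put together as one script with existence checks and a read-back of the result, as an added example that is not part of the original post. The server name, VM name, role name and owner identity are placeholders taken from the post's own examples; the post passes $role to both OnBehalfOf parameters, and since -OnBehalfOfUser takes a string, the script passes the role's Name explicitly (an assumption about what VMM expects, not something the post states).

```powershell
# Added example (not the original post's code): move a VM to a new tenant
# User Role and set a WAP (non-AD) owner on behalf of that role.
# Assumptions: placeholder server/VM/role/owner values below; the VMM
# PowerShell module is installed on the machine running this script.
param(
    [string]$VMMServer = 'vmmserver.contoso.com',
    [string]$VMName    = 'VM1',
    [string]$RoleName  = 'Tenant256',
    [string]$NewOwner  = 'firstname.lastname@example.org'
)

Import-Module virtualmachinemanager -ErrorAction Stop

# Connect with -ForOnBehalfOf so the session accepts the OnBehalfOf* parameters.
$null = Get-SCVMMServer -ComputerName $VMMServer -ForOnBehalfOf

# Resolve the target User Role first; fail early rather than change nothing.
$role = Get-SCUserRole -Name $RoleName
if (-not $role) { throw "User role '$RoleName' not found on $VMMServer" }

$vm = Get-SCVirtualMachine -Name $VMName
if (-not $vm) { throw "VM '$VMName' not found on $VMMServer" }

# Record the current assignment so the change can be reviewed or reverted.
$before = [pscustomobject]@{ Owner = $vm.Owner; UserRole = $vm.UserRole.Name }
Write-Verbose ("Before: owner={0} role={1}" -f $before.Owner, $before.UserRole)

# Step 1: move the VM into the new tenant User Role (regular cmdlet, no
# on-behalf parameters needed).
$vm = Set-SCVirtualMachine -VM $vm -UserRole $role

# Step 2: set the owner on behalf of that role. This is what lets a WAP
# claim-based identity pass the owner check that would otherwise fail
# with "not a valid Active Directory Domain Services account".
# Assumption: -OnBehalfOfUser (a string parameter) is given the role's Name.
$vm = Set-SCVirtualMachine -VM $vm -Owner $NewOwner `
        -OnBehalfOfUserRole $role -OnBehalfOfUser $role.Name

# Step 3: read the VM back and compare, so the script reports the actual
# end state instead of assuming the cmdlets succeeded.
$after = Get-SCVirtualMachine -Name $VMName
[pscustomobject]@{
    VM           = $VMName
    OwnerBefore  = $before.Owner
    OwnerAfter   = $after.Owner
    RoleBefore   = $before.UserRole
    RoleAfter    = $after.UserRole.Name
    OwnerUpdated = ($after.Owner -eq $NewOwner)
    RoleUpdated  = ($after.UserRole.Name -eq $RoleName)
}
```

Run it from a VMM PowerShell session with -Verbose to see the before state; the returned object shows whether both the Owner and the User Role actually changed, which is worth keeping alongside the change request since the VMM GUI will not let you make this assignment and the audit trail otherwise ends at the cmdlet call.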
If you are using WAP and you are moving a virtual machine from one Tenant to another Tenant, you may also want to check this link.
This was a little deep dive into the world of VMM, SPF and WAP, and I hope it will help you understand these products better.