What are the RBAC roles required for access to Azure Virtual Desktop (AVD)?

In today’s post, I will discuss how Azure Virtual Desktop utilizes Azure role-based access controls (RBAC) to assign roles to both users and administrators, granting specific permissions for designated tasks.


The standard built-in roles in Azure include Owner, Contributor, and Reader. However, Azure Virtual Desktop introduces additional roles to segregate management responsibilities for host pools, app groups, and workspaces.

These roles are modeled on Azure’s standard roles and follow the least-privilege methodology. Although Azure Virtual Desktop has no Owner role of its own, the standard Owner role can be used for the service objects.

The following are the roles specific to Azure Virtual Desktop:

1. Desktop Virtualization Contributor role: Enables comprehensive management of the deployment, excluding access to compute resources. Additionally, the User Access Administrator role is required to publish app groups to users or user groups.

2. Desktop Virtualization Reader role: Permits viewing all aspects of the deployment without the ability to make changes.

3. Host Pool Contributor role: Empowers management of all aspects of host pools, including resource access. To create the virtual machines, an additional contributor role, Virtual Machine Contributor, is necessary. Creating a host pool using the portal requires AppGroup and Workspace contributor roles or the Desktop Virtualization Contributor role.

4. Host Pool Reader role: Grants the ability to view all aspects of the host pool without the ability to make changes.

5. Application Group Contributor role: Allows management of all aspects of app groups. To publish app groups to users or user groups, the User Access Administrator role is required.

6. Application Group Reader role: Provides the capability to view all elements within the app group without the ability to make changes.

7. Workspace Contributor role: Facilitates management of all aspects of workspaces. Additionally, to access information on applications added to app groups, the Application Group Reader role must be assigned.

8. Workspace Reader role: Permits viewing all aspects of the workspace without the ability to make changes.

9. User Session Operator role: Enables sending messages, disconnecting sessions, and utilizing the “logoff” function to sign sessions out of the session host. However, it does not allow performing session host management tasks such as removing session hosts or changing drain mode. It is recommended to assign this role to specific host pools. Assigning this permission at the resource group level grants read permission on all host pools under that resource group.

10. Session Host Contributor role: Allows viewing and removing session hosts, and changing drain mode. Adding session hosts through the Azure portal is restricted due to the lack of write permission for host pool objects. However, if the registration token is valid, this role permits adding session hosts to the host pool outside the Azure portal, provided the admin possesses compute permissions through the Virtual Machine Contributor role.
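The list above pairs several roles with a companion role and recommends host pool scope for the User Session Operator. The following check is an added example, not code from this post or from Microsoft: it reads role assignments shaped like the output of `az role assignment list --all -o json` and reports the gaps. The principals, subscription ID and resource names are constructed, the optional "Desktop Virtualization " prefix on role names is an assumption about how Azure lists them, and matching is by role name only, ignoring where the companion role is scoped.

```python
PREFIX = "Desktop Virtualization "
# Companion role the post names for each AVD role, and the task it unlocks.
COMPANIONS = {
    "Desktop Virtualization Contributor": ("User Access Administrator", "publish app groups"),
    "Application Group Contributor": ("User Access Administrator", "publish app groups"),
    "Host Pool Contributor": ("Virtual Machine Contributor", "create virtual machines"),
    "Session Host Contributor": ("Virtual Machine Contributor", "add session hosts outside the portal"),
    "Workspace Contributor": ("Application Group Reader", "see apps in app groups"),
}
HOST_POOL = "/providers/microsoft.desktopvirtualization/hostpools/"

def short(role):
    """Drop an optional 'Desktop Virtualization ' prefix (assumed listing format)."""
    rest = role[len(PREFIX):] if role.startswith(PREFIX) else role
    return role if rest in ("Contributor", "Reader") else rest

def audit(assignments):
    """Return sorted (principal, finding) pairs for a list of role assignments."""
    held = {}
    for a in assignments:
        held.setdefault(a["principalName"], set()).add(short(a["roleDefinitionName"]))
    findings = set()
    for a in assignments:
        who, role = a["principalName"], short(a["roleDefinitionName"])
        need, task = COMPANIONS.get(role, (None, None))
        if need and need not in held[who]:
            findings.add((who, f"{role} lacks {need}: cannot {task}"))
        if role == "User Session Operator" and HOST_POOL not in a["scope"].lower():
            findings.add((who, "User Session Operator assigned above host pool scope"))
    return sorted(findings)

# Constructed sample assignments (principal, role, scope); all values are placeholders.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-avd"
POOL = RG + "/providers/Microsoft.DesktopVirtualization/hostPools/hp-01"
SAMPLE = [dict(zip(("principalName", "roleDefinitionName", "scope"), row)) for row in [
    ("helpdesk@example.com", "Desktop Virtualization User Session Operator", RG),
    ("helpdesk2@example.com", "User Session Operator", POOL),
    ("appadmin@example.com", "Application Group Contributor", RG),
    ("pooladmin@example.com", "Host Pool Contributor", POOL),
    ("pooladmin@example.com", "Virtual Machine Contributor", RG),
    ("wsadmin@example.com", "Workspace Contributor", RG),
]]

if __name__ == "__main__":
    for principal, finding in audit(SAMPLE):
        print(f"{principal}: {finding}")
```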

That’s all for today. I wish you a great day ahead.
