As more of your employees and customers work in virtual desktop environments, Azure Virtual Desktop (AVD for short) remains a key solution for delivering secure, scalable virtual desktops and applications. One aspect of running an AVD deployment well is understanding and using Azure Role-Based Access Control (RBAC for short). In this blog post, we'll walk through the built-in Azure RBAC roles tailored for AVD and explain what each one grants.
Understanding Azure RBAC
Azure RBAC is the authorization system that provides fine-grained access management for Azure resources. It lets you assign roles to users, groups, and service principals at a chosen scope, granting only the permissions needed to perform specific actions. For a deeper understanding of Azure RBAC, refer to the official Microsoft Learn article "What is Azure RBAC?".
Core RBAC Built-in Roles
Azure's general-purpose roles, Owner, Contributor, and Reader, serve as the baseline for resource management:
- Owner: Grants full access to all resources, including the ability to assign roles to others.
- Contributor: Allows management of resources, but not the assignment of roles or management of permissions.
- Reader: Permits viewing of resources without making changes.
However, Azure Virtual Desktop calls for more specialized roles to manage its distinct elements: host pools, application groups, and workspaces. These roles follow the principle of least privilege, giving granular control over administrative tasks.
Azure Virtual Desktop-Specific RBAC Roles
In the following sections, we’ll guide you through the AVD-specific roles.
General AVD RBAC Roles
The Desktop Virtualization Contributor role (ID: 082f0a83-3be5-4ba1-904c-961cca79b387) enables management of AVD resources except for user/group assignments on application groups. To assign users to resources, pair this role with the User Access Administrator role. It does not grant access to compute resources (e.g. the Virtual Machine User Login or Virtual Machine Administrator Login roles).
The Desktop Virtualization Reader role (ID: 49a72310-ab8d-41df-bbb0-79b649203868) allows viewing all AVD resources without making modifications.
The Desktop Virtualization User role (ID: 1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63) enables users to use applications on session hosts from application groups as non-administrative users. This role is assigned automatically on an application group when you add a user or group to that application group.
Service-Specific AVD RBAC Roles
Host Pool Roles
The Desktop Virtualization Host Pool Contributor role (ID: e307426c-f9b6-4e81-87de-d99efb3c32bc) enables management of all aspects of a host pool. This includes actions such as session host management, connection settings, and diagnostic settings.
The Desktop Virtualization Host Pool Reader role (ID: ceadfde2-b300-400a-ab7b-6143895aa822) allows viewing all aspects of a host pool without making changes, which makes it well suited to monitoring and diagnostic purposes.
The Desktop Virtualization Session Host Operator role (ID: 2ad6aaab-ead9-4eaa-8ac5-da422f562408) enables management of existing session hosts, including removing session hosts and changing drain mode, but not adding new hosts.
Application Group Roles
The Desktop Virtualization Application Group Contributor role (ID: 86240b0e-9422-4c43-887b-b61143f32ba8) enables management of all aspects of application groups, except for user/group assignments.
The Desktop Virtualization Application Group Reader role (ID: aebf23d0-b568-4e86-b8f9-fe83a2c6ab55) allows viewing all aspects of application groups without making changes.
Workspace Roles
The Desktop Virtualization Workspace Contributor role (ID: 21efdde3-836f-432b-bf3d-3e8e734d4b2b) enables comprehensive management of workspaces.
The Desktop Virtualization Workspace Reader role (ID: 0fa44ee9-7a7d-466b-9bb2-2bf446b1204d) allows viewing all aspects of workspaces without making changes.
Session Management Roles
The Desktop Virtualization User Session Operator role (ID: ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6) enables management of user sessions including disconnecting and logging off users.
Power Management Roles
To start virtual machines, the Desktop Virtualization Power On Contributor role (ID: 489581de-a3bd-480d-9518-53dea7416b33) is required.
Starting and stopping virtual machines is permitted by the Desktop Virtualization Power On Off Contributor role (ID: 40c5ff49-9181-41f8-ae61-143b0e78555e).
Creating, deleting, updating, and performing power actions on virtual machines is enabled by the Desktop Virtualization Virtual Machine Contributor role (ID: a959dbd1-f747-45e3-8ba6-dd80f235f97c).
Session Host Roles
The Virtual Machine User Login role (ID: fb879df8-f326-4884-b1cf-06f3ad86be52) enables users to log into virtual machines.
The Virtual Machine Administrator Login role (ID: 1c0163c0-47e6-4577-8991-ea5c82e286e4) allows administrators to log into virtual machines with elevated privileges.
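As an added example (not code from the original post), the following Python script audits role assignments exported from Azure, in the shape of `az role assignment list -o json`, against the role catalogue above: it flags Owner/Contributor grants at scopes broader than an individual AVD resource, and AVD-specific roles assigned to a resource type they were not designed for. The Owner and Contributor GUIDs are the well-known built-in values (an assumption, since the post does not list them); the subscription ID, principal names and resource names in the sample are constructed.

```python
import re

# Well-known GUIDs of the broad built-in roles (assumption: not listed in the post)
BROAD_ROLES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24f": "Contributor",
}
# AVD role GUIDs from the post -> (name, AVD resource type the role is designed for)
AVD_ROLES = {
    "082f0a83-3be5-4ba1-904c-961cca79b387": ("Desktop Virtualization Contributor", None),
    "e307426c-f9b6-4e81-87de-d99efb3c32bc": ("Desktop Virtualization Host Pool Contributor", "hostpools"),
    "2ad6aaab-ead9-4eaa-8ac5-da422f562408": ("Desktop Virtualization Session Host Operator", "hostpools"),
    "86240b0e-9422-4c43-887b-b61143f32ba8": ("Desktop Virtualization Application Group Contributor", "applicationgroups"),
    "1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63": ("Desktop Virtualization User", "applicationgroups"),
    "21efdde3-836f-432b-bf3d-3e8e734d4b2b": ("Desktop Virtualization Workspace Contributor", "workspaces"),
}
# Matches a scope that ends at one individual AVD resource (host pool, app group or workspace)
AVD_SCOPE = re.compile(
    r"/providers/Microsoft\.DesktopVirtualization/(hostPools|applicationGroups|workspaces)/[^/]+$", re.I)

def audit(assignments):
    """Return (principal, finding) pairs for assignments that deserve a least-privilege review."""
    findings = []
    for a in assignments:
        guid = a["roleDefinitionId"].rsplit("/", 1)[-1].lower()   # trailing GUID of the definition ID
        scope, m = a["scope"], AVD_SCOPE.search(a["scope"])
        if guid in BROAD_ROLES and m is None:
            findings.append((a["principalName"], f"{BROAD_ROLES[guid]} at broad scope {scope}"))
        elif guid in AVD_ROLES:
            name, expected = AVD_ROLES[guid]
            if expected and (m is None or m.group(1).lower() != expected):
                findings.append((a["principalName"],
                                 f"{name} scoped to {scope}, not an individual {expected} resource"))
    return findings

# Constructed sample in the shape of `az role assignment list -o json` (fields trimmed)
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
DEF = SUB + "/providers/Microsoft.Authorization/roleDefinitions/"
RG = SUB + "/resourceGroups/rg-avd"
SAMPLE = [
    {"principalName": "avd-ops", "roleDefinitionId": DEF + "b24988ac-6180-42a0-ab88-20f7382dd24f", "scope": RG},
    {"principalName": "helpdesk", "roleDefinitionId": DEF + "2ad6aaab-ead9-4eaa-8ac5-da422f562408",
     "scope": RG + "/providers/Microsoft.DesktopVirtualization/hostPools/hp-prod"},
    {"principalName": "app-admins", "roleDefinitionId": DEF + "86240b0e-9422-4c43-887b-b61143f32ba8",
     "scope": RG + "/providers/Microsoft.DesktopVirtualization/workspaces/ws-prod"},
    {"principalName": "finance-users", "roleDefinitionId": DEF + "1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63",
     "scope": RG + "/providers/Microsoft.DesktopVirtualization/applicationGroups/ag-finance"},
]

if __name__ == "__main__":
    for principal, finding in audit(SAMPLE):
        print(f"{principal}: {finding}")
```

On the sample, the Contributor grant on the whole resource group and the Application Group Contributor assignment placed on a workspace are reported; the Session Host Operator on a host pool and the Desktop Virtualization User on an application group pass.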
Storage Account Roles
Storage accounts play a significant role in any Azure deployment, including AVD. Managing storage accounts effectively to store user profiles, application data, and other necessary files ensures data security and operational efficiency.
For detailed guidance on which RBAC roles you need for storage, see the documentation on How to Configure FSLogix with Entra ID Cloud-Only Identities in Azure Virtual Desktop.
Conclusion
Deploying AVD enables organizations to deliver remote desktop experiences and streamline application management. With the array of built-in Azure RBAC roles, administrators can achieve fine-grained control over their AVD environment. Using these roles aligns with best practices for least-privilege access, improving both security and operational effectiveness.
For further details, visit the Built-in Azure RBAC roles for Azure Virtual Desktop page on Microsoft Learn.