Role-based access control (RBAC) helps you manage who has access to your organization's resources and what they can do with those resources. You can assign roles for your Cloud PCs by using the Microsoft Intune admin center.
When a user with the Subscription Owner or User Access Administrator Azure role creates, edits, or retries an ANC, Windows 365 transparently assigns the required built-in roles to the following resources (if they aren't already assigned):
- Azure Subscription
- Resource group
- Virtual network associated with the ANC
If you only have the Subscription Reader role, these assignments aren't automatic. Instead, you must manually assign the required built-in roles to the Windows 365 first-party app (the service principal that Windows 365 uses in your subscription) in Azure.
For more information, see Role-based access control (RBAC) with Microsoft Intune.
Windows 365 Administrator role
Windows 365 supports the Windows 365 Administrator role, available for role assignment through the Microsoft 365 admin center and Microsoft Entra ID. With this role, you can manage Windows 365 Cloud PCs for both Enterprise and Business editions. The Windows 365 Administrator role is more narrowly scoped than broader Microsoft Entra roles such as Global Administrator, so prefer it for day-to-day Cloud PC management. For more information, see Microsoft Entra built-in roles.
Cloud PC built-in roles
The following built-in roles are available for Cloud PC:
Cloud PC Administrator
Manages all aspects of Cloud PCs, like:
- OS image management
- Azure network connection configuration
- Provisioning
Cloud PC Reader
Views Cloud PC data available in the Windows 365 node in Microsoft Intune, but can’t make changes.
Windows 365 Network Interface Contributor
The Windows 365 Network Interface Contributor role is assigned on the resource group associated with the Azure network connection (ANC). This role allows the Windows 365 service to create the NIC, join it, and manage deployments in the resource group. The role is the collection of the minimum permissions required to operate Windows 365 when using an ANC.
Actions:
- Microsoft.Resources/subscriptions/resourcegroups/read
- Microsoft.Resources/deployments/read
- Microsoft.Resources/deployments/write
- Microsoft.Resources/deployments/delete
- Microsoft.Resources/deployments/operations/read
- Microsoft.Resources/deployments/operationstatuses/read
- Microsoft.Network/locations/operations/read
- Microsoft.Network/locations/operationResults/read
- Microsoft.Network/locations/usages/read
- Microsoft.Network/networkInterfaces/write
- Microsoft.Network/networkInterfaces/read
- Microsoft.Network/networkInterfaces/delete
- Microsoft.Network/networkInterfaces/join/action
- Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action
- Microsoft.Network/networkInterfaces/effectiveRouteTable/action

NotActions: none. DataActions: none. NotDataActions: none.
Windows 365 Network User
The Windows 365 Network User role is assigned on the virtual network associated with the ANC. This role allows the Windows 365 service to join the NIC to a subnet of the virtual network. The role is the collection of the minimum permissions required to operate Windows 365 when using an ANC.
Actions:
- Microsoft.Network/virtualNetworks/read
- Microsoft.Network/virtualNetworks/subnets/read
- Microsoft.Network/virtualNetworks/usages/read
- Microsoft.Network/virtualNetworks/subnets/join/action

NotActions: none. DataActions: none. NotDataActions: none.
Custom roles
You can create custom roles for Windows 365 in Microsoft Intune admin center. For more information, see Create a custom role.
The following permissions are available when creating custom roles.
| Permission | Description |
|---|---|
| ActionStatus/Read | Read the Cloud PC Action Status reports. |
| AdminHighlights/Operate | Retrieve the actions taken to manage admin highlights and the properties of admin highlights. |
| AuditData/Read | Read the audit logs of Cloud PC resources in your tenant. |
| Azure Network Connections/Create | Create an on-premises connection for provisioning Cloud PCs. Subscription owner or user access administrator Azure role is also required to create an on-premises connection. |
| Azure Network Connections/Delete | Delete a specific on-premises connection. Reminder: You can't delete a connection in use. Subscription owner or user access administrator Azure role is also required to delete an on-premises connection. |
| Azure Network Connections/Read | Read the properties of on-premises connections. |
| Azure Network Connections/RunHealthChecks | Run health checks on a specific on-premises connection. Subscription owner or user access administrator Azure role is also required to run health checks. |
| Azure Network Connections/Update | Update the properties of a specific on-premises connection. Subscription owner or user access administrator Azure role is also required to update an on-premises connection. |
| Azure Network Connections/UpdateAdDomainPassword | Update Active Directory domain password of a specific on-premises connection. |
| BulkActions/Read | Read the properties of Cloud PC Bulk Actions. |
| BulkActions/Write | Create a new Cloud PC bulk action. |
| CloudApps/Create | Create a new cloud app. |
| CloudApps/Delete | Delete a cloud app. |
| CloudApps/Publish | Publish a cloud app. |
| CloudApps/Read | Read the properties of a cloud app or a discovered app. |
| CloudApps/Reset | Reset a cloud app. |
| CloudApps/Unpublish | Unpublish a cloud app. |
| CloudApps/Update | Update the properties of a cloud app. |
| CloudPCs/ChangeUserAccountType | Change user account type between local administrator and standard user of a Cloud PC in your tenant. |
| CloudPCs/CheckAgentStatus | Trigger agent status checks for Cloud PCs in your tenant. |
| CloudPCs/CreateSnapshot | Manually create snapshot for Cloud PCs in your tenant. |
| CloudPCs/Deprovision | Deprovision Cloud PCs in your tenant. |
| CloudPCs/DisasterRecoveryFailback | Deactivate cross region disaster recovery for Cloud PCs in your tenant. |
| CloudPCs/DisasterRecoveryFailover | Activate cross region disaster recovery for Cloud PCs in your tenant. |
| CloudPCs/EndGracePeriod | End grace period for Cloud PCs in your tenant. |
| CloudPCs/GetCloudPcLaunchInfo | Get CloudPC Launch information in your tenant. |
| CloudPCs/ModifyDiskEncryptionType | Modify Cloud PCs disk encryption type in your tenant. |
| CloudPCs/PlaceUnderReview | Set Cloud PCs under review in your tenant. |
| CloudPCs/PowerOff | Power off Cloud PCs in your tenant. |
| CloudPCs/PowerOn | Power on Cloud PCs in your tenant. |
| CloudPCs/Provision | Provision Cloud PCs in your tenant. |
| CloudPCs/Read | Read the properties of Cloud PCs in your tenant. |
| CloudPCs/Reboot | Reboot Cloud PCs in your tenant. |
| CloudPCs/ReinstallAgent | Reinstall agent for Cloud PCs in your tenant. |
| CloudPCs/Rename | Rename Cloud PCs in your tenant. |
| CloudPCs/Reprovision | Reprovision Cloud PCs in your tenant. |
| CloudPCs/Resize | Resize Cloud PCs in your tenant. |
| CloudPCs/Restore | Restore Cloud PCs in your tenant. |
| CloudPCs/RetrieveAgentStatus | Retrieve agent status for Cloud PCs in your tenant. |
| CloudPCs/RetryPartnerAgentInstallation | Retry the installation of third-party partner agents that failed to install on a Cloud PC. |
| CloudPCs/SetDeviceName | Set the actual device name of Cloud PCs in your tenant. |
| CloudPCs/Start | Start Cloud PCs in your tenant. |
| CloudPCs/Stop | Stop Cloud PCs in your tenant. |
| CloudPCs/Troubleshoot | Troubleshoot Cloud PCs in your tenant. |
| CloudPCUserSettingsPersistence/Delete | Delete the saved user storage linked to a Cloud PC’s provisioning policy. |
| CloudPCUserSettingsPersistence/Read | Read the Cloud PC user experience sync storage, including total and used storage, and individual user storage allocations. |
| CloudPCUserSettingsPersistence/Update | Update the Cloud PC user experience sync configuration, including auto cleanup settings and dynamic sizing. |
| CrossRegionDisasterRecovery/Read | Read the Windows 365 Cloud PC Cross Region Disaster Recovery reports. |
| Device Images/Create | Upload a custom OS image that you can later provision on Cloud PCs. |
| Device Images/Delete | Delete an OS image from Cloud PC. |
| Device Images/Read | Read the properties of Cloud PC device images. |
| Device Images/Update | Updates the properties of a Cloud PC device image. Currently, only the scopeIds property can be modified using the PATCH method. |
| DeviceRecommendation/Read | Read CloudPCs device recommendation related reports. |
| External Partner Settings/Create | Create a new Cloud PC external partner setting. |
| External Partner Settings/Read | Read the properties of a Cloud PC external partner setting. |
| External Partner Settings/Update | Update the properties of a Cloud PC external partner setting. |
| FrontLineServicePlans/Read | Read the properties of Cloud PC Front Line Service Plans. |
| FrontlineReports/Read | Read the Windows 365 Cloud PC Frontline reports. |
| InaccessibleReports/Read | Read the inaccessible Cloud PCs reports. |
| MaintenanceWindows/Assign | Assign a Cloud PC maintenance window to user groups. |
| MaintenanceWindows/Create | Create a new Cloud PC maintenance window. |
| MaintenanceWindows/Delete | Delete a Cloud PC maintenance window. You can't delete a maintenance window that's in use. |
| MaintenanceWindows/Read | Read the properties of a Cloud PC maintenance window. |
| MaintenanceWindows/Update | Update the properties of a Cloud PC maintenance window. |
| ManagedLicenses/Read | Read the properties of the Windows 365 managed service plans. |
| Organization Settings/Read | Read the properties of Cloud PC organization settings. |
| Organization Settings/Update | Update the properties of Cloud PC organization settings. |
| PerformanceReports/Read | Read the Windows 365 Cloud PC remote connections related reports. |
| Provisioning Policies/Apply | Apply current provisioning policy config to Cloud PCs in your tenant. |
| Provisioning Policies/Assign | Assign a Cloud PC provisioning policy to user groups. |
| Provisioning Policies/Create | Create a new Cloud PC provisioning policy. |
| Provisioning Policies/Delete | Delete a Cloud PC provisioning policy. You can't delete a policy that's in use. |
| Provisioning Policies/Read | Read the properties of a Cloud PC provisioning policy. |
| Provisioning Policies/Retry | Retry the provisioning operation for Cloud PCs that failed. |
| Provisioning Policies/Update | Update the properties of a Cloud PC provisioning policy. |
| Provisioning Policies (Agents)/Create | Create a new Cloud PC pool. |
| Provisioning Policies (Agents)/Delete | Delete a Cloud PC pool. |
| Provisioning Policies (Agents)/Read | Read the properties of a Cloud PC pool. |
| Provisioning Policies (Agents)/Update | Update the properties of a Cloud PC pool. |
| Role Assignments/Create | Create a new Cloud PC role assignment. |
| Role Assignments/Delete | Delete a specific Cloud PC role assignment. |
| Role Assignments/Update | Update the properties of a specific Cloud PC role assignment. |
| Roles/Create | Create a Cloud PC role. |
| Roles/Delete | Delete a Cloud PC role. |
| Roles/Read | View the permissions, role definitions, and role assignments of Cloud PC roles. |
| Roles/Update | Update a Cloud PC role. |
| ServicePlan/Read | Read the service plans of Cloud PC. |
| Settings/Assign | Assign a Cloud PC settings profile to Entra groups. |
| Settings/Create | Create a new Cloud PC settings profile. |
| Settings/Delete | Delete a Cloud PC settings profile. |
| Settings/Read | Read the properties of a Cloud PC settings profile. |
| Settings/Update | Update the properties of a Cloud PC settings profile. |
| SharedUseLicenseUsageReports/Read | Read the Windows 365 Cloud PC Shared use license usage related reports. |
| SharedUseServicePlans/Read | Read the properties of Cloud PC Shared Use Service Plans. |
| Snapshot/Import | Import a snapshot taken from an Azure virtual machine. |
| Snapshot/PurgeImportedSnapshot | Delete the customer imported snapshots for Cloud PC provisioning. Note that having this permission only allows deleting imported snapshots. |
| Snapshot/Read | Read the Snapshot of Cloud PC. |
| Snapshot/Share | Share the Snapshot of Cloud PC. |
| Supported Region/Read | Read the supported regions of Cloud PC. |
| User Settings/Assign | Assign a Cloud PC user setting to user groups. |
| User Settings/Create | Create a new Cloud PC user setting. |
| User Settings/Delete | Delete a Cloud PC user setting. |
| User Settings/Read | Read the properties of a Cloud PC user setting. |
| User Settings/Update | Update the properties of a Cloud PC user setting. |
| Webhooks/Create | Create a webhook subscription for Microsoft Power Platform. |
| Webhooks/Delete | Delete a webhook subscription for Microsoft Power Platform. |
To create a provisioning policy, an admin needs the following permissions:
- Provisioning Policies/Read
- Provisioning Policies/Create
- Azure Network Connections/Read
- Supported Region/Read
- Device Images/Read
Migrating existing permissions
For ANCs created before November 26, 2023, the Network Contributor role was used on both the resource group and the virtual network. To move to the new RBAC roles, retry the ANC health check. The retry assigns the updated roles but doesn't remove the existing Network Contributor assignments; you must remove those manually.
The following table lists the role used on each Azure resource before and after the change. Before removing an existing role, make sure that the updated role is already assigned on that resource, so the Windows 365 service never loses access during the migration.
| Azure resource | Existing role (before November 26, 2023) | Updated role (after November 26, 2023) |
|---|---|---|
| Resource group | Network Contributor | Windows 365 Network Interface Contributor |
| Virtual network | Network Contributor | Windows 365 Network User |
| Subscription | Reader | Reader |
For more details about removing a role assignment from an Azure resource, see Remove Azure role assignments.
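The following Python script is an added example, not code from the Windows 365 documentation or from the Windows 365 service. It serves both the manual-assignment case described under the Subscription Reader role above and the migration table: it takes the JSON array that `az role assignment list --all --output json` returns, computes the roles effective for the Windows 365 service principal on the subscription, resource group and virtual network of one ANC (honouring Azure RBAC inheritance down the scope hierarchy), reports which documented role is missing on each resource, and produces Azure CLI commands that add the updated roles before deleting any legacy Network Contributor assignment. The principal object ID, subscription ID, resource names and the sample assignments are constructed placeholders; only the principalId, roleDefinitionName and scope fields of the CLI output are assumed.

```python
"""Audit the Azure RBAC assignments Windows 365 needs on one ANC's resources.

Added example, not code from the Windows 365 documentation or service.
Input is the JSON array that `az role assignment list --all --output json`
returns; only principalId, roleDefinitionName and scope are used. The
principal ID, resource IDs and assignments below are constructed placeholders.
"""

# Roles the service needs per resource for ANCs after November 26, 2023.
REQUIRED_ROLES = {
    "subscription": "Reader",
    "resourceGroup": "Windows 365 Network Interface Contributor",
    "virtualNetwork": "Windows 365 Network User",
}
# Role used on the resource group and virtual network before that date.
LEGACY_ROLE = "Network Contributor"


def applies_to(assignment_scope, resource_scope):
    """True if an assignment made at assignment_scope is effective on resource_scope.

    Azure RBAC inherits down the hierarchy, so a role assigned on the
    subscription or resource group is also effective on the virtual network.
    """
    a = assignment_scope.lower().rstrip("/")
    r = resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def audit_anc(assignments, principal_id, anc_scopes):
    """Compare the principal's effective roles on each ANC resource with the documented ones.

    anc_scopes maps "subscription", "resourceGroup" and "virtualNetwork" to Azure
    resource IDs. The returned action never removes the legacy role from a resource
    until the updated role is effective there.
    """
    findings = {}
    for rtype, scope in anc_scopes.items():
        effective = {
            (a["roleDefinitionName"], a["scope"].lower())
            for a in assignments
            if a["principalId"] == principal_id and applies_to(a["scope"], scope)
        }
        names = {name for name, _ in effective}
        required = REQUIRED_ROLES[rtype]
        # Only a legacy assignment made directly on this resource is removed here;
        # one inherited from the resource group is reported on the resource group.
        legacy_here = (LEGACY_ROLE, scope.lower()) in effective
        if required in names:
            action = "remove-legacy" if legacy_here else "ok"
        else:
            action = "assign-then-remove-legacy" if legacy_here else "assign"
        findings[rtype] = {"effective": sorted(names), "required": required, "action": action}
    return findings


def remediation_commands(findings, principal_id, anc_scopes):
    """Azure CLI commands that reach the documented state: all assignments first, removals last."""
    creates, deletes = [], []
    for rtype, f in findings.items():
        scope = anc_scopes[rtype]
        if f["action"].startswith("assign"):
            creates.append(
                f"az role assignment create --assignee-object-id {principal_id} "
                f"--assignee-principal-type ServicePrincipal "
                f"--role \"{f['required']}\" --scope {scope}"
            )
        if f["action"].endswith("remove-legacy"):
            deletes.append(
                f"az role assignment delete --assignee {principal_id} "
                f"--role \"{LEGACY_ROLE}\" --scope {scope}"
            )
    return creates + deletes


# Constructed placeholders: the Windows 365 service principal's object ID and one ANC.
W365_PRINCIPAL = "00000000-0000-0000-0000-000000000001"
SUB = "/subscriptions/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
RG = SUB + "/resourceGroups/rg-anc-westeurope"
VNET = RG + "/providers/Microsoft.Network/virtualNetworks/vnet-cloudpc"
ANC_SCOPES = {"subscription": SUB, "resourceGroup": RG, "virtualNetwork": VNET}

# Constructed `az role assignment list` output for an ANC created before
# November 26, 2023, where a health-check retry has so far only added the
# updated role on the resource group.
SAMPLE_ASSIGNMENTS = [
    {"principalId": W365_PRINCIPAL, "roleDefinitionName": "Reader", "scope": SUB},
    {"principalId": W365_PRINCIPAL, "roleDefinitionName": LEGACY_ROLE, "scope": RG},
    {"principalId": W365_PRINCIPAL, "roleDefinitionName": REQUIRED_ROLES["resourceGroup"], "scope": RG},
    {"principalId": W365_PRINCIPAL, "roleDefinitionName": LEGACY_ROLE, "scope": VNET},
    # An unrelated human admin; must not count toward the service's roles.
    {"principalId": "00000000-0000-0000-0000-000000000002", "roleDefinitionName": "Owner", "scope": SUB},
]

if __name__ == "__main__":
    result = audit_anc(SAMPLE_ASSIGNMENTS, W365_PRINCIPAL, ANC_SCOPES)
    for rtype, f in result.items():
        print(f"{rtype}: {f['action']} (effective: {', '.join(f['effective'])})")
    for cmd in remediation_commands(result, W365_PRINCIPAL, ANC_SCOPES):
        print(cmd)
```

For the constructed input the script reports the subscription as compliant, tells you to remove Network Contributor from the resource group (the updated role is already there), and for the virtual network emits the create command for Windows 365 Network User before the delete command, so the service keeps a working role throughout. Run it against real output by replacing SAMPLE_ASSIGNMENTS with the parsed CLI JSON and W365_PRINCIPAL with the object ID of the Windows 365 service principal in your tenant; review the generated commands before running them.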
Scope tags
For RBAC, roles are only part of the equation. While roles work well to define a set of permissions, scope tags help define visibility of your organization’s resources. Scope tags are most helpful when organizing your tenant to have users scoped to certain hierarchies, geographical regions, business units, and so on.
Use Intune to create and manage scope tags. For more information on how scope tags are created and managed, see Use role-based access control (RBAC) and scope tags for distributed IT.
In Windows 365, scope tags can be applied to the following resources:
- Provisioning policies
- Azure network connections (ANC)
- Cloud PCs
- Custom images
- Windows 365 RBAC role assignments
To make sure that both the Intune-owned All devices list and Windows 365-owned All Cloud PCs list show the same Cloud PCs based on scope, follow these steps after creating your scope tags and provisioning policy:
- Create a Microsoft Entra ID dynamic device group with a membership rule where enrollmentProfileName equals the exact name of the provisioning policy you created.
- Assign the scope tag you created to the dynamic device group.
- After a Cloud PC is provisioned and enrolled in Intune, both the All devices list and the All Cloud PCs list display the same Cloud PCs.
If you add new scope tags to a provisioning policy, make sure you also add the scope tags to the Intune dynamic group. This addition makes sure the dynamic group honors the new scope tags. Also, check on any Cloud PCs that may have unique scope tags added to them to make sure they're still there after any updates.
To make sure that Windows 365 can honor changes to Intune scope tags, this data is synced from Intune. For more information, see Privacy, customer data, and customer content in Windows 365.
To let scoped administrators view which scope tags are assigned to them and the objects within their scope, they must be assigned one of the following roles:
- Intune read only
- Cloud PC reader/administrator
- A custom role with similar permissions.
Next steps
Role-based access control (RBAC) with Microsoft Intune.