Azure Virtual Desktop session Admin Access

Francine Pisano 1 Reputation point
2022-04-14T18:29:22.15+00:00

How do I give a developer admin access to his Azure Virtual Desktop session? He needs to be able to install applications without the UAC coming up asking for the admin access.

Azure Virtual Desktop
A Microsoft desktop and app virtualization service that runs on Azure. Previously known as Windows Virtual Desktop.

1 answer

  1. Prrudram-MSFT 15,851 Reputation points
    2022-04-15T10:36:01.753+00:00

    Hello @Francine Pisano,

    If the VM is AD joined (during deployment) by the below method, then you must configure Azure role assignments for users who are authorized to log in to the VM. With the RBAC role assignment of Virtual Machine Administrator Login, a user can log in to an Azure virtual machine with administrator privileges.
    Check in case the accounts you are using only have "Virtual Machine User Login" – users with this role assigned can log in to an Azure virtual machine with regular user privileges.

    [Image: 193429-image.png]

    When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token. The standard user access token contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs are removed. The standard user access token is used to start apps that do not perform administrative tasks (standard user apps). The standard user access token is then used to display the desktop (explorer.exe). Explorer.exe is the parent process from which all other user-initiated processes inherit their access token. As a result, all apps run as a standard user unless a user provides consent or credentials to approve an app to use a full administrative access token.

    A user that is a member of the Administrators group can log on, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows 10 or Windows 11 automatically prompts the user for approval. This prompt is called an elevation prompt, and its behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy. For more info, see User Account Control security policy settings.

    Please refer to the links below for more details:

    https://learn.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works
    https://learn.microsoft.com/en-us/azure/virtual-desktop/rbac

    Hope this helps!

    Please "Accept as Answer" and Upvote if the answer provided is useful, so that you can help others in the community looking for remediation for similar issues.
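
The token split and elevation prompt policy described in the answer above can be inspected from inside the session. The following is an added example, not part of the original answer or of Microsoft's documentation; the function name `Get-UacSessionState` is hypothetical, and the script only reads state and changes nothing.

```powershell
# Added example (not from the original thread). Read-only; run inside the AVD session.
function Get-UacSessionState {   # hypothetical helper name
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)

    # True only when the Administrators SID is enabled in this process token (elevated).
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami also lists deny-only groups, so BUILTIN\Administrators (S-1-5-32-544)
    # appears here even while the process runs on the filtered standard user token.
    $groups  = whoami /groups /fo csv /nh | ConvertFrom-Csv -Header Name, Type, Sid, Attributes
    $isAdmin = [bool]($groups | Where-Object Sid -eq 'S-1-5-32-544')

    $tokenState = if ($elevated) { 'Full administrator token' }
                  elseif ($isAdmin) { 'Filtered standard user token (elevation prompt applies)' }
                  else { 'Standard user, not a member of Administrators' }

    # Registry values behind the UAC settings in Secpol.msc / Group Policy.
    $key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $key
    $promptText = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }
    $behavior = $policy.ConsentPromptBehaviorAdmin
    $prompt   = if ($null -eq $behavior) { 'Not set' } else { $promptText[[int]$behavior] }

    [pscustomobject]@{
        User                  = $identity.Name
        AdministratorsMember  = $isAdmin
        ProcessElevated       = $elevated
        TokenState            = $tokenState
        UacEnabled            = ($policy.EnableLUA -eq 1)
        AdminPromptBehavior   = $prompt
        PromptOnSecureDesktop = ($policy.PromptOnSecureDesktop -eq 1)
    }
}

Get-UacSessionState | Format-List
```

When `AdministratorsMember` is true and `TokenState` reports the filtered token, the account already has administrator rights and the prompt is the elevation prompt the answer describes, governed by the policy values shown.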