Delegated access in Azure Virtual Desktop
This content applies to Azure Virtual Desktop with Azure Resource Manager Azure Virtual Desktop objects. If you're using Azure Virtual Desktop (classic) without Azure Resource Manager objects, see this article.
Azure Virtual Desktop has a delegated access model that lets you define the amount of access a particular user is allowed to have by assigning them a role. A role assignment has three components: security principal, role definition, and scope. The Azure Virtual Desktop delegated access model is based on the Azure RBAC model. To learn more about specific role assignments and their components, see the Azure role-based access control overview.
Azure Virtual Desktop delegated access supports the following values for each element of the role assignment:
- Security principal
  - User groups
  - Service principals
- Role definition
  - Built-in roles
  - Custom roles
- Scope
  - Host pools
  - App groups
PowerShell cmdlets for role assignments
Before you start, make sure to follow the instructions in Set up the PowerShell module to set up the Azure Virtual Desktop PowerShell module if you haven't already.
Azure Virtual Desktop uses Azure role-based access control (Azure RBAC) while publishing app groups to users or user groups. The Desktop Virtualization User role is assigned to the user or user group and the scope is the app group. This role gives the user special data access on the app group.
Run the following cmdlet to add Azure Active Directory users to an app group:
New-AzRoleAssignment -SignInName <userupn> -RoleDefinitionName "Desktop Virtualization User" -ResourceName <appgroupname> -ResourceGroupName <resourcegroupname> -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups'
Run the following cmdlet to add an Azure Active Directory user group to an app group:
New-AzRoleAssignment -ObjectId <usergroupobjectid> -RoleDefinitionName "Desktop Virtualization User" -ResourceName <appgroupname> -ResourceGroupName <resourcegroupname> -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups'
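The two cmdlets above make one assignment each. The script below is an added example, not part of this article or of the Az module documentation: it resolves an app group to its resource ID and uses that ID as the scope, assigns the built-in Desktop Virtualization User role to an Azure Active Directory group (so group membership, not individual role assignments, controls who gets the published apps), skips the assignment if it already exists, and then lists every principal holding that role on the app group for a least-privilege review. The resource group, app group and group names are placeholders; the cmdlets (Get-AzWvdApplicationGroup, Get-AzADGroup, Get-AzRoleAssignment, New-AzRoleAssignment) are real Az cmdlets.

```powershell
# Added example (not from the article): assign "Desktop Virtualization User"
# at app-group scope to an Azure AD group, then audit who holds the role.
# Requires the Az.Accounts, Az.Resources and Az.DesktopVirtualization modules.

$resourceGroupName = 'rg-avd-example'       # placeholder resource group
$appGroupName      = 'ag-finance-desktop'   # placeholder app group
$groupDisplayName  = 'AVD-Finance-Users'    # placeholder Azure AD group
$roleName          = 'Desktop Virtualization User'

Connect-AzAccount | Out-Null

# Resolve the app group and use its resource ID as the scope. Scoping the
# assignment to the app group itself, rather than the resource group or the
# subscription, keeps the grant to exactly the apps the group should see.
$appGroup = Get-AzWvdApplicationGroup -ResourceGroupName $resourceGroupName -Name $appGroupName
$scope    = $appGroup.Id

# Assign to a group rather than to individual users: membership changes are
# then reviewed in one place and no per-user role assignments accumulate.
$group = Get-AzADGroup -DisplayName $groupDisplayName
if (-not $group) { throw "Azure AD group '$groupDisplayName' not found." }

# Make the script safe to re-run: only create the assignment when it is missing.
$existing = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roleName -Scope $scope
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roleName -Scope $scope | Out-Null
    Write-Host "Assigned '$roleName' to '$groupDisplayName' on $scope"
}
else {
    Write-Host "'$roleName' is already assigned to '$groupDisplayName' on $scope"
}

# Audit: every principal that holds the role at this scope. Assignments made
# directly to users, and assignments inherited from the resource group or
# subscription, appear here too, which is what a least-privilege review needs.
Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleName |
    Select-Object DisplayName, ObjectType, SignInName, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

In the audit output, a row whose Scope is the resource group or subscription rather than the app group's own ID is an inherited grant: it gives access to every app group beneath that scope, so it is worth confirming that breadth was intended.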
For a more complete list of PowerShell cmdlets each role can use, see the PowerShell reference.
For a complete list of roles supported in Azure RBAC, see Azure built-in roles.
For guidelines on how to set up an Azure Virtual Desktop environment, see Azure Virtual Desktop environment.