Explore role-based access control


Role-based access control (RBAC) helps you manage who has access to your organization's resources and what they can do with those resources. You can assign roles for your Cloud PCs by using the Microsoft Intune admin center.

Windows 365 Administrator role

Windows 365 supports the Windows 365 Administrator role available for role assignment through the Microsoft Admin Center and Microsoft Entra ID. With this role, you can manage Windows 365 Cloud PCs for both Enterprise and Business editions. The Windows 365 Administrator role can grant more scoped permissions than other Microsoft Entra roles like Global Administrator. For more information, see Microsoft Entra built-in roles.

Cloud PC built-in roles

The following built-in roles are available for Cloud PC:

Cloud PC Administrator

The Cloud PC Administrator can manage all aspects of Cloud PCs, like:

  • OS image management.
  • Azure network connection configuration.
  • Provisioning.

Cloud PC Reader

The Cloud PC Reader can view Cloud PC data available in the Windows 365 node in Microsoft Intune, but can’t make changes.

Windows 365 Network Interface Contributor

The Windows 365 Network Interface Contributor role is assigned to the resource group associated with the Azure network connection (ANC). This role is a collection of the minimum permissions required for the Windows 365 service to create and join the NIC and manage deployment in the resource group.

Windows 365 Network User

The Windows 365 Network User role is assigned to the virtual network associated with the ANC. This role is a collection of the minimum permissions required for the Windows 365 service to join the NIC to the virtual network.

Custom permissions

Windows 365 requires Azure role-based access control (RBAC) permissions for the following operations.

  • Create an Azure network connection (ANC).
  • Add a custom image.

Create Azure network connections

You create ANCs to define the connection between your network and the Windows 365 system so that Cloud PCs can be successfully provisioned. When you create an ANC, the Windows 365 service principal requires the following permissions:

  • Reader permission on the Azure subscription: This permission is used to simplify the flow when adding a custom image.
  • Windows 365 Network Interface Contributor role on the specified resource group: This permission is used to create network interface cards in the selected resource group.
  • Windows 365 Network User role on the virtual network: This permission is used to attach the created network interface cards to the selected virtual network.

When you create an ANC, you must be signed in with an account that is an Owner or admin of the subscription.

Note

When you use the Microsoft hosted network option with a gallery image, you don't need to grant the Windows 365 service principal these permissions.

For more information, see Create Azure network connection.

Add a custom image

Note

If you already created an ANC for the image's associated Azure subscription, no new permissions are needed to add a custom image.

When you use Windows 365 with a Microsoft hosted network and a custom image, the Windows 365 service principal requires the following permission to upload a custom image:

  • Reader of the subscription.

When you upload a custom image, you must be signed in with an account that is an Owner or admin of the subscription.
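The permission requirements above (ANC with either image type, Microsoft hosted network with a gallery or custom image) can be checked against an exported list of role assignments. The following is an added example, not Microsoft's or the Windows 365 service's own code: the record layout follows `az role assignment list --all -o json` (`principalId`, `roleDefinitionName`, `scope`), the service principal object ID is a placeholder, and the sample assignments are constructed.

```python
"""Least-privilege check for the Windows 365 service principal's Azure RBAC
assignments, encoding the role/scope requirements this page lists."""

SP_ID = "PLACEHOLDER-W365-SP-OBJECT-ID"  # placeholder, not a real object ID

# Requirements from the page, keyed by (network option, image source).
ANC_ROLES = [
    ("Reader", "subscription"),
    ("Windows 365 Network Interface Contributor", "resourceGroup"),
    ("Windows 365 Network User", "virtualNetwork"),
]
REQUIRED = {
    ("anc", "gallery"): ANC_ROLES,
    ("anc", "custom"): ANC_ROLES,        # an existing ANC already covers custom images
    ("hosted", "gallery"): [],           # hosted network + gallery image: nothing needed
    ("hosted", "custom"): [("Reader", "subscription")],
}

def scope_kind(scope):
    """Classify an ARM scope as subscription / resourceGroup / virtualNetwork / other."""
    parts = scope.strip("/").lower().split("/")
    if "virtualnetworks" in parts:
        return "virtualNetwork"
    if "resourcegroups" in parts:
        return "resourceGroup"
    if parts[:1] == ["subscriptions"] and len(parts) == 2:
        return "subscription"
    return "other"

def check_assignments(assignments, principal_id, network, image):
    """Return (missing, excess) role/scope pairs for the scenario.
    A broader role at a parent scope (e.g. Contributor on the subscription)
    is reported as excess rather than accepted as a substitute, because the
    page defines the Windows 365 roles as the minimum permission set."""
    held = {(a["roleDefinitionName"], scope_kind(a["scope"]))
            for a in assignments if a["principalId"] == principal_id}
    required = set(REQUIRED[(network, image)])
    return sorted(required - held), sorted(held - required)

# Constructed sample export: correct RG and VNet roles, Reader missing,
# plus an over-broad Contributor assignment on the subscription.
SUB = "/subscriptions/sub-1"
RG = SUB + "/resourceGroups/rg-w365"
SAMPLE = [
    {"principalId": SP_ID, "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalId": SP_ID, "roleDefinitionName": "Windows 365 Network Interface Contributor", "scope": RG},
    {"principalId": SP_ID, "roleDefinitionName": "Windows 365 Network User",
     "scope": RG + "/providers/Microsoft.Network/virtualNetworks/vnet-w365"},
    {"principalId": "other-principal", "roleDefinitionName": "Reader", "scope": SUB},
]

if __name__ == "__main__":
    print(check_assignments(SAMPLE, SP_ID, "anc", "gallery"))
```

Run it against a real export by replacing `SAMPLE` with the parsed JSON and `SP_ID` with the service principal's object ID; any non-empty `missing` list blocks ANC creation, and any `excess` entry is a candidate for removal.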

Additional resources

For more information about Windows 365 RBAC, see: Windows 365 Role-based access control.

For more information about using RBAC with Intune, see: Role-based access control (RBAC) with Microsoft Intune.

For more information about creating custom roles in Intune, see: Create a custom role in Intune.

For more information about Azure role definitions, see: Understand Azure role definitions.

For more information about Azure RBAC, see: What is Azure role-based access control?
