Managing Roles, Groups, and Rights Assignment on Azure Virtual Desktop Session Hosts

An important aspect of any Azure Virtual Desktop (AVD) environment is ensuring it is accessible and secure, not only to meet best-practice standards but also to meet your organization's requirements. To get the most out of this cloud-hosted service, it is important to use the correct features and components that make up the AVD environment, which in turn gives your users a much better experience.

AVD allows organizations to set up redundant, scalable, and agile environments that offer the following key capabilities:

  • Configure an unlimited number of host pools that can accommodate different workloads within an organization
  • Create custom images for your multiple workloads, or use the ready-to-deploy images in the Azure Gallery for testing
  • Integrate Azure services to automate updates, power on/off, and autoscaling to help reduce costs and admin overhead
  • Provision Personal (persistent) desktops, which allow for individual ownership

From a management perspective, you can use the Azure Portal, PowerShell, and REST interfaces to manage and implement AVD resources. You can publish a fully featured desktop or a single remote application for different sets of users. You can also assign multiple users to multiple application groups to reduce the number of images.

This course will help you implement access to your Azure Virtual Desktop environment and understand how it integrates with the other Azure services. It covers understanding Azure roles and RBAC for Azure Virtual Desktop, managing roles on session hosts, and configuring user restrictions via group policy and Azure policy.

Learning Objectives

  • Plan and implement Azure roles and role-based access control (RBAC) for Azure Virtual Desktop
  • Manage roles, groups, and rights assignment on Azure Virtual Desktop sessions
  • Configure user restrictions by using AD group policies and Azure policies

Intended Audience

This course is intended for anyone who wants to become an Azure Virtual Desktop Specialist and/or is preparing to take the AZ-140 exam.


To get the most from this course, it is recommended that you have a good understanding of Azure administration, although this is not essential.


Welcome to this module on managing roles, groups, and rights assignment on Azure Virtual Desktop. In this module, we'll cover the following two topics, both of which are demo-focused. First, we will look at how to add users to the Azure Virtual Desktop-specific roles. Then we'll walk through how to add users and groups to Azure Virtual Desktop host pools to allow access to session hosts.

In this first section, we are going to show how to add users to the Azure Virtual Desktop-specific roles we discussed in the "Planning and implementing Azure roles and role-based access control (RBAC) for Azure Virtual Desktop" module. Here we are in the Azure portal. We first need to navigate to the Azure Virtual Desktop service. We have two options: we can either use the search at the top, where we can type Azure Virtual Desktop, like this, and click on the service. Or, like me, if you have it as a shortcut on the dashboard, you can just click this, and it'll take you to the service as well.

Next, we'll click on Host pools in the left-hand pane. Now we can see our host pools in the center. In this case, we have a single host pool. Click on the host pool, and we now see the overview for this resource. In the left-hand pane, we need to look for Access control (IAM) to get to the access control settings for this host pool.

Now we want to add a user to one of the desktop virtualization role assignments we discussed in an earlier module, so we will select Add, and then Add role assignment. We are now on the Add role assignment menu, and we can see all the available roles here, including the desktop virtualization roles. Let's select one at random. Let's say, the Host Pool Reader role, then click on Next. We now have the option of either adding a user, group, or service principal to this role, or we can add a managed identity. In our case, we want to add a user, so we'll click on Select members and add our user. We then click on the Review and assign button, and the same again. We can now see the Desktop Virtualization Host Pool Reader role has appeared with the user we added.

This user now has read-only access to all the host pool resources. In this section, we are going to look at how we add a group to the host pool assignment, which will allow its members to log into the relevant session hosts. We first need to make sure we have created a security group, either in on-premises Active Directory that is synchronized with Azure AD, or a cloud-based security group in Azure AD. In our example, we have created a cloud security group in Azure AD called AVD Users. We need to browse to the Azure Virtual Desktop service, as we did previously.

From here, we select the Application group. In the left-hand pane of our application group, we'll navigate down to Assignments, where we can now click on Add. We now find the security group called AVD Users and select it. You should know that you can assign users to the application group directly as well. However, it is a best-practice recommendation to use security groups, as this involves less administrative overhead.
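The two portal procedures in this module (the Host Pool Reader role assignment on the host pool, and the AVD Users group assignment on the application group) can be done with the Az PowerShell module. The script below is an added example and is not part of the course; the resource group, host pool, application group, and user principal name are placeholders you must replace. It relies on the fact that what the portal shows as an application group "assignment" is the built-in Desktop Virtualization User role granted at application group scope, and it finishes with the check an administrator would run to confirm who holds which role at each scope.

```powershell
# Added example, not from the course. Requires the Az.Accounts, Az.Resources and
# Az.DesktopVirtualization modules and an account that can create role assignments
# (for example Owner or User Access Administrator on the resource group).
Connect-AzAccount

$ResourceGroup = 'rg-avd-prod'         # placeholder: resource group holding the AVD objects
$HostPoolName  = 'hp-avd-prod'         # placeholder: host pool name
$AppGroupName  = 'hp-avd-prod-DAG'     # placeholder: desktop application group name
$ReaderUpn     = 'reader@contoso.com'  # placeholder: user who gets read-only access
$UserGroupName = 'AVD Users'           # the cloud security group named in the walkthrough

# 1. Read-only access to the host pool: built-in role at host pool scope (least privilege,
#    no rights on session hosts or application groups).
$hostPool = Get-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPoolName
New-AzRoleAssignment -SignInName $ReaderUpn `
    -RoleDefinitionName 'Desktop Virtualization Host Pool Reader' `
    -Scope $hostPool.Id

# 2. Session access: assign the security group (not individual users) the
#    Desktop Virtualization User role on the application group.
$group    = Get-AzADGroup -DisplayName $UserGroupName
$appGroup = Get-AzWvdApplicationGroup -ResourceGroupName $ResourceGroup -Name $AppGroupName
New-AzRoleAssignment -ObjectId $group.Id `
    -RoleDefinitionName 'Desktop Virtualization User' `
    -Scope $appGroup.Id

# 3. Verify: who holds desktop virtualization roles at each scope. Inherited
#    assignments (subscription or resource group level) show up here too, which is
#    exactly what you want to see when reviewing effective access.
Get-AzRoleAssignment -Scope $hostPool.Id |
    Where-Object RoleDefinitionName -like 'Desktop Virtualization*' |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope

Get-AzRoleAssignment -Scope $appGroup.Id |
    Where-Object RoleDefinitionName -eq 'Desktop Virtualization User' |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope
```

Because the application group assignment is an ordinary RBAC assignment, the group-over-users recommendation above translates into one role assignment per application group instead of one per person, and membership changes in Azure AD take effect without touching the AVD resources at all. The verification step is worth running after any change: an unexpected Desktop Virtualization User assignment at resource group or subscription scope grants session access to every application group underneath it.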

About the Author

Shabaz Darr is a Senior Infrastructure Specialist at Netcompany, based in the UK. He has more than 15 years of experience working in the IT industry, 7 of which he has spent working with Microsoft Cloud Technologies in general, with a focus on MEM and IaaS. Shabaz is a Microsoft MVP in Enterprise Mobility with certifications in Azure Administration and Azure Virtual Desktop. During his time working with Microsoft Cloud, Shabaz has helped multiple public and private sector clients in the UK with designing and implementing secure Azure Virtual Desktop environments.