Planning and Implementing Azure Roles and Role-Based Access Control (RBAC) for Azure Virtual Desktop

An important aspect of any Azure Virtual Desktop (AVD) environment is ensuring it is both accessible and secure, so that it not only meets best-practice standards but also your organization's requirements. To get the most out of this cloud-hosted service, it is important to use the correct features and components that make up the AVD environment, which will, in turn, give a much better experience for your users.

 AVD allows organizations to set up redundant, scalable, and agile environments that offer the following key capabilities:

  • Configure an unlimited number of host pools that can accommodate different workloads within an organization
  • Create custom images for your multiple workloads or utilize the ready-to-deploy images in the Azure Gallery for testing
  • Integrate Azure services to automate updates, power on/off, and autoscaling to help reduce costs and admin overhead
  • Provision Personal (persistent) desktops which will allow for individual ownership

From a management perspective, you can utilize the Azure Portal, PowerShell, and REST interfaces to manage and implement AVD resources. You can publish a fully-featured desktop or a single remote application for different sets of users. You can also assign multiple users to multiple application groups to reduce the number of images.

This course will help you implement access to your Azure Virtual Desktop environment and understand how it integrates with the other Azure services. It covers understanding Azure roles and RBAC for Azure Virtual Desktop, managing roles on session hosts, and configuring user restrictions via group policy and Azure policy.

Learning Objectives

  • Plan and implement Azure roles and role-based access control (RBAC) for Azure Virtual Desktop
  • Manage roles, groups, and rights assignment on Azure Virtual Desktop sessions
  • Configure user restrictions by using AD group policies and Azure policies

Intended Audience

This course is intended for anyone who wants to become an Azure Virtual Desktop Specialist and/or is preparing to take the AZ-140 exam.

To get the most from this course, it is recommended that you have a good understanding of Azure administration, although this is not essential.

Welcome to this module on Planning and Implementing Azure Roles and Role-Based Access Control, or RBAC, for Azure Virtual Desktop. In this module, we'll cover the following topics: what role-based access control, or RBAC, is; some of the Azure Virtual Desktop specific built-in roles; and, finally, delegated access in Azure Virtual Desktop.

Let's start by discussing what role-based access control, better known as RBAC, is. It allows you to manage who has access to resources within Azure. It is an authorization mechanism built on Azure Resource Manager, better known as ARM, that allows administrators to configure fine-grained access management for resources.

There are three elements to role-based access control. The first is a security principal, which represents some type of object, for example a user or a group. The second element is a role definition, which is a collection, or set, of permissions. Essentially, a role definition lists the actions, for example read, write, or delete, that can be performed. The final element is a scope. This is the set of resources to which the access applies. There are different levels of scope, including management groups, subscriptions, and resource groups.

In the next part of this course, we are going to look at some of the built-in roles that are relevant to Azure Virtual Desktop. We start off with the desktop virtualization role, which has a reader role and a contributor role. The reader role allows you to view all aspects of the deployment, but not make any changes. The contributor role enables you to manage all parts of the deployment; however, it does not give you access to any of the compute resources.

The next relevant role is the desktop virtualization host pool role, which again has reader and contributor levels of access. The reader level allows you to view all aspects of the host pool only and not modify any settings, whereas the contributor role allows you to manage everything within the host pool. However, you do need an additional contributor role for the virtual machine if you wish to create any VMs. The desktop virtualization application group role is similar to the host pool role, in that it has both reader and contributor levels. The reader level role allows you to view everything within the application group, and the contributor level allows you to manage everything within the application groups. However, if you wish to publish apps, you need to have the user access administrator role.

Next, we have the desktop virtualization workspace role, which again has two levels, reader and contributor. The reader level role allows you to view all aspects of the workspace but not add anything. The contributor level role allows you to manage everything within the workspace. However, to obtain information on applications within an app group, you need to be assigned the application group reader role. There are two more roles that are relevant to Azure Virtual Desktop. The first is the desktop virtualization user session operator. This role allows you to manage user logins and to do tasks such as sending messages, disconnecting sessions, and remotely logging off user sessions.

The final role is called desktop virtualization session host operator. This role will enable you to change drain mode and view and remove session hosts from a host pool. This level of access does not have write permissions, however, so you cannot add session hosts into the host pool. In the final section of this module, we are going to look at delegated access with Azure Virtual Desktop.

Like role-based access control, delegated access has the same three elements, which are security principals, role definitions, and scope. Security principals come in three kinds, all of which are objects: users, groups, and service principals. Role definitions come in two types: either built-in roles, which we discussed in the previous section of this module, or custom roles, which are roles you can customize with different permissions. Finally, we have the scope element of delegated access. As mentioned earlier, these are the resources you assign the roles and permissions to, which include host pools, app groups, and workspaces.
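As an added example that is not part of the course, the following Azure PowerShell script puts the three elements together: it delegates a helpdesk group (security principal) the built-in Desktop Virtualization User Session Operator role (role definition) at the scope of a single host pool rather than the subscription, then verifies the assignment. The resource group, host pool, and Microsoft Entra group names are assumed placeholders.

```powershell
# Added example, not from the course: delegated access scoped to one host pool.
# Assumes Az.Accounts, Az.Resources and Az.DesktopVirtualization are installed
# and Connect-AzAccount has already been run.
Import-Module Az.Accounts, Az.Resources, Az.DesktopVirtualization

$resourceGroup = 'rg-avd-prod'    # assumed resource group name
$hostPoolName  = 'hp-avd-prod'    # assumed host pool name
$helpdeskGroup = 'AVD-Helpdesk'   # assumed Microsoft Entra group name

# 1. Security principal: the group that receives the delegated access
$principal = Get-AzADGroup -DisplayName $helpdeskGroup

# 2. Role definition: a built-in role. Inspect its Actions before assigning,
#    which confirms it manages user sessions but grants no write permission on
#    the host pool itself (the Session Host Operator role can be checked the same way).
$role = Get-AzRoleDefinition -Name 'Desktop Virtualization User Session Operator'
$role.Actions

# 3. Scope: the host pool resource ID, so the assignment does not reach
#    other host pools in the same resource group or subscription.
$hostPool = Get-AzWvdHostPool -ResourceGroupName $resourceGroup -Name $hostPoolName

New-AzRoleAssignment -ObjectId $principal.Id `
    -RoleDefinitionName $role.Name `
    -Scope $hostPool.Id

# Verify: Get-AzRoleAssignment also returns assignments inherited from parent
# scopes, so filter to those made directly on this host pool.
Get-AzRoleAssignment -Scope $hostPool.Id |
    Where-Object { $_.Scope -eq $hostPool.Id } |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

The same pattern applies to the other AVD built-in roles and scopes the module describes, for example assigning Desktop Virtualization Host Pool Contributor at host pool scope and, separately, Virtual Machine Contributor on the compute resource group when session host creation is required.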

About the Author

Shabaz Darr is a Senior Infrastructure Specialist at Netcompany, based in the UK. He has over 15 years of experience working in the IT industry, 7 of which he has spent working with Microsoft Cloud technologies in general, with a focus on MEM and IaaS. Shabaz is a Microsoft MVP in Enterprise Mobility with certifications in Azure Administration and Azure Virtual Desktop. During his time working with Microsoft Cloud, Shabaz has helped multiple public and private sector clients in the UK with designing and implementing secure Azure Virtual Desktop environments.