How to create delegated admin for Windows Virtual Desktop in Azure

Most organisations will have some form of delegated administration for their on-premises Virtual Desktop estate. Likewise most organisations doing anything in Azure will also have delegation to enable different administrators access to just the services they need to see from within the Azure Portal

This is all made possible through the Azure Role Based Access Control Service.
One of the main benefits of the Windows Virtual Desktop Spring Update being integrated with Azure Resource Manager (ARM) is that you can now apply RBAC against all of the Windows Virtual Desktop objects.

This allows you to set granular access permissions that align with your administrative set-up in any format that works for your organisation - be that specific object, technology, business unit or project based.
So how can you set this up for Windows Virtual Desktop? As part of the move to ARM we have created a new ARM Resource provider called "Microsoft.DesktopVirtualization". This Resource provider will provide the ability to add (or exclude) low level permissions to all Windows Virtual Desktop objects, by creating a new Custom role.

This Resource provider can be viewed in your Azure subscription. Go to: Subscriptions > "Your Subscription" > Resource providers and then search in the Filter by name... field for "Desktop", which will show this:
So how do you create a delegated admin model for your Windows Virtual Desktop Admins?
We do this by creating a new custom role. We then add permissions to that custom role, and finally add user accounts to the custom role

We will now create a full Windows Virtual Desktop admin role, and in the process see how easy it is to create further roles with lower level permissions to just one set of Windows Virtual Desktop objects.

In the Azure portal click on Subscriptions
Select your subscription, and then click on Access control (IAM) in the top section.

 Click on Roles. This will show all existing Roles in your subscription. 

At the top click on +Add and select Add custom role

 Start by giving your role a name and description and select Start from scratch for the baseline permissions

Click on Next

In Permissions click on the + Add permission button, and in the Add permissions blade search for "desktop" then click on Microsoft.DesktopVirtualization
 This will now show all of the permissions for all Windows Virtual Desktop Objects.
As this is the full admin role just put a tick in the Permission box at the top.

However if you wanted to create a role that only has limited permissions i.e. just being able to administer Application Groups you would just select those permissions. i.e. everything that starts with "Microsoft.DesktopVirtualization/applicationgroups"

This has shown all of the individual permissions that are possible to apply, and you can create roles with the minimal permissions required.
Click in Add at the bottom, and then Next

In Assignable scopes you can apply this custom role to any subscription in your tenant, as well as being more granular and applying this to Resource Groups within those subscriptions.

Add any additional subscriptions or resource groups and click on Next

On the JSON tab you can download a CustomerRoleDefinition.json file so that you can import this later or share with others. Click on Download and we will use this later.

Click on  Review + create and then the Create button.
This will create the new custom role which will take a few minutes to apply

Click on OK

We now need to add user accounts to this role

Click on the + Add button and select Add role assignment.

In the Add role assignment in the Role field start typing the name of your role and in Select start typing the name of your user or group, select that user or group and click on the Save button at the bottom

To check this or any users access, click on Check access and enter your user or group name

Select that user or group and on the right you will see the role assignments

To modify the permissions for a role you just need to go back to your Subscriptions Access Control (IAM) blade find your role and on the far right click on the ellipse

If you select Edit you will be taken back to the screens above where you can make all of the modifications set during the creation process.

If you click on Permissions this will show you each objects permissions so that you can review what permissions this role has been provided.

Now log into the Azure portal as that user and go to the Windows Virtual Desktop part of the Azure portal and they will see the relevant objects. If you have created a Windows Virtual Desktop - Application Group custom role then they wont see anything in Host pools or Workspaces.

If this user account has no other permissions to see any other Azure object they are effectively just a WVD admin, and as the all up Azure administrator you are gauranteed that users with this Windows Virtual Desktop custom role will only ever see those objects in the portal.

A couple of points worth noting.

As can be seen you can create a role with a limited set of permissions. If a user account only has permissions to see certain Windows Virtual Desktop objects then in the Azure portal that is all they will see. This is perfect for WVD support etc. 

But if you need a role that allows certain admins the permissions to also create new host pools, this task will require the permissions to create Session host virtual machines and potentially a virtual network and resource group etc. So for a role that needs these permissions you can add the required permissions for virtual machines etc to the same WVD admin custom role.

Secondly, in the picture above at the bottom is a section called Resource Type (Data)
This is different to the top section which is Resource Type (Management) 
The Management section provides admin permissions to the objects, whilst the Data type provides user access to the applications. This is applied when you assign user accounts to an Application Group

How do you automate this, or how can you share this custom role with others?

Well you earlier downloaded the JSON file for this custom role. Just to show how this works, go back to your Access Control (IAM) section of your subscription and click on + Add and Add custom role

Go straight to the Baseline permissions and select "Start from JSON", browse for the downloaded JSON file and all of the information in the JSON file will be populated in the relevant sections

Complete this as above. If you are applying this to a different subscription you will need to change the subscription in the Assignable scopes.

If you are sharing this JSON file you may want to remove your subscription ID inside the JSON file. Just remove everything within the [] brackets:

I have added a number of pre-configured custom role definitions to speed this up for you:


  1. Hi , I want to customize a role in such a way that service desk guys can only remove the tag and turn on the machine.

    Example : In our environment , we have enabled shutdown / start script for WVD but emergency or in any p1 related issue if team needs the WVD to be on they can call service desk and then SD can remove the TAG and start the machine.

    Need your assistance to create such kind of role , For both non arm and ARM WVDs


Post a Comment

Popular posts from this blog

Reassign a WVD Personal Session Host

AVD and Azure Active Directory Domain Join public preview

How to deploy a Windows Virtual Desktop host pool using Infrastructure as code from Azure DevOps