Assign Azure RBAC roles or Microsoft Entra roles to the Azure Virtual Desktop service principals
Several Azure Virtual Desktop features require you to assign Azure role-based access control (Azure RBAC) roles or Microsoft Entra roles to one of the Azure Virtual Desktop service principals. Features that you need to assign a role to an Azure Virtual Desktop service principal include:
- App attach (when using Azure Files and your session hosts joined to Microsoft Entra ID).
- Autoscale.
- Session host update
- Start VM on Connect.
Tip
You can find which role or roles you need to assign to which service principal in the article for each feature. For a list of all the available Azure RBAC roles created specifically for Azure Virtual Desktop, see Built-in Azure RBAC roles for Azure Virtual Desktop. To learn more about Azure RBAC, see Azure RBAC documentation or for Microsoft Entra roles, see Microsoft Entra roles documentation.
Depending on when you registered the Microsoft.DesktopVirtualization resource provider, the service principal names begin with either Azure Virtual Desktop or Windows Virtual Desktop. Also, if you previously used both Azure Virtual Desktop classic and Azure Virtual Desktop (Azure Resource Manager), you see apps with the same name. You can make sure you're assigning roles to the correct service principal by checking its application ID. The application ID for each service principal is in the following table:
Service principal | Application ID |
---|---|
Azure Virtual Desktop Windows Virtual Desktop |
9cdead84-a844-4324-93f2-b2e6bb768d07 |
Azure Virtual Desktop Client Windows Virtual Desktop Client |
a85cf173-4192-42f8-81fa-777a763e6e2c |
Azure Virtual Desktop ARM Provider Windows Virtual Desktop ARM Provider |
50e95039-b200-4007-bc97-8d5790743a63 |
This article shows you how to assign Azure RBAC roles or Microsoft Entra roles to the correct Azure Virtual Desktop service principals by using the Azure portal, Azure CLI, or Azure PowerShell.
Prerequisites
Before you can assign a role to an Azure Virtual Desktop service principal, you need to meet the following prerequisites:
To assign Azure RBAC roles, you must have the
Microsoft.Authorization/roleAssignments/write
permission to an Azure subscription in order to assign roles on that subscription. This permission is part of the Owner or User Access Administrator built in roles.To assign Microsoft Entra roles, you must have the Privileged Role Administrator or Global Administrator role.
If you want to use Azure PowerShell or Azure CLI locally, see Use Azure CLI and Azure PowerShell with Azure Virtual Desktop to make sure you have the Az.DesktopVirtualization PowerShell module or desktopvirtualization Azure CLI extension installed. Alternatively, use the Azure Cloud Shell.
Assign an Azure RBAC role to an Azure Virtual Desktop service principal
To assign an Azure RBAC role to an Azure Virtual Desktop service principal, select the relevant tab for your scenario and follow the steps. In these examples, the scope of the role assignment is an Azure subscription, but you need to use the scope and the role required by each feature.
Here's how to assign an Azure RBAC role to an Azure Virtual Desktop service principal scoped to a subscription using the Azure portal.
Sign in to the Azure portal.
In the search box, enter Microsoft Entra ID and select the matching service entry.
On the Overview page, in the search box for Search your tenant, enter the application ID for the service principal you want to assign from the earlier table.
In the results, select the matching enterprise application for the service principal you want to assign, starting either Azure Virtual Desktop or Windows Virtual Desktop.
Under properties, make a note of the name and the object ID. The object ID correlates to the application ID, and is unique to your tenant.
Go back to the search box, enter Subscriptions and select the matching service entry.
Select the subscription you want to add the role assignment to.
Select Access control (IAM), then select + Add followed by Add role assignment.
Select the role you want to assign to the Azure Virtual Desktop service principal, then select Next.
Ensure Assign access to is set to Microsoft Entra user, group, or service principal, then select Select members.
Enter the name of the enterprise application you made a note of earlier.
Select the matching entry from the results, then select Select. If you have two entries with the same name, select them both for now.
Review the list of members in the table. If you have two entries, remove the entry that doesn't match the object ID you made a note of earlier.
Select Next, then select Review + assign to complete the role assignment.
Assign a Microsoft Entra role to an Azure Virtual Desktop service principal
To assign a Microsoft Entra role to an Azure Virtual Desktop service principal, select the relevant tab for your scenario and follow the steps. In these examples, the scope of the role assignment is an Azure subscription, but you need to use the scope and the role required by each feature.
Here's how to assign a Microsoft Entra role to an Azure Virtual Desktop service principal scoped to a tenant using the Azure portal.
Sign in to the Azure portal.
In the search box, enter Microsoft Entra ID and select the matching service entry.
Select Roles and administrators.
Search for and select the name of the role you want to assign. If you want to assign a custom role, see Create a custom role to create it first.
Select Add assignments.
In the search box, enter the application ID for the service principal you want to assign from the earlier table, for example 9cdead84-a844-4324-93f2-b2e6bb768d07.
Check the box next to the matching entry, then select Add to complete the role assignment.
Next steps
Learn more about the built-in Azure RBAC roles for Azure Virtual Desktop.