Delegated access in Azure Virtual Desktop
Azure Virtual Desktop has a delegated access model that lets you define the amount of access a particular user is allowed to have by assigning them a role. A role assignment has three components: security principal, role definition, and scope. The Azure Virtual Desktop delegated access model is based on the Azure RBAC model. To learn more about specific role assignments and their components, see the Azure role-based access control overview.
Azure Virtual Desktop delegated access supports the following values for each element of the role assignment:
- Security principal
  - Users
  - User groups
  - Service principals
- Role definition
  - Built-in roles
  - Custom roles
- Scope
  - Host pools
  - Application groups
  - Workspaces
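The list above allows custom roles and host-pool scope, but the page shows no example of either. The following is an added example, not code from the original page or from Microsoft: it defines a custom role for a helpdesk operator who may only view, message, disconnect and log off user sessions, and assigns it at the scope of a single host pool. It assumes the Az.Resources module is installed and that Connect-AzAccount has already been run. The role name, the subscription, resource group, host pool and user values, and the list of provider operations are this example's own choices; the operations are checked against what the Microsoft.DesktopVirtualization provider actually publishes before the role is created, so a misspelled operation fails loudly instead of producing a role that grants nothing.

```powershell
# Added example (not from the original page): least-privilege custom role
# for session helpdesk, assigned at host-pool scope.
# Assumes Az.Resources is installed and Connect-AzAccount has been run.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$resourceGroup  = "rg-avd-prod"                            # placeholder
$hostPoolName   = "hp-finance"                             # placeholder
$operatorUpn    = "helpdesk1@contoso.com"                  # placeholder

# Control-plane operations the operator needs (assumed names, validated
# below): enumerate session hosts and sessions, message, disconnect, log off.
# Nothing on application groups or workspaces, no write on the host pool.
$actions = @(
    "Microsoft.DesktopVirtualization/hostpools/read",
    "Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
    "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read",
    "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action",
    "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/disconnect/action",
    "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/delete"
)

# Validate against the provider's published operations. A typo here would
# otherwise yield a role that silently grants nothing (or, with a careless
# wildcard, far too much).
$published = (Get-AzProviderOperation "Microsoft.DesktopVirtualization/*").Operation
$unknown = $actions | Where-Object { $_ -notin $published }
if ($unknown) { throw "Unknown operations: $($unknown -join ', ')" }

# Build the definition from the built-in Reader role object as a template
# (Reader has no NotActions or DataActions, so only Actions and
# AssignableScopes need replacing). AssignableScopes takes management group,
# subscription or resource group scopes, not individual resources, so the
# role is made assignable within the resource group and then assigned at the
# narrower host-pool scope.
$role = Get-AzRoleDefinition -Name "Reader"
$role.Id = $null
$role.Name = "AVD Session Helpdesk"
$role.IsCustom = $true
$role.Description = "View, message, disconnect and log off user sessions on assigned host pools."
$role.Actions.Clear()
foreach ($a in $actions) { $role.Actions.Add($a) }
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId/resourceGroups/$resourceGroup")

$definition = Get-AzRoleDefinition -Name $role.Name -ErrorAction SilentlyContinue
if (-not $definition) { $definition = New-AzRoleDefinition -Role $role }

# Assign the custom role on exactly one host pool.
$hostPoolScope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
                 "/providers/Microsoft.DesktopVirtualization/hostPools/$hostPoolName"
New-AzRoleAssignment -SignInName $operatorUpn -RoleDefinitionId $definition.Id -Scope $hostPoolScope
```

Because the assignment is at host-pool scope, the operator can act on sessions in that pool only; giving the same role at the resource group would cover every host pool in it, which is the usual way helpdesk roles end up over-privileged.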
PowerShell cmdlets for role assignments
Before you start, make sure to follow the instructions in Set up the PowerShell module to set up the Azure Virtual Desktop PowerShell module if you haven't already.
Azure Virtual Desktop uses Azure role-based access control (Azure RBAC) to publish application groups to users or user groups: the Desktop Virtualization User role is assigned to the user or group with the application group as the scope. This is a data-plane role. It lets the principal see and launch the desktops and RemoteApps published through that application group, but it does not grant management permissions on the application group resource itself.
Run the following cmdlet to assign the role to a Microsoft Entra user, identified by user principal name, on an application group:
New-AzRoleAssignment -SignInName <userupn> -RoleDefinitionName "Desktop Virtualization User" -ResourceName <appgroupname> -ResourceGroupName <resourcegroupname> -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups'
Run the following cmdlet to assign the role to a Microsoft Entra user group, identified by its object ID, on an application group (for a service principal, use -ApplicationId in place of -ObjectId):
New-AzRoleAssignment -ObjectId <usergroupobjectid> -RoleDefinitionName "Desktop Virtualization User" -ResourceName <appgroupname> -ResourceGroupName <resourcegroupname> -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups'
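The two cmdlets above create the assignment but do not show how to confirm it landed at the intended scope, or how to notice a Desktop Virtualization User grant inherited from a wider scope. The following is an added example, not code from the original page or from Microsoft: it resolves a Microsoft Entra group by display name, assigns Desktop Virtualization User at application-group scope using an explicit scope string (the same assignment the -ResourceName/-ResourceType form produces), verifies it, and then lists any assignment of that role that the application group inherits from its resource group, subscription or management group. It assumes the Az.Resources module is installed and Connect-AzAccount has been run; the subscription, resource group, application group and group names are placeholders.

```powershell
# Added example (not from the original page): assign "Desktop Virtualization
# User" to an Entra group at application-group scope, verify, and audit for
# inherited grants. Assumes Az.Resources is installed and Connect-AzAccount
# has been run. All names below are placeholders.
param(
    [string]$SubscriptionId   = "00000000-0000-0000-0000-000000000000",
    [string]$ResourceGroup    = "rg-avd-prod",
    [string]$AppGroupName     = "ag-finance-desktop",
    [string]$GroupDisplayName = "AVD-Finance-Users"
)

$roleName = "Desktop Virtualization User"
$scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
         "/providers/Microsoft.DesktopVirtualization/applicationGroups/$AppGroupName"

# Resolve the Entra group by display name and refuse ambiguity: assigning a
# role to the wrong group is a silent privilege grant.
$group = @(Get-AzADGroup -DisplayName $GroupDisplayName)
if ($group.Count -ne 1) {
    throw "Expected exactly one group named '$GroupDisplayName', found $($group.Count)."
}
$groupId = $group[0].Id

# Assign at application-group scope only. New-AzRoleAssignment errors on a
# duplicate, so check for an assignment at exactly this scope first
# (Get-AzRoleAssignment -Scope also returns assignments inherited from
# parent scopes, hence the exact-match filter).
$existing = Get-AzRoleAssignment -ObjectId $groupId -RoleDefinitionName $roleName -Scope $scope |
    Where-Object { $_.Scope -eq $scope }
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $groupId -RoleDefinitionName $roleName -Scope $scope | Out-Null
    Write-Host "Assigned '$roleName' to '$GroupDisplayName' on $AppGroupName"
} else {
    Write-Host "'$roleName' is already assigned to '$GroupDisplayName' on $AppGroupName"
}

# Audit: any Desktop Virtualization User grant whose Scope is wider than this
# application group publishes every application group beneath that scope to
# the principal. That is rarely intended, so flag each one.
$all = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $roleName
$inherited = $all | Where-Object { $_.Scope -ne $scope }
foreach ($a in $inherited) {
    Write-Warning ("Inherited grant: {0} ({1}) holds '{2}' at {3}" -f $a.DisplayName, $a.ObjectType, $a.RoleDefinitionName, $a.Scope)
}
if (-not $inherited) { Write-Host "No inherited '$roleName' assignments on $AppGroupName" }
```

Run it once per application group after publishing; an inherited grant at resource-group or subscription scope is the finding to chase, since removing the application-group assignment alone would not revoke the user's access.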
Next steps
For a more complete list of PowerShell cmdlets each role can use, see the PowerShell reference.
For a complete list of roles supported in Azure RBAC, see Azure built-in roles.
For guidelines for how to set up an Azure Virtual Desktop environment, see Azure Virtual Desktop environment.