Role-based access control

Role-based access control (RBAC) helps you manage who has access to your organization's resources and what they can do with those resources. You can assign roles for your Cloud PCs by using the Microsoft Intune admin center.

When a user with the Subscription Owner or User Access Administrator role creates, edits, or retries an ANC, Windows 365 transparently assigns the required built-in roles the following resources (if they're not already assigned):

  • Azure Subscription
  • Resource group
  • Virtual network associated with the ANC

If you only have the Subscription Reader role, these assignments aren't automatic. Instead, you must manually configure the required built-in roles to the Windows First Party App in Azure.

For more information, see Role-based access control (RBAC) with Microsoft Intune.

Windows 365 Administrator role

Windows 365 supports the Windows 365 Administrator role available for role assignment through the Microsoft Admin Center and Microsoft Entra ID. With this role, you can manage Windows 365 Cloud PCs for both Enterprise and Business editions. The Windows 365 Administrator role can grant more scoped permissions than other Microsoft Entra roles like Global Administrator. For more information, see Microsoft Entra built-in roles.

Cloud PC built-in roles

The following built-in roles are available for Cloud PC:

Cloud PC Administrator

Manages all aspects of Cloud PCs, like:

  • OS image management
  • Azure network connection configuration
  • Provisioning

Cloud PC Reader

Views Cloud PC data available in the Windows 365 node in Microsoft Intune, but can’t make changes.

Windows 365 Network Interface Contributor

The Windows 365 Network Interface Contributor role is assigned to the resource group associated with the Azure network connection (ANC). This role allows the Windows 365 service to create and join the NIC and manage deployment in the resource group. This role is a collection of the minimum permissions required to operate Windows 365 when using an ANC.

Action type Permissions
actions Microsoft.Resources/subscriptions/resourcegroups/read
Microsoft.Resources/deployments/read
Microsoft.Resources/deployments/write
Microsoft.Resources/deployments/delete
Microsoft.Resources/deployments/operations/read
Microsoft.Resources/deployments/operationstatuses/read
Microsoft.Network/locations/operations/read
Microsoft.Network/locations/operationResults/read
Microsoft.Network/locations/usages/read
Microsoft.Network/networkInterfaces/write
Microsoft.Network/networkInterfaces/read
Microsoft.Network/networkInterfaces/delete
Microsoft.Network/networkInterfaces/join/action
Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action
Microsoft.Network/networkInterfaces/effectiveRouteTable/action
notActions None
dataActions None
notDataActions None

Windows 365 Network User

The Windows 365 Network User role is assigned to the virtual network associated with the ANC. This role allows the Windows 365 service to join the NIC to the virtual network. This role is a collection of the minimum permissions required to operate Windows 365 when using an ANC.

Action type Permissions
actions Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/usages/read
Microsoft.Network/virtualNetworks/subnets/join/action
notActions None
dataActions None
notDataActions None

Custom roles

You can create custom roles for Windows 365 in Microsoft Intune admin center. For more information, see Create a custom role.

The following permissions are available when creating custom roles.

Permission Description
Audit Data/Read Read the audit logs of Cloud PC resources in your tenant.
Azure Network Connections/Create Create an on-premises connection for provisioning Cloud PCs. Subscription owner or user access administrator Azure role is also required to create an on-premises connection.
Azure Network Connections/Delete Delete a specific on-premises connection. Reminder: You can't delete a connection in use. Subscription owner or user access administrator Azure role is also required to delete an on-premises connection.
Azure Network Connections/Read Read the properties of on-premises connections.
Azure Network Connections/Update Update the properties of a specific on-premises connection. Subscription owner or user access administrator Azure role is also required to update an on-premises connection.
Azure Network Connections/RunHealthChecks Run health checks on a specific on-premises connection. Subscription owner or user access administrator Azure role is also required to run health checks.
Azure Network Connections/UpdateAdDomainPassword Update Active Directory domain password of a specific on-premises connection.
Cloud PCs/Read Read the properties of Cloud PCs in your tenant.
Cloud PCs/Reprovision Reprovision Cloud PCs in your tenant.
Cloud PCs/Resize Resize Cloud PCs in your tenant.
Cloud PCs/EndGracePeriod End grace period for Cloud PCs in your tenant.
Cloud PCs/Restore Restore Cloud PCs in your tenant.
Cloud PCs/Reboot Reboot Cloud PCs in your tenant.
Cloud PCs/Rename Rename Cloud PCs in your tenant.
Cloud PCs/Troubleshoot Troubleshoot Cloud PCs in your tenant.
Cloud PCs/ChangeUserAccountType Change user account type between local administrator and standard user of a Cloud PC in your tenant.
Cloud PCs/PlaceUnderReview Set Cloud PCs under review in your tenant.
Cloud PCs/RetryPartnerAgentInstallation Attempt to reinstall party partner agents in a Cloud PC which failed to install.
Cloud PCs/ApplyCurrentProvisioningPolicy Apply current provisioning policy config to Cloud PCs in your tenant.
Cloud PCs/CreateSnapshot Manually create snapshot for Cloud PCs in your tenant.
Device Images/Create Upload a custom OS image that you can later provision on Cloud PCs.
Device Images/Delete Delete an OS image from Cloud PC.
Device Images/Read Read the properties of Cloud PC device images.
External Partner Settings/Read Read the properties of a Cloud PC external partner setting.
External Partner Settings/Create Create a new Cloud PC external partner setting.
External Partner Settings/Update Update the properties of a Cloud PC external partner setting.
Organization Settings/Read Read the properties of Cloud PC organization settings.
Organization Settings/Update Update the properties of Cloud PC organization settings.
Performance Reports/Read Read the Windows 365 Cloud PC remote connections related reports.
Provisioning Policies/Assign Assign a Cloud PC provisioning policy to user groups.
Provisioning Policies/Create Create a new Cloud PC provisioning policy.
Provisioning Policies/Delete Delete a Cloud PC provisioning policy. You can't delete a policy that's in use.
Provisioning Policies/Read Read the properties of a Cloud PC provisioning policy.
Provisioning Policies/Update Update the properties of a Cloud PC provisioning policy.
Reports/Export Export Windows 365 related reports.
Role Assignments/Create Create a new Cloud PC role assignment.
Role Assignments/Update Update the properties of a specific Cloud PC role assignment.
Role Assignments/Delete Delete a specific Cloud PC role assignment.
Roles/Read View permissions, role definitions, and role assignments for Cloud PC role. View operation or action that can be performed on a Cloud PC resource (or entity).
Roles/Create Create role for Cloud PC. Create operations can be performed on a Cloud PC resource (or entity).
Roles/Update Update role for Cloud PC. Update operations can be performed on a Cloud PC resource (or entity).
Roles/Delete Delete role for Cloud PC. Delete operations can be performed on a Cloud PC resource (or entity).
Service Plan/Read Read the service plans of Cloud PC.
SharedUseLicenseUsageReports/Read Read the Windows 365 Cloud PC Shared use license usage related reports.
SharedUseServicePlans/Read Read the properties of Cloud PC Shared Use Service Plans.
Snapshot/Read Read the Snapshot of Cloud PC.
Snapshot/Share Share the Snapshot of Cloud PC.
Supported Region/Read Read the supported regions of Cloud PC.
User Settings/Assign Assign a Cloud PC user setting to user groups.
User Settings/Create Create a new Cloud PC user setting.
User Settings/Delete Delete a Cloud PC user setting.
User Settings/Read Read the properties of a Cloud PC user setting.
User Settings/Update Update the properties of a Cloud PC user setting.

To create a provisioning policy, an admin needs the following permissions:

  • Provisioning Policies/Read
  • Provisioning Policies/Create
  • Azure Network Connections/Read
  • Supported Region/Read
  • Device Images/Read

Migrating existing permissions

For ANCs created before November 26, 2023, the Network Contributor role is used to apply permissions on both the Resource Group and Virtual Network. To apply to the new RBAC roles, you can retry the ANC health check. The existing roles must be manually removed.

To manually remove the existing roles and add the new roles, refer to the following table for the existing roles used on each Azure resource. Before removing the existing roles make sure that the updated roles are assigned.

Azure resource Existing role (before November 26, 2023) Updated role (after November 26, 2023)
Resource group Network Contributor Windows 365 Network Interface Contributor
Virtual network Network Contributor Windows 365 Network User
Subscription Reader Reader

For more details about removing a role assignment from an Azure resource, see Remove Azure role assignments.

Scope tags

For RBAC, roles are only part of the equation. While roles work well to define a set of permissions, scope tags help define visibility of your organization’s resources. Scope tags are most helpful when organizing your tenant to have users scoped to certain hierarchies, geographical regions, business units, and so on.

Use Intune to create and manage scope tags. For more information on how scope tags are created and managed, see Use role-based access control (RBAC) and scope tags for distributed IT.

In Windows 365, scope tags can be applied to the following resources:

  • Provisioning policies
  • Azure network connections (ANC)
  • Cloud PCs
  • Custom images
  • Windows 365 RBAC role assignments

To make sure that both the Intune-owned All devices list and Windows 365-owned All Cloud PCs list show the same Cloud PCs based on scope, follow these steps after creating your scope tags and provisioning policy:

  1. Create a Microsoft Entra ID dynamic device group with rule that enrollmentProfileName equals the exact name of the provisioning policy created.
  2. Assign the created scope tag to the dynamic device group.
  3. After the Cloud PC is provisioned and enrolled into Intune, both the All Devices list and All Cloud PCs list should display the same Cloud PCs.

If you add new scope tags to a provisioning policy, make sure you also add the scope tags to the Intune dynamic group. This addition make ssure the dynamic group honors the new scope tags. Also, check on any Cloud PCs that may have unique scope tags added to them to make sure they're still there after any updates.

To make sure that Windows 365 can honor changes to Intune scope tags, this data is synced from Intune. For more information, see Privacy, customer data, and customer content in Windows 365.

To let scoped administrators view which scope tags are assigned to them and the objects within their scope, they must be assigned one of the following roles:

  • Intune read only
  • Cloud PC reader/administrator
  • A custom role with similar permissions.

Next steps

Role-based access control (RBAC) with Microsoft Intune.

Understand Azure role definitions

What is Azure role-based access control (Azure RBAC)?