แก้ไข

แชร์ผ่าน


Built-in Azure RBAC roles for Azure Virtual Desktop

Azure Virtual Desktop uses Azure role-based access control (RBAC) to control access to resources. There are many built-in roles for use with Azure Virtual Desktop that are a collection of permissions. You assign roles to users and admins and these roles give permission to carry out certain tasks. To learn more about Azure RBAC, see What is Azure RBAC?.

The standard built-in roles for Azure are Owner, Contributor, and Reader. However, Azure Virtual Desktop has more roles that let you separate management roles for host pools, application groups, and workspaces. This separation lets you have more granular control over administrative tasks. These roles are named in compliance with Azure's standard roles and least-privilege methodology. Azure Virtual Desktop doesn't have a specific Owner role, but you can use the general Owner role for the service objects.

The built-in roles for Azure Virtual Desktop and the permissions for each one are detailed in this article. You can assign each role to the scope you need. Some Azure Desktop features have specific requirements for the assigned scope, which you can find in the documentation for the relevant feature. For more information, see Understand Azure role definitions and Understand scope for Azure RBAC.

Desktop Virtualization Contributor

The Desktop Virtualization Contributor role allows managing all your Azure Virtual Desktop resources. You also need the User Access Administrator role to assign application groups to user accounts or user groups. This role doesn't grant users access to compute resources.

Action type Permissions
actions
  • Microsoft.DesktopVirtualization/*
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/deployments/*
  • Microsoft.Authorization/*/read
  • Microsoft.Insights/alertRules/*
  • Microsoft.Support/*
notActions None
dataActions None
notDataActions None

Desktop Virtualization Reader

The Desktop Virtualization Reader role allows viewing all your Azure Virtual Desktop resources, but doesn't allow changes.

ID: 49a72310-ab8d-41df-bbb0-79b649203868

Action type Permissions
actions
  • Microsoft.DesktopVirtualization/*/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/deployments/read
  • Microsoft.Authorization/*/read
  • Microsoft.Insights/alertRules/read
  • Microsoft.Support/*
notActions None
dataActions None
notDataActions None

Desktop Virtualization User

The Desktop Virtualization User role allows users to use an application on a session host from an application group as a non-administrative user.

ID: 1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63

Action type Permissions
actions None
notActions None
dataActions
  • Microsoft.DesktopVirtualization/applicationGroups/useApplications/action
notDataActions None

Desktop Virtualization Host Pool Contributor

The Desktop Virtualization Host Pool Contributor role allows managing all aspects of a host pool. You also need the Virtual Machine Contributor role to create virtual machines and the Desktop Virtualization Application Group Contributor and Desktop Virtualization Workspace Contributor roles to deploy Azure Virtual Desktop using the portal, or you can use the Desktop Virtualization Contributor role.

ID: e307426c-f9b6-4e81-87de-d99efb3c32bc

Action type Permissions
actions
  • Microsoft.DesktopVirtualization/hostpools/*
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/deployments/*
  • Microsoft.Authorization/*/read
  • Microsoft.Insights/alertRules/*
  • Microsoft.Support/*
notActions None
dataActions None
notDataActions None

Desktop Virtualization Host Pool Reader

The Desktop Virtualization Host Pool Reader role allows viewing all aspects of a host pool, but doesn't allow changes.

ID: ceadfde2-b300-400a-ab7b-6143895aa822

Action type Permissions
actions
  • Microsoft.DesktopVirtualization/hostpools/*/read
  • Microsoft.DesktopVirtualization/hostpools/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/deployments/read
  • Microsoft.Authorization/*/read
  • Microsoft.Insights/alertRules/read
  • Microsoft.Support/*
notActions None
dataActions None
notDataActions None

Desktop Virtualization Application Group Contributor

The Desktop Virtualization Application Group Contributor role allows managing all aspects of an application group. If you want to assign user accounts or user groups to application groups too, you also need the User Access Administrator role.

ID: 86240b0e-9422-4c43-887b-b61143f32ba8

Action type Permissions
actions
  • Microsoft.DesktopVirtualization/applicationgroups/*
  • Microsoft.DesktopVirtualization/hostpools/read
  • Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/deployments/*
  • Microsoft.Authorization/*/read
  • Microsoft.Insights/alertRules/*
  • Microsoft.Support/*
notActions None
dataActions None
notDataActions None

Desktop Virtualization Application Group Reader

The Desktop Virtualization Application Group Reader role allows viewing all aspects of an application group, but doesn't allow changes.

ID: aebf23d0-b568-4e86-b8f9-fe83a2c6ab55

Action type Permissions
actions
  • Microsoft.DesktopVirtualization/applicationgroups/*/read
  • Microsoft.DesktopVirtualization/applicationgroups/read
  • Microsoft.DesktopVirtualization/hostpools/read
  • Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/deployments/read
  • Microsoft.Authorization/*/read
  • Microsoft.Insights/alertRules/read
  • Microsoft.Support/*
notActions None
dataActions None
notDataActions None

Desktop Virtualization Workspace Contributor

The Desktop Virtualization Workspace Contributor role allows managing all aspects of workspaces. To get information on applications added to a related application group, you also need the Desktop Virtualization Application Group Reader role.

ID: 21efdde3-836f-432b-bf3d-3e8e734d4b2b

Action type Permissions
actions
  • Microsoft.DesktopVirtualization/workspaces/*
  • Microsoft.DesktopVirtualization/applicationgroups/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/deployments/*
  • Microsoft.Authorization/*/read
  • Microsoft.Insights/alertRules/*
  • Microsoft.Support/*
notActions None
dataActions None
notDataActions None

Desktop Virtualization Workspace Reader

The Desktop Virtualization Workspace Reader role allows users to viewing all aspects of a workspace, but doesn't allow changes.

ID: 0fa44ee9-7a7d-466b-9bb2-2bf446b1204d

Action type Permissions
actions
  • Microsoft.DesktopVirtualization/workspaces/read
  • Microsoft.DesktopVirtualization/applicationgroups/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/deployments/read
  • Microsoft.Authorization/*/read
  • Microsoft.Insights/alertRules/read
  • Microsoft.Support/*
notActions None
dataActions None
notDataActions None

Desktop Virtualization User Session Operator

The Desktop Virtualization User Session Operator role allows sending messages, disconnecting sessions, and using the logoff function to sign users out of a session host. However, this role doesn't allow host pool or session host management like removing a session host, changing drain mode, and so on. This role can see assignments, but can't modify members. We recommend you assign this role to specific host pools. If you assign this role at a resource group level, it provides read permission on all host pools under a resource group.

ID: ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6

Action type Permissions
actions
  • Microsoft.DesktopVirtualization/hostpools/read
  • Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
  • Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/*
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/deployments/*
  • Microsoft.Authorization/*/read
  • Microsoft.Insights/alertRules/*
  • Microsoft.Support/*
notActions None
dataActions None
notDataActions None

Desktop Virtualization Session Host Operator

The Desktop Virtualization Session Host Operator role allows viewing and removing session hosts, and changing drain mode. This role can't add session hosts using the Azure portal because it doesn't have write permission for host pool objects. For adding session hosts outside of the Azure portal, if the registration token is valid (generated and not expired), this role can add session hosts to the host pool if the Virtual Machine Contributor role is also assigned.

ID: 2ad6aaab-ead9-4eaa-8ac5-da422f562408

Action type Permissions
actions
  • Microsoft.DesktopVirtualization/hostpools/read
  • Microsoft.DesktopVirtualization/hostpools/sessionhosts/*
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/deployments/*
  • Microsoft.Authorization/*/read
  • Microsoft.Insights/alertRules/*
  • Microsoft.Support/*
notActions None
dataActions None
notDataActions None

Desktop Virtualization Power On Contributor

The Desktop Virtualization Power On Contributor role is used to allow the Azure Virtual Desktop Resource Provider to start virtual machines.

ID: 489581de-a3bd-480d-9518-53dea7416b33

Action type Permissions
actions
  • Microsoft.Compute/virtualMachines/start/action
  • Microsoft.Compute/virtualMachines/read
  • Microsoft.Compute/virtualMachines/instanceView/read
  • Microsoft.Authorization/*/read
  • Microsoft.Insights/alertRules/*
  • Microsoft.Resources/deployments/*
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.AzureStackHCI/virtualMachineInstances/read
  • Microsoft.AzureStackHCI/virtualMachineInstances/start/action
  • Microsoft.AzureStackHCI/virtualMachineInstances/stop/action
  • Microsoft.AzureStackHCI/virtualMachineInstances/restart/action
  • Microsoft.HybridCompute/machines/read
  • Microsoft.HybridCompute/operations/read
  • Microsoft.HybridCompute/locations/operationresults/read
  • Microsoft.HybridCompute/locations/operationstatus/read
notActions None
dataActions None
notDataActions None

Desktop Virtualization Power On Off Contributor

The Desktop Virtualization Power On Off Contributor role is used to allow the Azure Virtual Desktop Resource Provider to start and stop virtual machines.

ID: 40c5ff49-9181-41f8-ae61-143b0e78555e

Action type Permissions
actions
  • Microsoft.Compute/virtualMachines/start/action
  • Microsoft.Compute/virtualMachines/read
  • Microsoft.Compute/virtualMachines/instanceView/read
  • Microsoft.Compute/virtualMachines/deallocate/action
  • Microsoft.Compute/virtualMachines/restart/action
  • Microsoft.Compute/virtualMachines/powerOff/action
  • Microsoft.Insights/eventtypes/values/read
  • Microsoft.Authorization/*/read
  • Microsoft.Insights/alertRules/*
  • Microsoft.Resources/deployments/*
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.DesktopVirtualization/hostpools/read
  • Microsoft.DesktopVirtualization/hostpools/write
  • Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
  • Microsoft.DesktopVirtualization/hostpools/sessionhosts/write
  • Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/delete
  • Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read
  • Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action
  • Microsoft.AzureStackHCI/virtualMachineInstances/read
  • Microsoft.AzureStackHCI/virtualMachineInstances/start/action
  • Microsoft.AzureStackHCI/virtualMachineInstances/stop/action
  • Microsoft.AzureStackHCI/virtualMachineInstances/restart/action
  • Microsoft.HybridCompute/machines/read
  • Microsoft.HybridCompute/operations/read
  • Microsoft.HybridCompute/locations/operationresults/read
  • Microsoft.HybridCompute/locations/operationstatus/read
notActions None
dataActions None
notDataActions None

Desktop Virtualization Virtual Machine Contributor

The Desktop Virtualization Virtual Machine Contributor role is used to allow the Azure Virtual Desktop Resource Provider to create, delete, update, start, and stop virtual machines.

ID: a959dbd1-f747-45e3-8ba6-dd80f235f97c

Action type Permissions
actions
  • Microsoft.DesktopVirtualization/hostpools/read
  • Microsoft.DesktopVirtualization/hostpools/write
  • Microsoft.DesktopVirtualization/hostpools/retrieveRegistrationToken/action
  • Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
  • Microsoft.DesktopVirtualization/hostpools/sessionhosts/write
  • Microsoft.DesktopVirtualization/hostpools/sessionhosts/delete
  • Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read
  • Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/disconnect/action
  • Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action
  • Microsoft.DesktopVirtualization/hostpools/sessionHostConfigurations/read
  • Microsoft.Compute/availabilitySets/read
  • Microsoft.Compute/availabilitySets/write
  • Microsoft.Compute/availabilitySets/vmSizes/read
  • Microsoft.Compute/disks/read
  • Microsoft.Compute/disks/write
  • Microsoft.Compute/disks/delete
  • Microsoft.Compute/galleries/read
  • Microsoft.Compute/galleries/images/read
  • Microsoft.Compute/galleries/images/versions/read
  • Microsoft.Compute/images/read
  • Microsoft.Compute/locations/usages/read
  • Microsoft.Compute/locations/vmSizes/read
  • Microsoft.Compute/operations/read
  • Microsoft.Compute/skus/read
  • Microsoft.Compute/virtualMachines/read
  • Microsoft.Compute/virtualMachines/write
  • Microsoft.Compute/virtualMachines/delete
  • Microsoft.Compute/virtualMachines/start/action
  • Microsoft.Compute/virtualMachines/powerOff/action
  • Microsoft.Compute/virtualMachines/restart/action
  • Microsoft.Compute/virtualMachines/deallocate/action
  • Microsoft.Compute/virtualMachines/runCommand/action
  • Microsoft.Compute/virtualMachines/extensions/read
  • Microsoft.Compute/virtualMachines/extensions/write
  • Microsoft.Compute/virtualMachines/extensions/delete
  • Microsoft.Compute/virtualMachines/runCommands/read
  • Microsoft.Compute/virtualMachines/runCommands/write
  • Microsoft.Compute/virtualMachines/vmSizes/read
  • Microsoft.Network/networkSecurityGroups/read
  • Microsoft.Network/networkInterfaces/write
  • Microsoft.Network/networkInterfaces/read
  • Microsoft.Network/networkInterfaces/join/action
  • Microsoft.Network/networkInterfaces/delete
  • Microsoft.Network/virtualNetworks/subnets/read
  • Microsoft.Network/virtualNetworks/subnets/join/action
  • Microsoft.Marketplace/offerTypes/publishers/offers/plans/agreements/read
  • Microsoft.KeyVault/vaults/deploy/action
  • Microsoft.Storage/storageAccounts/read
  • Microsoft.Authorization/*/read
  • Microsoft.Insights/alertRules/*
  • Microsoft.Resources/deployments/*
  • Microsoft.Resources/subscriptions/resourceGroups/read
notActions None
dataActions None
notDataActions None