Merge pull request #192455 from dknappettmsft/avd-rbac-desktop-virtualization-user

tamarakhader · web-flow · commit f4b0879ac533 · 2022-03-23T13:21:51.000+03:00
AVD updated RBAC roles and TOC
diff --git a/articles/virtual-desktop/TOC.yml b/articles/virtual-desktop/TOC.yml
@@ -61,8 +61,14 @@
         href: connection-latency.md
   - name: Virtual machine sizing guidance
     href: /windows-server/remote/remote-desktop-services/virtual-machine-recs?context=/azure/virtual-desktop/context/context
-  - name: Delegated access in Azure Virtual Desktop
-    href: delegated-access-virtual-desktop.md
+  - name: Identity and access management
+    items:
+    - name: Identities and authentication
+      href: authentication.md
+    - name: Azure RBAC roles
+      href: rbac.md
+    - name: Delegated access
+      href: delegated-access-virtual-desktop.md
   - name: Host pool load-balancing methods
     href: host-pool-load-balancing.md
   - name: FSLogix profile containers and Azure files
diff --git a/articles/virtual-desktop/authentication.md b/articles/virtual-desktop/authentication.md
@@ -1,18 +1,17 @@
 ---
-title: Azure Virtual Desktop authentication - Azure
-description: Authentication methods for Azure Virtual Desktop.
+title: Azure Virtual Desktop identities and authentication - Azure
+description: Identities and authentication methods for Azure Virtual Desktop.
 services: virtual-desktop
 author: Heidilohr
-
 ms.service: virtual-desktop
 ms.topic: conceptual
 ms.date: 12/07/2021
 ms.author: helohr
 manager: femila
 ---
-# Supported authentication methods
+# Supported identities and authentication methods
 
-In this article, we'll give you a brief overview of what kinds of authentication you can use in Azure Virtual Desktop.
+In this article, we'll give you a brief overview of what kinds of identities and authentication methods you can use in Azure Virtual Desktop.
 
 ## Identities
 
diff --git a/articles/virtual-desktop/rbac.md b/articles/virtual-desktop/rbac.md
@@ -1,154 +1,141 @@
 ---
-title: Built-in roles Azure Virtual Desktop - Azure
-description: An overview of built-in roles for Azure Virtual Desktop available for Azure RBAC.
+title: Built-in Azure RBAC roles Azure Virtual Desktop
+description: An overview of built-in Azure RBAC roles for Azure Virtual Desktop available.
 services: virtual-desktop
 author: Heidilohr
-
 ms.service: virtual-desktop
 ms.topic: conceptual
-ms.date: 12/15/2020
+ms.date: 03/22/2022
 ms.author: helohr
 manager: femila
 ---
-# Built-in roles for Azure Virtual Desktop
+# Built-in Azure RBAC roles for Azure Virtual Desktop
 
-Azure Virtual Desktop uses Azure role-based access controls (RBAC) to assign roles to users and admins. These roles give admins permission to carry out certain tasks. To learn more about built-in roles for Azure RBAC, see [Azure built-in roles](../role-based-access-control/built-in-roles.md).
+Azure Virtual Desktop uses Azure role-based access control (RBAC) to control access to resources. There are a number of built-in roles for use with Azure Virtual Desktop  which is a collection of permissions. You assign roles to users and admins and these roles give permission to carry out certain tasks. To learn more about Azure RBAC, see [What is Azure RBAC?](../role-based-access-control/overview.md).
 
-The standard built-in roles for Azure are Owner, Contributor, and Reader. However, Azure Virtual Desktop has additional roles that let you separate management roles for host pools, app groups, and workspaces. This separation lets you have more granular control over administrative tasks. These roles are named in compliance with Azure's standard roles and least-privilege methodology.
+The standard built-in roles for Azure are Owner, Contributor, and Reader. However, Azure Virtual Desktop has additional roles that let you separate management roles for host pools, application groups, and workspaces. This separation lets you have more granular control over administrative tasks. These roles are named in compliance with Azure's standard roles and least-privilege methodology.
 
-Azure Virtual Desktop doesn't have a specific Owner role. However, you can use a standard Owner role for the service objects.
+Azure Virtual Desktop doesn't have a specific Owner role. However, you can use the general Owner role for the service objects.
 
-## Desktop Virtualization Contributor
+The built-in roles for Azure Virtual Desktop and the permissions for each one are detailed below. The assignable scope for all built-in roles are set to the root scope ("/"). The root scope indicates that the role is available for assignment in all scopes, for example management groups, subscriptions, or resource groups. For more information, see [Understand Azure role definitions](../role-based-access-control/role-definitions.md).
 
-The Desktop Virtualization Contributor role lets you manage all aspects of the deployment. However, it doesn't grant you access to compute resources. You'll also need the User Access Administrator role to publish app groups to users or user groups.
+## Desktop Virtualization Contributor
 
+The Desktop Virtualization Contributor role allows users to manage all aspects of the deployment. However, it doesn't grant users access to compute resources. You'll also need the *User Access Administrator* role to publish application groups to users or user groups.
 
-- Microsoft.DesktopVirtualization/\* 
-- Microsoft.Resources/subscriptions/resourceGroups/read
-- Microsoft.Resources/deployments/\*
-- Microsoft.Authorization/\*/read
-- Microsoft.Insights/alertRules/\*
-- Microsoft.Support/\*
+| Action type | Permissions |
+|--|--|
+| actions | <ul><li>Microsoft.DesktopVirtualization/\*</li><li>Microsoft.Resources/subscriptions/resourceGroups/read</li><li>Microsoft.Resources/deployments/\*</li><li>Microsoft.Authorization/\*/read</li><li>Microsoft.Insights/alertRules/\*</li><li>Microsoft.Support/\*</li></ul> |
+| notActions | None |
+| dataActions | None |
+| notDataActions | None |
 
 ## Desktop Virtualization Reader
 
-The Desktop Virtualization Reader role lets you view everything in the deployment but doesn't let you make any changes.
+The Desktop Virtualization Reader role allows users to view everything in the deployment, but doesn't let them make any changes.
 
-- Microsoft.DesktopVirtualization/\*/read
-- Microsoft.Resources/subscriptions/resourceGroups/read
-- Microsoft.Resources/deployments/read
-- Microsoft.Authorization/\*/read
-- Microsoft.Insights/alertRules/\*
-- Microsoft.Support/\*
+| Action type | Permissions |
+|--|--|
+| actions | <ul><li>Microsoft.DesktopVirtualization/\*/read</li><li>Microsoft.Resources/subscriptions/resourceGroups/read</li><li>Microsoft.Resources/deployments/read</li><li>Microsoft.Authorization/\*/read</li><li>Microsoft.Insights/alertRules/read</li><li>Microsoft.Support/\*</li></ul> |
+| notActions | None |
+| dataActions | None |
+| notDataActions | None |
 
-## Desktop Virtualization Host Pool Contributor
+## Desktop Virtualization User
 
-The Host Pool Contributor role lets you manage all aspects of host pools, including access to resources. You'll need an extra contributor role, Virtual Machine Contributor, to create virtual machines. You will need AppGroup and Workspace contributor roles to create host pool using the portal or you can use Desktop Virtualization Contributor role.
+The Desktop Virtualization User role allows users to use the applications in an application group.
+
+| Action type | Permissions |
+|--|--|
+| actions | None |
+| notActions | None |
+| dataActions | <ul><li>Microsoft.DesktopVirtualization/applicationGroups/useApplications/action</li></ul> |
+| notDataActions | None |
+
+## Desktop Virtualization Host Pool Contributor
 
-The following list describes which permissions this role can access:
+The Desktop Virtualization Host Pool Contributor role allows users to manage all aspects of host pools, including access to resources. You'll also need the *Virtual Machine Contributor* role to create virtual machines. You will need *Desktop Virtualization Application Group Contributor* and *Desktop Virtualization Workspace Contributor* roles to create host pools using the portal, or you can use the *Desktop Virtualization Contributor* role.
 
-- Microsoft.DesktopVirtualization/hostpools/\*
-- Microsoft.Resources/subscriptions/resourceGroups/read
-- Microsoft.Resources/deployments/\*
-- Microsoft.Authorization/\*/read
-- Microsoft.Insights/alertRules/\*
-- Microsoft.Support/\*
+| Action type | Permissions |
+|--|--|
+| actions | <ul><li>Microsoft.DesktopVirtualization/hostpools/\*</li><li>Microsoft.Resources/subscriptions/resourceGroups/read</li><li>Microsoft.Resources/deployments/\*</li><li>Microsoft.Authorization/\*/read</li><li>Microsoft.Insights/alertRules/\*</li><li>Microsoft.Support/\*</li></ul> |
+| notActions | None |
+| dataActions | None |
+| notDataActions | None |
 
 ## Desktop Virtualization Host Pool Reader
 
-The Host Pool Reader role lets you view everything in the host pool, but won't allow you to make any changes.
+The Desktop Virtualization Host Pool Reader role allows users to view everything in the host pool, but won't allow them to make any changes.
 
-- Microsoft.DesktopVirtualization/hostpools/\*/read
-- Microsoft.Resources/subscriptions/resourceGroups/read
-- Microsoft.Resources/deployments/read
-- Microsoft.Authorization/\*/read
-- Microsoft.Insights/alertRules/\*
-- Microsoft.Support/\*
+| Action type | Permissions |
+|--|--|
+| actions | <ul><li>Microsoft.DesktopVirtualization/hostpools/\*/read</li><li>Microsoft.DesktopVirtualization/hostpools/read</li><li>Microsoft.Resources/subscriptions/resourceGroups/read</li><li>Microsoft.Resources/deployments/read</li><li>Microsoft.Authorization/\*/read</li><li>Microsoft.Insights/alertRules/read</li><li>Microsoft.Support/\*</li></ul> |
+| notActions | None |
+| dataActions | None |
+| notDataActions | None |
 
 ## Desktop Virtualization Application Group Contributor
 
-The Application Group Contributor role lets you manage all aspects of app groups. If you want to publish app groups to users or user groups, you'll need the User Access Administrator role.
+The Desktop Virtualization Application Group Contributor role allows users to manage all aspects of application groups. If you want users to publish application groups to users or user groups, they'll also need the *User Access Administrator* role.
 
-The following list describes which permissions this role can access:
-
-- Microsoft.DesktopVirtualization/applicationgroups/\*
-- Microsoft.DesktopVirtualization/hostpools/read
-- Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
-- Microsoft.Resources/subscriptions/resourceGroups/read
-- Microsoft.Resources/deployments/\*
-- Microsoft.Authorization/\*/read
-- Microsoft.Insights/alertRules/\*
-- Microsoft.Support/\*
+| Action type | Permissions |
+|--|--|
+| actions | <ul><li>Microsoft.DesktopVirtualization/applicationgroups/\*</li><li>Microsoft.DesktopVirtualization/hostpools/read</li><li>Microsoft.DesktopVirtualization/hostpools/sessionhosts/read</li><li>Microsoft.Resources/subscriptions/resourceGroups/read</li><li>Microsoft.Resources/deployments/\*</li><li>Microsoft.Authorization/\*/read</li><li>Microsoft.Insights/alertRules/\*</li><li>Microsoft.Support/\*</ul></li> |
+| notActions | None |
+| dataActions | None |
+| notDataActions | None |
 
 ## Desktop Virtualization Application Group Reader
 
-The Application Group Reader role lets you view everything in the app group and will not allow you to make any changes.
-
-The following list describes which permissions this role can access:
+The Desktop Virtualization Application Group Reader role allows users to view everything in the application group and will not allow them to make any changes.
 
-- Microsoft.DesktopVirtualization/applicationgroups/\*/read
-- Microsoft.DesktopVirtualization/applicationgroups/read
-- Microsoft.DesktopVirtualization/hostpools/read
-- Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
-- Microsoft.Resources/subscriptions/resourceGroups/read
-- Microsoft.Resources/deployments/read
-- Microsoft.Authorization/\*/read
-- Microsoft.Insights/alertRules/\*
-- Microsoft.Support/\*
+| Action type | Permissions |
+|--|--|
+| actions | <ul><li>Microsoft.DesktopVirtualization/applicationgroups/\*/read</li><li>Microsoft.DesktopVirtualization/applicationgroups/read</li><li>Microsoft.DesktopVirtualization/hostpools/read</li><li>Microsoft.DesktopVirtualization/hostpools/sessionhosts/read</li><li>Microsoft.Resources/subscriptions/resourceGroups/read</li><li>Microsoft.Resources/deployments/read</li><li>Microsoft.Authorization/\*/read</li><li>Microsoft.Insights/alertRules/read</li><li>Microsoft.Support/\*</li></ul> |
+| notActions | None |
+| dataActions | None |
+| notDataActions | None |
 
 ## Desktop Virtualization Workspace Contributor
 
-The Workspace Contributor role lets you manage all aspects of workspaces. To get information on applications added to the app groups, you'll also need to be assigned the Application Group Reader role.
-
-The following list describes which permissions this role can access:
+The Desktop Virtualization Workspace Contributor role allows users to manage all aspects of workspaces. To get information on applications added to the application groups, they'll also need the *Application Group Reader* role.
 
-- Microsoft.DesktopVirtualization/workspaces/\*
-- Microsoft.DesktopVirtualization/applicationgroups/read
-- Microsoft.Resources/subscriptions/resourceGroups/read
-- Microsoft.Resources/deployments/\*
-- Microsoft.Authorization/\*/read
-- Microsoft.Insights/alertRules/\*
-- Microsoft.Support/\*
+| Action type | Permissions |
+|--|--|
+| actions | <ul><li>Microsoft.DesktopVirtualization/workspaces/\*</li><li>Microsoft.DesktopVirtualization/applicationgroups/read</li><li>Microsoft.Resources/subscriptions/resourceGroups/read</li><li>Microsoft.Resources/deployments/\*</li><li>Microsoft.Authorization/\*/read</li><li>Microsoft.Insights/alertRules/\*</li><li>Microsoft.Support/\*</li></ul> |
+| notActions | None |
+| dataActions | None |
+| notDataActions | None |
 
 ## Desktop Virtualization Workspace Reader
 
-The Workspace Reader role lets you view everything in the workspace, but won't allow you to make any changes.
+The Desktop Virtualization Workspace Reader role allows users to view everything in the workspace, but won't allow them to make any changes.
 
-The following list describes which permissions this role can access:
-
-- Microsoft.DesktopVirtualization/workspaces/read
-- Microsoft.DesktopVirtualization/applicationgroups/read
-- Microsoft.Resources/subscriptions/resourceGroups/read
-- Microsoft.Resources/deployments/read
-- Microsoft.Authorization/\*/read
-- Microsoft.Insights/alertRules/\*
-- Microsoft.Support/\*
+| Action type | Permissions |
+|--|--|
+| actions | <ul><li>Microsoft.DesktopVirtualization/workspaces/read</li><li>Microsoft.DesktopVirtualization/applicationgroups/read</li><li>Microsoft.Resources/subscriptions/resourceGroups/read</li><li>Microsoft.Resources/deployments/read</li><li>Microsoft.Authorization/\*/read</li><li>Microsoft.Insights/alertRules/read</li><li>Microsoft.Support/\*</li></ul> |
+| notActions | None |
+| dataActions | None |
+| notDataActions | None |
 
 ## Desktop Virtualization User Session Operator
 
-The User Session Operator role lets you send messages, disconnect sessions, and use the "logoff" function to sign sessions out of the session host. However, this role doesn't let you perform session host management like removing session host, changing drain mode, and so on. This role can see assignments, but can't modify admins. We recommend you assign this role to specific host pools. If you give this permission at a resource group level, the admin will have read permission on all host pools under a resource group.
-
-The following list describes which permissions this role can access:
+The Desktop Virtualization User Session Operator role allows users to send messages, disconnect sessions, and use the "logoff" function to sign sessions out of the session host. However, this role doesn't let users perform session host management like removing session host, changing drain mode, and so on. This role can see assignments, but can't modify admins. We recommend you assign this role to specific host pools. If you give this permission at a resource group level, the admin will have read permission on all host pools under a resource group.
 
-- Microsoft.DesktopVirtualization/hostpools/read
-- Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
-- Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/\*
-- Microsoft.Resources/subscriptions/resourceGroups/read
-- Microsoft.Resources/deployments/read
-- Microsoft.Authorization/\*/read
-- Microsoft.Insights/alertRules/\*
-- Microsoft.Support/\*
+| Action type | Permissions |
+|--|--|
+| actions | <ul><li>Microsoft.DesktopVirtualization/hostpools/read</li><li>Microsoft.DesktopVirtualization/hostpools/sessionhosts/read</li><li>Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/\*</li><li>Microsoft.Resources/subscriptions/resourceGroups/read</li><li>Microsoft.Resources/deployments/\*</li><li>Microsoft.Authorization/\*/read</li><li>Microsoft.Insights/alertRules/\*</li><li>Microsoft.Support/\*</li></ul> |
+| notActions | None |
+| dataActions | None |
+| notDataActions | None |
 
 ## Desktop Virtualization Session Host Operator
 
-The Session Host Operator role lets you view and remove session hosts, as well as change drain mode. They can't add session hosts using the Azure portal because they don't have write permission for host pool objects. If the registration token is valid (generated and not expired), you can use this role to add session hosts to the host pool outside of Azure portal if the admin has compute permissions  through the Virtual Machine Contributor role.
-
-The following list describes which permissions this role can access:
+The Desktop Virtualization Session Host Operator role allows users to view and remove session hosts, as well as change drain mode. Users can't add session hosts using the Azure portal because they don't have write permission for host pool objects. If the registration token is valid (generated and not expired), users assigned this role can add session hosts to the host pool outside of the Azure portal if they also have the *Virtual Machine Contributor* role.
 
-- Microsoft.DesktopVirtualization/hostpools/read
-- Microsoft.DesktopVirtualization/hostpools/sessionhosts/\*
-- Microsoft.Resources/subscriptions/resourceGroups/read
-- Microsoft.Resources/deployments/read
-- Microsoft.Authorization/\*/read
-- Microsoft.Insights/alertRules/\*
-- Microsoft.Support/\*
+| Action type | Permissions |
+|--|--|
+| actions | <ul><li>Microsoft.DesktopVirtualization/hostpools/read</li><li>Microsoft.DesktopVirtualization/hostpools/sessionhosts/\*</li><li>Microsoft.Resources/subscriptions/resourceGroups/read</li><li>Microsoft.Resources/deployments/\*</li><li>Microsoft.Authorization/\*/read</li><li>Microsoft.Insights/alertRules/\*</li><li>Microsoft.Support/\*</li></ul> |
+| notActions | None |
+| dataActions | None |
+| notDataActions | None |
