This management is vital for ensuring secure access and proper functionality of your virtual desktop environment, particularly with regard to the AZ-140 certification exam.
Understanding the Azure Active Directory (Azure AD) Structures
Azure Active Directory is the foundation of security and access management on Azure. Within Azure AD, there are three main elements: roles, groups, and rights.
- Roles: These are sets of permissions that dictate what a user or application can and cannot do within a specific scope in Azure. Examples of roles include Owner, Contributor, and Reader. There are many built-in roles in Azure, or you can define custom roles based on specific needs.
- Groups: These are collections of users. Assigning users to groups simplifies the assignment of roles and permissions, as you can make assignments at the group level rather than individually.
- Rights (Permissions): These are tied to roles, defining the individual actions that a role can take in Azure.
Manage Roles on Azure Virtual Desktop
You can manage roles in Azure through the Azure portal, Azure CLI, or PowerShell. A role assignment always binds three things: a security principal (user, group, or service principal), a role definition, and a scope. To assign a role in the portal, navigate to the resource (or resource group or subscription) at which you want the role to apply, select “Access control (IAM)”, then “Add a role assignment”. Choose the appropriate role and assign it to a user, group, or service principal.
In the context of Azure Virtual Desktop, here are a few built-in roles that are commonly assigned to users:
- “Desktop Virtualization User”: This role is given to end-users who connect to their own personal or pooled session host VMs.
- “Desktop Virtualization Host Pool Contributor”: This role can manage host pools and app groups, but it cannot manage assigned users or create new ones.
- “Desktop Virtualization IT Admin”: This role can manage all objects and connections within a tenant.
Manage Groups on Azure Virtual Desktop
When it comes to managing groups in AVD, note that each host pool can host multiple app groups. App groups are used to publish apps or desktops to users or user groups. You can use Azure AD groups to manage user access to app groups and host pools.
To assign a user group to an application group, navigate to the desired application group, select “Assignments”, and then “Add”. Choose a user or user group from your Azure AD directory.
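The portal steps above (a role assignment at the application group scope) can be scripted with the Az PowerShell modules. The following is an added example, not code from the original page or from Microsoft; the resource group, application group and Azure AD group names are placeholders. Publishing an app group to a group is exactly a “Desktop Virtualization User” role assignment scoped to that application group, and the last step lists every assignment visible at that scope so you can spot anything broader than the role the users actually need.

```powershell
# Added example (not from the original page): assign an Azure AD group to an AVD
# application group with Az PowerShell, then review the assignments at that scope.
# Requires the Az.Accounts, Az.Resources and Az.DesktopVirtualization modules.
# All names below are placeholders for this example.
$resourceGroup = 'rg-avd-prod'          # assumed resource group
$appGroupName  = 'ag-finance-desktop'   # assumed application group
$groupName     = 'AVD-Finance-Users'    # assumed Azure AD security group

Connect-AzAccount | Out-Null

# Resolve the security principal (the Azure AD group) by display name.
$adGroup = Get-AzADGroup -DisplayName $groupName
if (-not $adGroup) { throw "Azure AD group '$groupName' not found" }

# Resolve the scope: the application group's resource ID.
$appGroup = Get-AzWvdApplicationGroup -ResourceGroupName $resourceGroup -Name $appGroupName
$scope = $appGroup.Id

# A role assignment binds principal + role definition + scope. End users only
# need 'Desktop Virtualization User' at the application group, nothing broader.
$existing = Get-AzRoleAssignment -ObjectId $adGroup.Id -Scope $scope `
    -RoleDefinitionName 'Desktop Virtualization User'
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $adGroup.Id `
        -RoleDefinitionName 'Desktop Virtualization User' -Scope $scope | Out-Null
}

# Review assignments at this scope (Get-AzRoleAssignment also shows assignments
# inherited from the resource group, subscription and management group).
# A Contributor or Owner assignment that reaches session-host users here is a
# least-privilege finding worth following up.
Get-AzRoleAssignment -Scope $scope |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

The idempotency check before New-AzRoleAssignment matters in automation: re-running the script should not fail or create duplicates, and the same pattern is what a drift-detection job would use to confirm that only the intended group holds the role.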
Rights Assignments on Azure Virtual Desktop
Rights are the granular permissions assigned to roles. In Azure, you assign rights indirectly through role assignments.
As previously mentioned, roles define sets of rights. Each right is an operation string of the form {resource provider}/{resource type}/{action}, where “*” is a wildcard. For instance, the Owner role has rights like “Microsoft.Authorization/*/Write”, meaning it can write all authorization policies. Meanwhile, a Reader role might have rights like “Microsoft.Support/*/Read”, meaning it can read all support tickets.
Conclusion
Roles, groups, and rights are critical components in managing access to Azure Virtual Desktop session hosts. Understanding these components and how to manage them assists in creating an environment that is secure, organized, and efficient.
Remember that the goal is not just to pass the AZ-140 exam, but to acquire the knowledge and skills necessary to effectively operate AVD in a real-world environment. Make use of the documentation available on Microsoft’s official website for a comprehensive understanding of these concepts.
Practice Test
True/False: You can create and manage Active Directory groups for Azure Virtual Desktop session hosts.
- True
- False
Answer: True
Explanation: Active Directory groups can be created and managed on Azure Virtual Desktop. These groups provide centralized security and user management, enabling administrators to set permissions for all members.
True/False: In Azure Virtual Desktop, a single user can have multiple roles assigned to them.
- True
- False
Answer: True
Explanation: A single user can indeed have multiple roles assigned to them on Azure Virtual Desktop. Each role has different permissions, and one user can have multiple roles depending on what access level they require.
True/False: Azure Virtual Desktop only allows 10 people to be added to a group.
- True
- False
Answer: False
Explanation: There is no limit to the number of members you can add to a group in Azure. Groups can contain users, devices, other groups, and even service principals depending on your requirements.
In Azure Virtual Desktop, which of the following roles does not exist?
- A) Access package manager
- B) Catalog creator and manager
- C) Session host manager
- D) Network reader
Answer: D) Network reader
Explanation: Azure Virtual Desktop offers a variety of roles including the access package manager, catalog creator and manager, and session host manager. The network reader role does not exist in Azure Virtual Desktop.
What is the maximum number of roles that can be assigned to a single user on Azure Virtual Desktop?
- A) 10
- B) 20
- C) There is no limit
- D) 1
Answer: C) There is no limit
Explanation: Azure Virtual Desktop does not limit the number of roles that can be assigned to a single user. Users can be assigned multiple roles as per requirement.
True/False: You need to give the contributor role to a user to restart a virtual machine.
- True
- False
Answer: True
Explanation: The Contributor role has full access to manage all resources in Azure, including restarting a VM.
Which of the following is a built-in role in Azure Virtual Desktop?
- A) Owner
- B) Reader
- C) Writer
- D) Both A and B
Answer: D) Both A and B
Explanation: Both Owner and Reader are built-in roles available in Azure Virtual Desktop. An owner has full access to all resources, while a reader can view but not change resources.
True/False: In Azure Virtual Desktop, administrators can create custom roles.
- True
- False
Answer: True
Explanation: Azure Virtual Desktop provides the ability for administrators to create custom roles. This helps in providing more granular control over who can access what resources.
In Azure Virtual Desktop, what is the role of ‘Desktop Virtualization User Session Information Reader’?
- A) Restart a virtual machine
- B) List sessions and send messages
- C) Tailor the group assignment to workspaces
- D) Manage permissions
Answer: B) List sessions and send messages
Explanation: The ‘Desktop Virtualization User Session Information Reader’ role is typically assigned to service principals that need to list sessions and send messages in an Azure Virtual Desktop environment.
True/False: Azure Virtual Desktop supports nested groups from Active Directory.
- True
- False
Answer: True
Explanation: Yes, Azure Virtual Desktop supports nested groups, meaning groups that contain other groups. This can be leveraged for seamless user and permission management.
True/False: In Azure Virtual Desktop, you cannot limit access to certain resources based on user roles.
- True
- False
Answer: False
Explanation: User roles in Azure Virtual Desktop can be used to dictate what resources a user can access. This aids in ensuring that users only have access to necessary resources, enhancing security.
What is the purpose of ‘Desktop Virtualization Host Pool Contributor’ role in Azure Virtual Desktop?
- A) Create and manage host pools
- B) List sessions and send messages
- C) Manage permissions
- D) Restart a virtual machine
Answer: A) Create and manage host pools
Explanation: The ‘Desktop Virtualization Host Pool Contributor’ role can create, read, update, and delete host pools and associated entities. It can’t, however, manage assignments to application groups.
Interview Questions
What is the primary purpose of using roles in Azure Virtual Desktop session hosts?
Roles are used to control who has access to what resources. They ensure certain individuals or groups only have the permissions they need to perform their tasks, limiting potential exposure of sensitive resources.
How can you assign roles in Azure?
You can assign roles at different scopes via Azure portal, Azure CLI, Azure PowerShell, or REST APIs. For example, you could assign a role at the subscription, resource group, or individual resource level.
What is the use of group assignments in Azure Virtual Desktop?
Group assignments are useful for granting access and assigning roles to multiple users at once. Instead of individually assigning roles to each user, a single role can be assigned to a group.
Can you change the rights on an existing role in Azure Virtual Desktop?
No, you cannot modify the permissions in a built-in role. However, you can create a custom role with the specific permissions you require and assign that to your user or group.
Where can you manage groups in Azure Virtual Desktop?
You can manage groups in Azure Active Directory. From the Azure portal, you can create, manage, and delete security and organizational groups, and assign users or resources to these groups.
Can one user be a part of multiple groups in Azure Virtual Desktop?
Yes, a user can be part of multiple groups and have multiple roles.
How does role-based access control (RBAC) function in Azure Virtual Desktop?
RBAC is the system that manages who has access to Azure resources, what they can do with those resources, and what areas they have access to. RBAC is an authorization system baked into Azure.
Can you designate a built-in role as a Custom role?
No, you can’t convert existing built-in roles to custom roles. However, you can create new custom roles based on the permissions set in a built-in role.
How are resources managed in Azure Virtual Desktop?
Resources in Azure Virtual Desktop are managed through Azure Resource Manager, which allows you to organize resources and apply consents in a consistent manner.
What is the principle of least privilege and how does it apply in Azure Virtual Desktop?
The principle of least privilege states that users and accounts should have the minimal level of access – or permissions – necessary to complete their job functions. In Azure Virtual Desktop, this principle is applied through the assignment of roles and rights to users and groups – granting only the access to resources that their tasks require.
How do Azure policies contribute to rights assignments?
Azure policies help you enforce organizational standards and assess compliance at scale. With Azure policies, you can ensure that the necessary rights assignments are in place and that non-compliant assignments are identified.
Is there a limit on the number of role assignments that can be created in an Azure subscription?
Yes, Azure enforces a limit of 2000 role assignments per Azure subscription. This includes roles assigned at the management group, subscription, resource group, and resource scopes.
What is Azure Active Directory?
Azure Active Directory is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources in Azure.
What are Azure built-in roles for Azure resources?
Built-in roles for Azure resources are system roles that provide specific permissions for resources. They are typically designed around common use-cases, and you cannot alter their permissions.
Can you remove permission from a built-in role?
No, you can’t remove permissions from a built-in role. However, you can create a custom role without this permission and assign the user or group to this new custom role.
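The three questions above on custom roles, together with the earlier point that rights are operation strings attached to a role, can be shown in one Az PowerShell script. This is an added example, not code from the original page or from Microsoft: it reads the Actions of a built-in role, copies the definition into a custom role that withholds one right via NotActions, and confirms what was stored. The subscription ID, custom role name and the withheld operation name are assumptions for the example.

```powershell
# Added example (not from the original page): read the rights (Actions) of a
# built-in role, then clone it into a custom role that drops one permission.
# Requires the Az.Accounts and Az.Resources modules; values are placeholders.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$sourceRole     = 'Desktop Virtualization Host Pool Contributor'
$customRoleName = 'AVD Host Pool Operator (no delete)'     # assumed name

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# 1. Inspect the built-in role. Each entry is an operation string of the form
#    {provider}/{resourceType}/{action}; '*' is a wildcard.
$builtIn = Get-AzRoleDefinition -Name $sourceRole
"Actions granted by '$sourceRole':"
$builtIn.Actions
"NotActions:"
$builtIn.NotActions

# 2. Built-in roles cannot be edited, so fetch a fresh copy and turn it into a
#    custom role. Clearing Id and setting IsCustom makes New-AzRoleDefinition
#    create a new definition instead of touching the built-in one.
$custom = Get-AzRoleDefinition -Name $sourceRole
$custom.Id = $null
$custom.IsCustom = $true
$custom.Name = $customRoleName
$custom.Description = "Host pool management without delete rights (custom, derived from '$sourceRole')"

# Withhold the single right. NotActions subtracts from Actions within this role;
# it is not a deny rule and cannot block a right granted by another assignment.
$custom.NotActions.Add('Microsoft.DesktopVirtualization/hostpools/delete')   # operation name assumed

# Custom roles must list the scopes at which they may be assigned.
$custom.AssignableScopes.Clear()
$custom.AssignableScopes.Add("/subscriptions/$subscriptionId")

# 3. Create it, then confirm the effective definition.
New-AzRoleDefinition -Role $custom | Out-Null
Get-AzRoleDefinition -Name $customRoleName |
    Select-Object Name, IsCustom, Actions, NotActions, AssignableScopes
```

Two caveats a practitioner should keep in mind: NotActions only narrows this role, so a principal that also holds Contributor elsewhere still has the withheld right; and the custom role definition is itself an authorization resource, so changes to it should be reviewed like any other role assignment change.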