Delegated Access – Windows Virtual Desktop

Delegated Access overview:

A useful component that comes with Windows Virtual Desktop is the WVD delegated access model. This function lets you define and control access at various levels of the WVD Structure. The role assignment has three key components, which include: Security principal, Role definition and Scope. One point to note is that WVD delegated access is based on Azure’s RBAC model. Delegated access could prove to be extremely useful for multi tiered IT support teams allowing you to manage and control access to WVD at different levels.

Understanding Role Assignment:

As you can see in the image below, the delegated access model has been broken down in to three components. The Security Principle is for users and service principles. The Role Definition is for built-in roles “RDSRoleAssignment” and Scope is the section of WVD were you would want to assign delegated permissions. A quick Role Assignment Example: I need to assign as “RDS Owner” to the tenant group. Add the “-tenantname” for the tenant.

New-RdsRoleAssignment -TenantGroupName yourtenantgroup -TenantName Example -RoleDefinitionName “RDS Owner” -SignInName -AadTenantId “xxxx-xxxx-xxxx-xxxx-xxxx”

An Example of assigning delegated access in an organisation:

In this example i have assigned delegated access to the following scope: Tenant groups, Tenants and Host Pools. The diagram below shows a Global Admin who has full control at the tenant group level, a tenant admin who has been assigned full control at a single tenant level (one specific tenant), one IT support user assigned with read only access at the tenant level and finally the same IT support admin assigned RDS contributor access at the HostPool Level.

What this means is the Global admin has full control of all tenants including security. The Tenant admin has full control of a single tenant for security on that tenant and the IT admin can only view the assigned tenant and has access at the host level but no access to resources.

Built in Roles:

The following roles are included in WVD’s Delegated access model.

  • An RDS Owner can manage everything, including access to resources.
  • An RDS Contributor can manage everything but access to resources.
  • An RDS Reader can view everything but can’t make any changes.
  • An RDS Operator can view diagnostic activities.

Example Delegated Access configuration:

#Global Admin access to tenant group
New-RdsRoleAssignment -TenantGroupName yourtenantgroup -RoleDefinitionName "RDS OWner" -SignInName

#Localised tenant admin | access to a specific tenant only
New-RdsRoleAssignment -TenantGroupName yourtenantgroup -TenantName RDSTEST01 -RoleDefinitionName "RDS Owner" -SignInName

#read only tenant access for 1st line engineer
new-RdsRoleAssignment -TenantName RDSTEST01 -RoleDefinitionName "RD Reader" -SignInName

#Contributor access to hostpool level
new-RdsRoleAssignment -TenantName RDSTEST01 -HostPoolName RMITBLOGDESKTOPS -RoleDefinitionName "RDS Contributor" -SignInName

Reviewing Role Assignment :

You can review role assignments using the get-RdsRoleassignment cmdlets:

RoleAssignmentId   : 00000000-0000-0000-0000-00000000000
 Scope              : /Default Tenant Group/RDSTEST01/RMITBLOGDESKTOP
 TenantGroupName    : yourtenantgroup
 TenantName         : RDSTEST01
 HostPoolName       : RMITBLOGDESKTOPS
 DisplayName        : Test Account
 SignInName         :
 GroupObjectId      : 00000000-0000-0000-0000-00000000000
 AADTenantId        : 00000000-0000-0000-0000-00000000000
 AppId              :
 RoleDefinitionName : RDS Contributor
 RoleDefinitionId   : 00000-0000-0000-0000-000000000000
 ObjectId           : 0000-0000-0000-0000-000000000000
 ObjectType         : User
 Item               :

As you can see from the PowerShell output above, the 1st line admin has been assigned the RD Contributor permissions at the host-pool level, allowing the 1st line admin to manage everything excluding security access to resources.

PowerShell cmdlets for role assignments for WVD:

  • Get-RdsRoleAssignment displays a list of role assignments.
  • New-RdsRoleAssignment creates a new role assignment.
  • Remove-RdsRoleAssignment deletes role assignments.


For smaller deployments, you may only need configure the “RDS Owner” role removing the requirement for implementing a delegated access structure on WVD, however for larger deployments with multiple IT teams involved, this is very useful managing IT Admin on WVD tenants.

Useful Links:

Any questions, please feel free to comment.

3 thoughts on “Delegated Access – Windows Virtual Desktop

Add yours

  1. Hi.
    Thank you for the commands. But I there is an error in your example.

    #Global Admin access to tenant group
    New-RdsRoleAssignment -TenantGroupName yourtenantgroup -RoleDefinitionName “RDS Owner” -SignInName

    It must be only TenantName, or you will get an error.


    1. Hi, I have checked this.

      The only thing missing is the -AadTenantId “xxxx-xxxx-xxxx-xxxx-xxxx” I have not needed this when adding users to the tenancy group.

      tenant is for a specific tenant this cmdlet is for the tenant group.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Create a website or blog at

Up ↑

%d bloggers like this: