Delegated Access overview:
A useful component that comes with Windows Virtual Desktop is the WVD delegated access model. This function lets you define and control access at various levels of the WVD Structure. The role assignment has three key components, which include: Security principal, Role definition and Scope. One point to note is that WVD delegated access is based on Azure’s RBAC model. Delegated access could prove to be extremely useful for multi tiered IT support teams allowing you to manage and control access to WVD at different levels.
Understanding Role Assignment:
As you can see in the image below, the delegated access model has been broken down in to three components. The Security Principle is for users and service principles. The Role Definition is for built-in roles “RDSRoleAssignment” and Scope is the section of WVD were you would want to assign delegated permissions. A quick Role Assignment Example: I need to assign Bob@rmitblog.cloud as “RDS Owner” to the tenant group. Add the “-tenantname” for the tenant.
New-RdsRoleAssignment -TenantGroupName yourtenantgroup -TenantName Example -RoleDefinitionName “RDS Owner” -SignInName Bob@rmitblog.cloud -AadTenantId “xxxx-xxxx-xxxx-xxxx-xxxx”
An Example of assigning delegated access in an organisation:
In this example i have assigned delegated access to the following scope: Tenant groups, Tenants and Host Pools. The diagram below shows a Global Admin who has full control at the tenant group level, a tenant admin who has been assigned full control at a single tenant level (one specific tenant), one IT support user assigned with read only access at the tenant level and finally the same IT support admin assigned RDS contributor access at the HostPool Level.
What this means is the Global admin has full control of all tenants including security. The Tenant admin has full control of a single tenant for security on that tenant and the IT admin can only view the assigned tenant and has access at the host level but no access to resources.
Built in Roles:
The following roles are included in WVD’s Delegated access model.
- An RDS Owner can manage everything, including access to resources.
- An RDS Contributor can manage everything but access to resources.
- An RDS Reader can view everything but can’t make any changes.
- An RDS Operator can view diagnostic activities.
Example Delegated Access configuration:
#Global Admin access to tenant group New-RdsRoleAssignment -TenantGroupName yourtenantgroup -RoleDefinitionName "RDS OWner" -SignInName GlobalAdmin@rmitblog.cloud #Localised tenant admin | access to a specific tenant only New-RdsRoleAssignment -TenantGroupName yourtenantgroup -TenantName RDSTEST01 -RoleDefinitionName "RDS Owner" -SignInName Tenantadmin@rmitblog.cloud #read only tenant access for 1st line engineer new-RdsRoleAssignment -TenantName RDSTEST01 -RoleDefinitionName "RD Reader" -SignInName firstname.lastname@example.org #Contributor access to hostpool level new-RdsRoleAssignment -TenantName RDSTEST01 -HostPoolName RMITBLOGDESKTOPS -RoleDefinitionName "RDS Contributor" -SignInName email@example.com
Reviewing Role Assignment :
You can review role assignments using the get-RdsRoleassignment cmdlets:
RoleAssignmentId : 00000000-0000-0000-0000-00000000000 Scope : /Default Tenant Group/RDSTEST01/RMITBLOGDESKTOP TenantGroupName : yourtenantgroup TenantName : RDSTEST01 HostPoolName : RMITBLOGDESKTOPS DisplayName : Test Account SignInName : firstname.lastname@example.org GroupObjectId : 00000000-0000-0000-0000-00000000000 AADTenantId : 00000000-0000-0000-0000-00000000000 AppId : RoleDefinitionName : RDS Contributor RoleDefinitionId : 00000-0000-0000-0000-000000000000 ObjectId : 0000-0000-0000-0000-000000000000 ObjectType : User Item :
As you can see from the PowerShell output above, the 1st line admin has been assigned the RD Contributor permissions at the host-pool level, allowing the 1st line admin to manage everything excluding security access to resources.
PowerShell cmdlets for role assignments for WVD:
- Get-RdsRoleAssignment displays a list of role assignments.
- New-RdsRoleAssignment creates a new role assignment.
- Remove-RdsRoleAssignment deletes role assignments.
For smaller deployments, you may only need configure the “RDS Owner” role removing the requirement for implementing a delegated access structure on WVD, however for larger deployments with multiple IT teams involved, this is very useful managing IT Admin on WVD tenants.
Any questions, please feel free to comment.