RBAC design for Azure virtual desktop personal session hosts Win11 EntraID joined

We are setting up Windows 11 Entra ID joined personal session hosts in Azure Virtual Desktop. In the Microsoft docs it's recommended to assign the 'Virtual Machine User Login' role to a user group at resource group level: https://learn.microsoft.com/en-us/azure/virtual-desktop/azure-ad-joined-session-hosts?source=recomme...

Even if a user is assigned to an individual session host, the user can see all the VMs from the Azure portal and is able to log in to any machine, as the 'VM User Login' role is assigned at resource group level.

We can assign this role to an individual VM as well, but it's manual work: every time after spinning up a machine, assign the user to that specific resource.

A similar recommendation was given for the 'VM Administrator Login' role; if you assign this role at resource group level, the user can log in to any machine that is visible from the Azure portal with admin login.

Users usually wouldn't log in to the Azure portal, but still, isn't it a security risk giving a user access to all resources? I think the recommendation of giving access at resource group level isn't convincing to me.

Has anyone set up personal Win11 Entra ID joined session hosts managed through Intune, and do you have recommendations around the RBAC design?

Naveen. S
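The alternative the post mentions (scoping the login role to each VM instead of the resource group) can be automated so it does not stay a manual step after every deployment. The script below is an added example written for this thread; it is not from the original post and not a Microsoft script. It uses the Az PowerShell modules (Az.Accounts, Az.Resources, Az.DesktopVirtualization) and assumes you have already run Connect-AzAccount with rights to create role assignments on the session host VMs. The resource group and host pool names are placeholders. It first reports any login roles that are granted at resource group scope (the broad pattern described above), then, for each personal session host that has a user assigned, grants that user the login role scoped to that single VM only.

```powershell
# Added example, not from the original post: per-VM role assignment for
# Entra ID joined personal session hosts, driven by each host's assigned user.
# Requires Az.Accounts, Az.Resources and Az.DesktopVirtualization.
# Run after Connect-AzAccount. Names below are placeholders (assumptions).
param(
    [string]$ResourceGroupName = 'rg-avd-personal',   # placeholder
    [string]$HostPoolName      = 'hp-personal-win11', # placeholder
    # 'Virtual Machine User Login' is the standard-user logon role; use
    # 'Virtual Machine Administrator Login' only for hosts that truly need it.
    [string]$RoleName          = 'Virtual Machine User Login'
)

$rgScope = "/subscriptions/$((Get-AzContext).Subscription.Id)/resourceGroups/$ResourceGroupName"

# 1. Audit: login roles assigned directly at resource group scope.
#    Each of these lets every member log on to every VM in the group.
Write-Host "Login roles assigned at resource group scope in ${ResourceGroupName}:"
Get-AzRoleAssignment -Scope $rgScope |
    Where-Object {
        $_.Scope -eq $rgScope -and
        $_.RoleDefinitionName -in @('Virtual Machine User Login', 'Virtual Machine Administrator Login')
    } |
    Select-Object DisplayName, RoleDefinitionName, Scope |
    Format-Table -AutoSize

# 2. Remediate: one assignment per host, scoped to that host's VM only.
$sessionHosts = Get-AzWvdSessionHost -ResourceGroupName $ResourceGroupName -HostPoolName $HostPoolName

foreach ($sh in $sessionHosts) {
    if ([string]::IsNullOrEmpty($sh.AssignedUser)) {
        Write-Host "Skipping $($sh.Name): no user assigned yet"
        continue
    }

    # Resolve the assigned UPN to the Entra ID object the role is granted to.
    $user = Get-AzADUser -UserPrincipalName $sh.AssignedUser
    if (-not $user) {
        Write-Warning "Assigned user $($sh.AssignedUser) on $($sh.Name) not found in Entra ID"
        continue
    }

    # $sh.ResourceId is the ARM id of the underlying VM. Using it as the scope
    # is what limits the grant to this single host.
    $existing = Get-AzRoleAssignment -ObjectId $user.Id -Scope $sh.ResourceId -RoleDefinitionName $RoleName |
        Where-Object { $_.Scope -eq $sh.ResourceId }

    if ($existing) {
        Write-Host "$($sh.AssignedUser) already has '$RoleName' on $($sh.Name)"
        continue
    }

    New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName $RoleName -Scope $sh.ResourceId | Out-Null
    Write-Host "Granted '$RoleName' to $($sh.AssignedUser) on $($sh.Name) (scope: this VM only)"
}
```

Run it as a post-deployment step of the host pool pipeline, or on a schedule from an Automation runbook, so a newly created host picks up its assignment as soon as a user is assigned to it. With the grant scoped to the VM, a user who opens the Azure portal sees only their own session host, and the audit section at the top makes any leftover resource-group-wide grant visible so it can be removed.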

