Even if a user is assigned to an individual session host, the user can see all the VMs from the Azure portal and is able to log in to any machine, as the 'VM User Login' role is assigned at the resource group level.
We can assign this role to an individual VM as well, but it's manual work: every time after spinning up a machine, we have to assign the user to that specific resource.
A similar recommendation was given for the 'VM Administrator Login' role: if you assign this role at the resource group level, the user can log in with admin rights to any machine that is visible from the Azure portal.
Users usually wouldn't log in to the Azure portal, but still, isn't it a security risk to give a user access to all resources? I don't find the recommendation of assigning access at the resource group level convincing.
Has anyone set up personal Windows 11 Entra ID-joined machines managed through Intune and have recommendations around the RBAC design?
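Added example (not from the original post or any Microsoft documentation): the "manual work every time" part can be scripted. The Az PowerShell snippet below assigns the login role at the scope of a single session host's resource ID instead of the resource group, skips the assignment if it already exists, and audits which of the two login roles are still assigned at resource group scope or above (and therefore inherited by every VM in the group). Resource group, VM and user names are placeholders; it assumes the Az.Accounts, Az.Compute and Az.Resources modules and an existing Connect-AzAccount session.

```powershell
# Added example, not from the original post. Assumes Az.Accounts, Az.Compute,
# Az.Resources and an existing Connect-AzAccount session. Names are placeholders.

function Grant-SessionHostLogin {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VMName,
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [ValidateSet('Virtual Machine User Login', 'Virtual Machine Administrator Login')]
        [string] $Role = 'Virtual Machine User Login'
    )

    $vm   = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
    $user = Get-AzADUser -UserPrincipalName $UserPrincipalName
    if (-not $vm -or -not $user) { throw "VM '$VMName' or user '$UserPrincipalName' not found" }

    # Scope = the VM's own resource ID, so the role applies to this one machine
    # only and is not inherited by the other session hosts in the group.
    $existing = Get-AzRoleAssignment -ObjectId $user.Id -Scope $vm.Id -RoleDefinitionName $Role |
        Where-Object { $_.Scope -eq $vm.Id }
    if ($existing) {
        Write-Host "$UserPrincipalName already has '$Role' on $VMName"
        return $existing
    }
    New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName $Role -Scope $vm.Id
}

function Find-ResourceGroupScopedLoginRoles {
    param([Parameter(Mandatory)] [string] $ResourceGroupName)

    $rgScope = (Get-AzResourceGroup -Name $ResourceGroupName).ResourceId
    foreach ($role in 'Virtual Machine User Login', 'Virtual Machine Administrator Login') {
        # Assignments effective at the resource group include ones inherited
        # from the subscription. Keep those whose Scope is the resource group
        # or a parent of it: every VM in the group inherits these.
        Get-AzRoleAssignment -Scope $rgScope -RoleDefinitionName $role |
            Where-Object { $rgScope.StartsWith($_.Scope, 'OrdinalIgnoreCase') } |
            Select-Object DisplayName, SignInName, RoleDefinitionName, Scope
    }
}

# Example usage (placeholder names): grant one user login on one host, then
# list anything still granted at resource group scope or above.
Grant-SessionHostLogin -ResourceGroupName 'rg-avd-personal' -VMName 'avd-ph-001' `
    -UserPrincipalName 'alice@contoso.com'
Find-ResourceGroupScopedLoginRoles -ResourceGroupName 'rg-avd-personal'
```

Run Grant-SessionHostLogin as the last step of whatever pipeline creates the session host so the per-VM assignment is never a separate manual task. Two caveats when scoping per VM: the object you assign can be an Entra ID group as well as a user, which keeps the number of assignments down, and Azure caps the number of role assignments per subscription (4,000 at the time of writing), so a large personal-desktop estate should be sized against that limit.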