(Solved) Azure Permissions for WVD Admin [Spring Release]

I am attempting to delegate permission to a couple members of our IT support team who I want to give specific permissions to in order to admin our Windows Virtual Desktop environment. I want them to be able to do the basics such as adding to app groups etc.


I have done the following:

- They are contributors of the resource groups where the WVD resources live

- Granted them TenantCreator within the Windows Virtual Desktop Enterprise Application


Do I need to provide permissions elsewhere?


When a member of this team tries to add users to an existing application group for a desktop, they receive the following error:


{"details":[{"code":"InvalidTemplateDeployment","message":"{\"content\":{\"error\":{\"code\":\"AuthorizationFailed\",\"message\":\"The client '' with object id '<object-string>' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/<sub-string>/resourceGroups/WVD-PROD/providers/Microsoft.DesktopVirtualization/applicationgroups/WVD-DESKTOPS-DAG/providers/Microsoft.Authorization/roleAssignments/<string>' or the scope is invalid. If access was recently granted, please refresh your credentials.\"}},\"headers\":{\"cache-control\":\"no-cache\",\"content-length\":\"594\",\"content-type\":\"application/json; charset=utf-8\",\"expires\":\"-1\",\"pragma\":\"no-cache\",\"x-ms-correlation-request-id\":\"e62970a5-65fe-4c54-b2fb-aa6e6ae676ed\",\"x-ms-failure-cause\":\"gateway\",\"x-ms-request-id\":\"e62970a5-65fe-4c54-b2fb-aa6e6ae676ed\",\"x-ms-routing-request-id\":\"EASTUS:20200623T182111Z:e62970a5-65fe-4c54-b2fb-aa6e6ae676ed\"},\"httpStatusCode\":403}","target":"<string>"}]}

2 Replies
best response confirmed by CMurphyUSA (Brass Contributor)

@CMurphyUSA You can add the User Access Administrator role or create a custom role for more granular security.



This was the solution, thank you!
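
Why Contributor hits this error and why the suggested roles do not, as an added example that is not part of the original thread: it unwraps the nested error and evaluates the denied action against each role's Actions and NotActions. The role lists are abridged, the custom role name is hypothetical, and the sample error is a shortened, constructed copy of the one in the question.

```python
import json
import re
from fnmatch import fnmatchcase

# Constructed, shortened copy of the error in the post: the inner ARM error is
# a JSON document serialized into the outer "message" string.
_INNER = {"content": {"error": {"code": "AuthorizationFailed", "message":
    "The client '' with object id '<object-string>' does not have authorization "
    "to perform action 'Microsoft.Authorization/roleAssignments/write' over scope "
    "'/subscriptions/<sub-string>/resourceGroups/WVD-PROD/providers/"
    "Microsoft.DesktopVirtualization/applicationgroups/WVD-DESKTOPS-DAG/providers/"
    "Microsoft.Authorization/roleAssignments/<string>' or the scope is invalid."}},
    "httpStatusCode": 403}
SAMPLE_ERROR = json.dumps({"details": [{"code": "InvalidTemplateDeployment",
                                         "message": json.dumps(_INNER)}]})

# Abridged Actions/NotActions of the two built-in roles, plus a hypothetical
# custom role limited to role-assignment management.
ROLES = {
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/elevateAccess/Action"]},
    "User Access Administrator": {"Actions": ["*/read", "Microsoft.Authorization/*",
                                              "Microsoft.Support/*"], "NotActions": []},
    "WVD Assignment Operator (hypothetical)": {
        "Actions": ["Microsoft.Authorization/roleAssignments/read",
                    "Microsoft.Authorization/roleAssignments/write",
                    "Microsoft.Authorization/roleAssignments/delete"],
        "NotActions": []},
}

def denied_action(raw):
    """Return (action, scope) from the nested AuthorizationFailed message."""
    inner = json.loads(json.loads(raw)["details"][0]["message"])
    msg = inner["content"]["error"]["message"]
    m = re.search(r"perform action '([^']+)' over scope '([^']+)'", msg)
    return m.group(1), m.group(2)

def _match(patterns, action):
    # Azure RBAC action strings are case-insensitive and '*' is a wildcard.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def role_allows(role, action):
    """Effective permission = matches Actions and is not removed by NotActions."""
    return _match(role["Actions"], action) and not _match(role["NotActions"], action)

def roles_granting(raw):
    action, _scope = denied_action(raw)
    return [name for name, role in ROLES.items() if role_allows(role, action)]
```

Any role that includes roleAssignments/write lets its holder assign roles at the scope where it is granted, so assign it on the WVD resource group or the application group rather than the subscription.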