I am attempting to delegate permission to a couple members of our IT support team who I want to give specific permissions to in order to admin our Windows Virtual Desktop environment. I want them to be able to do the basics such as adding to app groups etc.

I have done the following:

- They are contributors of the resource groups where the WVD resources live

- Granted them TenantCreator within the Windows Virtual Desktop Enterprise Application

Do I need to provider permissions elsewhere?

When a member of this team tries to add users to an existing application group for a desktop, they receive the following error:

{"details":[{"code":"InvalidTemplateDeployment","message":"{\"content\":{\"error\":{\"code\":\"AuthorizationFailed\",\"message\":\"The client 'user@domain.com' with object id '<object-string>' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/<sub-string>/resourceGroups/WVD-PROD/providers/Microsoft.DesktopVirtualization/applicationgroups/WVD-DESKTOPS-DAG/providers/Microsoft.Authorization/roleAssignments/<string>' or the scope is invalid. If access was recently granted, please refresh your credentials.\"}},\"headers\":{\"cache-control\":\"no-cache\",\"content-length\":\"594\",\"content-type\":\"application/json; charset=utf-8\",\"expires\":\"-1\",\"pragma\":\"no-cache\",\"x-ms-correlation-request-id\":\"e62970a5-65fe-4c54-b2fb-aa6e6ae676ed\",\"x-ms-failure-cause\":\"gateway\",\"x-ms-request-id\":\"e62970a5-65fe-4c54-b2fb-aa6e6ae676ed\",\"x-ms-routing-request-id\":\"EASTUS:20200623T182111Z:e62970a5-65fe-4c54-b2fb-aa6e6ae676ed\"},\"httpStatusCode\":403}","target":"<string>"}]}