WVD in high-security environments

Is there a definitive list of permissions published somewhere (Fall and Spring releases) detailing exactly what permissions are required for WVD, from both a provisioning and an operational point of view? I have a large high-security client where functions are separated; in other words, security is handled by a completely different team, and projects by an unrelated project team that hands over to the operational teams.

In a previous deployment, using the Fall 2019 version, I was able to determine the following:

  • Security team to create RDS tenant as this will not be delegated,
  • RDS Contributor assigned to project team (which was the lowest supported permissions),
  • Microsoft.Network/virtualNetworks/WRITE permissions to join virtual machines to network (I think this related to an issue in the ARM template but is problematic),
  • Active Directory create computer object (or rather domain join) permissions,
  • Owner permission required to write captured images to the Shared Gallery.

My deployment stopped at the last point as the security team asked for a full list of all the permissions required as they are not able to entertain back-and-forth requests.

Thanks

0 Replies