May 18 2020 09:51 AM - edited May 18 2020 10:22 AM
When creating a custom role using Microsoft.DesktopVirtualization (with all permission options selected), not all AzWVD cmdlets can be executed when this role is assigned to a service principal. All cmdlets can be run without error when the service principal is Contributor on the Azure sub. The errors when using the custom role are displayed below:
Disconnect-AzWvdUserSession Error
Disconnect-AzWvdUserSession : The client 'CLIENTIDPLACEHOLDER' with object id 'CLIENTIDPLACEHOLDER' does not have authorization to perform action 'Microsoft.DesktopVirtualization/hostPools/sessionHosts/userSessions/SUBIDPLACEHOLDER/WVD-Backend/Microsoft.DesktopVirtualization/WVD-Pool2/WVD-SH000000.ingram.micro/2/action' over scope '/subscriptions/SUBIDPLACEHOLDER/resourceGroups/WVD-Backend/providers/Microsoft.DesktopVirtualization/hostPools/WVD-Pool2/sessionHosts/WVD-SH000000.ingram.micro/userSessions/subscriptions/SUBIDPLACEHOLDER/resourcegroups/WVD-Backend/providers/Microsoft.DesktopVirtualization/hostpools/WVD-Pool2/sessionhosts/WVD-SH000000.ingram.micro/usersessions/2/disconnect' or the scope is invalid. If access was recently granted, please refresh your credentials.
Send-AzWvdUserSessionMessage error
Send-AzWvdUserSessionMessage : The client 'CLIENTIDPLACEHOLDER' with object id 'CLIENTIDPLACEHOLDER' does not have authorization to perform action 'Microsoft.DesktopVirtualization/hostPools/sessionHosts/userSessions/sendMessage/action' over scope '/subscriptions/SUBIDPLACEHOLDER/resourceGroups/WVD-Backend/providers/Microsoft.DesktopVirtualization/hostPools/WVD-Pool2/sessionHosts/WVD-SH000001.ingram.micro/userSessions/2' or the scope is invalid. If access was recently granted, please refresh your credentials.
Neither action is referenced in the custom role when looking at the JSON display, indicating they still need to be added before Microsoft.DesktopVirtualization can be used for all cmdlets.
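A way to run the check described in the post above offline, as an added example that is not part of the original thread: it tests whether a role definition's Actions/NotActions cover the actions the two cmdlets need, then re-tests after adding only those actions. The sample role JSON is constructed, and `Test-RoleAllowsAction` and `Get-MissingAction` are hypothetical helper names.

```powershell
# Constructed sample role (assumption: not the poster's actual role JSON).
$roleJson = @'
{
  "Name": "WVD session operator (sample)",
  "Actions": [
    "Microsoft.DesktopVirtualization/hostPools/read",
    "Microsoft.DesktopVirtualization/hostPools/sessionHosts/read",
    "Microsoft.DesktopVirtualization/hostPools/sessionHosts/userSessions/read",
    "Microsoft.DesktopVirtualization/hostPools/sessionHosts/userSessions/delete"
  ],
  "NotActions": []
}
'@

# Actions the two failing cmdlets need. sendMessage/action is quoted in the error
# above; disconnect/action is the provider operation for disconnecting a user session.
$required = @(
    'Microsoft.DesktopVirtualization/hostPools/sessionHosts/userSessions/sendMessage/action',
    'Microsoft.DesktopVirtualization/hostPools/sessionHosts/userSessions/disconnect/action'
)

function Test-RoleAllowsAction {
    # Hypothetical helper: Azure RBAC allows an action when an Actions entry matches
    # it ('*' wildcard, case-insensitive) and no NotActions entry matches it.
    param(
        [Parameter(Mandatory)] $Role,
        [Parameter(Mandatory)] [string] $Action
    )
    $granted  = @($Role.Actions    | Where-Object { $_ -and $Action -like $_ }).Count -gt 0
    $excluded = @($Role.NotActions | Where-Object { $_ -and $Action -like $_ }).Count -gt 0
    return ($granted -and -not $excluded)
}

function Get-MissingAction {
    # Hypothetical helper: returns the needed actions the role does not allow.
    param($Role, [string[]] $Needed)
    $Needed | Where-Object { -not (Test-RoleAllowsAction -Role $Role -Action $_) }
}

# For a live role, replace the next line with: Get-AzRoleDefinition -Name '<role name>'
$role = $roleJson | ConvertFrom-Json
"Missing before: $(@(Get-MissingAction $role $required) -join ', ')"

# Least-privilege repair: add only the two explicit actions, no wildcard.
$role.Actions = @($role.Actions) + $required
"Missing after:  $(@(Get-MissingAction $role $required).Count)"
```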
Jun 02 2020 03:45 PM
@MaranVerweij What are the custom role permissions?
Jun 04 2020 10:36 AM
Solution: It was the complete list of all permissions in Microsoft.DesktopVirtualization. The issue was fixed by replacing the 3 lines below:
by: