SOLVED

Custom role - Microsoft.DesktopVirtualization permissions not complete


When creating a custom role using Microsoft.DesktopVirtualization (with all permission options selected), not all AzWvd cmdlets can be executed when this role is assigned to a service principal. All cmdlets run without error when the service principal is a Contributor on the Azure subscription. The errors seen when using the custom role are shown below:

Disconnect-AzWvdUserSession Error

Disconnect-AzWvdUserSession : The client 'CLIENTIDPLACEHOLDER' with object id 'CLIENTIDPLACEHOLDER' does not have authorization to perform action 'Microsoft.DesktopVirtualization/hostPools/sessionHosts/userSessions/SUBIDPLACEHOLDER/WVD-Backend/Microsoft.DesktopVirtualization/WVD-Pool2/WVD-SH000000.ingram.micro/2/action' over scope '/subscriptions/SUBIDPLACEHOLDER/resourceGroups/WVD-Backend/providers/Microsoft.DesktopVirtualization/hostPools/WVD-Pool2/sessionHosts/WVD-SH000000.ingram.micro/userSessions/subscriptions/SUBIDPLACEHOLDER/resourcegroups/WVD-Backend/providers/Microsoft.DesktopVirtualization/hostpools/WVD-Pool2/sessionhosts/WVD-SH000000.ingram.micro/usersessions/2/disconnect' or the scope is invalid. If access was recently granted, please refresh your credentials.

Send-AzWvdUserSessionMessage Error

Send-AzWvdUserSessionMessage : The client 'CLIENTIDPLACEHOLDER' with object id 'CLIENTIDPLACEHOLDER' does not have authorization to perform action 'Microsoft.DesktopVirtualization/hostPools/sessionHosts/userSessions/sendMessage/action' over scope '/subscriptions/SUBIDPLACEHOLDER/resourceGroups/WVD-Backend/providers/Microsoft.DesktopVirtualization/hostPools/WVD-Pool2/sessionHosts/WVD-SH000001.ingram.micro/userSessions/2' or the scope is invalid. If access was recently granted, please refresh your credentials.

Neither action is referenced in the custom role when looking at the JSON view, indicating they still need to be added before Microsoft.DesktopVirtualization can be used for all cmdlets.

2 Replies

@MaranVerweij What are the custom role permissions?

Best Response confirmed by Pavithra Thiruvengadam (Microsoft)
Solution

@Pavithra Thiruvengadam 

It was the complete list of all permissions in Microsoft.DesktopVirtualization. The issue was fixed by replacing the three lines below:

"Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/delete",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/write",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read",
by:
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/*",

Thanks for the follow up though!
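The reason the three explicit entries did not work, and the wildcard did, is how Azure RBAC matches operation names: an operation is allowed only if some entry in the role's Actions matches it (case-insensitively, with `*` matching any run of path segments) and no NotActions entry does. `usersessions/read`, `write` and `delete` match only those three operations; the two failing cmdlets need separate action operations, `usersessions/sendMessage/action` (quoted in the second error) and `usersessions/disconnect/action` (the provider operation behind the `/disconnect` scope suffix in the first error, assumed here). The wildcard covers both, but it also covers every other present and future operation under `usersessions`, so a tighter role lists the two action operations explicitly. The small model below, an added example that is not code from the thread or from the Az module, reproduces the before and after role fragments from the thread and shows what each grants; the operation list and the explicit alternative role are constructed for the example.

```python
"""Model of Azure RBAC action matching for the custom-role problem in this
thread. Constructed example, not code from the Az module or from the poster;
the role JSON fragments mirror the Actions lines quoted in the thread."""
from fnmatch import fnmatchcase

# Operations the two failing cmdlets need. sendMessage/action is quoted in the
# second error on the page; disconnect/action is the provider operation behind
# the '/disconnect' scope suffix in the first error (assumed here).
REQUIRED = {
    "Disconnect-AzWvdUserSession":
        "Microsoft.DesktopVirtualization/hostPools/sessionHosts/userSessions/disconnect/action",
    "Send-AzWvdUserSessionMessage":
        "Microsoft.DesktopVirtualization/hostPools/sessionHosts/userSessions/sendMessage/action",
}

# Every userSessions operation considered by this model: the three from the
# role plus the two action operations above (constructed list).
USERSESSION_OPERATIONS = [
    "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read",
    "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/write",
    "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/delete",
    *REQUIRED.values(),
]

# The three lines the poster started with (portal JSON view shape, trimmed).
ROLE_BEFORE = {
    "Actions": [
        "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/delete",
        "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/write",
        "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read",
    ],
    "NotActions": [],
}

# The poster's fix: one wildcard entry.
ROLE_WILDCARD = {
    "Actions": ["Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/*"],
    "NotActions": [],
}

# Tighter alternative (constructed): name only what these cmdlets use.
ROLE_EXPLICIT = {
    "Actions": [
        "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read",
        *REQUIRED.values(),
    ],
    "NotActions": [],
}


def _matches(pattern: str, operation: str) -> bool:
    """Azure RBAC operation names are case-insensitive and '*' spans segments."""
    return fnmatchcase(operation.lower(), pattern.lower())


def is_allowed(role: dict, operation: str) -> bool:
    """Allowed when some Actions entry matches and no NotActions entry does
    (data actions and deny assignments are outside this model)."""
    granted = any(_matches(p, operation) for p in role["Actions"])
    denied = any(_matches(p, operation) for p in role["NotActions"])
    return granted and not denied


def missing_permissions(role: dict) -> dict:
    """Cmdlet -> operation the role does not grant; empty when all are covered."""
    return {cmd: op for cmd, op in REQUIRED.items() if not is_allowed(role, op)}


def granted_operations(role: dict) -> list:
    """Which of the modelled userSessions operations the role grants."""
    return sorted(op for op in USERSESSION_OPERATIONS if is_allowed(role, op))


if __name__ == "__main__":
    for name, role in [("before", ROLE_BEFORE), ("wildcard", ROLE_WILDCARD),
                       ("explicit", ROLE_EXPLICIT)]:
        print(name, "missing:", list(missing_permissions(role)),
              "grants:", len(granted_operations(role)))
```

Running it shows the original role missing both cmdlets' operations, the wildcard role granting all five modelled operations, and the explicit role granting exactly the three it needs. When auditing a real custom role, compare its Actions against the provider's operation list rather than against cmdlet names, since one cmdlet can map to an action operation that the read/write/delete trio never covers.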