(Solved) Azure Permissions for WVD Admin [Spring Release]


I am attempting to delegate permission to a couple members of our IT support team who I want to give specific permissions to in order to admin our Windows Virtual Desktop environment. I want them to be able to do the basics such as adding to app groups etc.

 

I have done the following:

- They are contributors of the resource groups where the WVD resources live

- Granted them TenantCreator within the Windows Virtual Desktop Enterprise Application

 

Do I need to provide permissions elsewhere?

 

When a member of this team tries to add users to an existing application group for a desktop, they receive the following error:

 

{"details":[{"code":"InvalidTemplateDeployment","message":"{\"content\":{\"error\":{\"code\":\"AuthorizationFailed\",\"message\":\"The client 'user@domain.com' with object id '<object-string>' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/<sub-string>/resourceGroups/WVD-PROD/providers/Microsoft.DesktopVirtualization/applicationgroups/WVD-DESKTOPS-DAG/providers/Microsoft.Authorization/roleAssignments/<string>' or the scope is invalid. If access was recently granted, please refresh your credentials.\"}},\"headers\":{\"cache-control\":\"no-cache\",\"content-length\":\"594\",\"content-type\":\"application/json; charset=utf-8\",\"expires\":\"-1\",\"pragma\":\"no-cache\",\"x-ms-correlation-request-id\":\"e62970a5-65fe-4c54-b2fb-aa6e6ae676ed\",\"x-ms-failure-cause\":\"gateway\",\"x-ms-request-id\":\"e62970a5-65fe-4c54-b2fb-aa6e6ae676ed\",\"x-ms-routing-request-id\":\"EASTUS:20200623T182111Z:e62970a5-65fe-4c54-b2fb-aa6e6ae676ed\"},\"httpStatusCode\":403}","target":"<string>"}]}

2 Replies
Best Response confirmed by CMurphyUSA (Contributor)
Solution

@CMurphyUSA You can add the User Access Administrator role or create a custom role for more granular security.

@Jensheerin 

 

This was the solution, thank you!
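Why the Contributor assignment in the question fails and the roles named in the accepted answer succeed, as an added example that is not part of the original thread: it unwraps the JSON-in-JSON error from the post and evaluates the denied action against role Actions/NotActions. The sample error is reconstructed from the post and trimmed, the Contributor NotActions list is abridged, and the custom role name and its action list are hypothetical.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample: the error from the post, trimmed to the fields used here.
INNER = {"content": {"error": {"code": "AuthorizationFailed", "message": (
    "The client 'user@domain.com' with object id '<object-string>' does not have "
    "authorization to perform action 'Microsoft.Authorization/roleAssignments/write' "
    "over scope '/subscriptions/<sub-string>/resourceGroups/WVD-PROD/providers/"
    "Microsoft.DesktopVirtualization/applicationgroups/WVD-DESKTOPS-DAG/providers/"
    "Microsoft.Authorization/roleAssignments/<string>' or the scope is invalid.")}},
    "httpStatusCode": 403}
SAMPLE = json.dumps({"details": [{"code": "InvalidTemplateDeployment",
                                  "message": json.dumps(INNER)}]})

# role -> (Actions, NotActions). Contributor's NotActions are abridged;
# the last role is a hypothetical custom role, not an Azure built-in.
ROLES = {
    "Contributor": (["*"], ["Microsoft.Authorization/*/Delete",
                            "Microsoft.Authorization/*/Write",
                            "Microsoft.Authorization/elevateAccess/Action"]),
    "User Access Administrator": (["*/read", "Microsoft.Authorization/*",
                                   "Microsoft.Support/*"], []),
    "WVD App Group Assigner (hypothetical)": (
        ["Microsoft.DesktopVirtualization/applicationGroups/read",
         "Microsoft.Authorization/roleAssignments/read",
         "Microsoft.Authorization/roleAssignments/write",
         "Microsoft.Authorization/roleAssignments/delete"], []),
}

def parse_denial(raw):
    """Unwrap the JSON-in-JSON deployment error; return (action, target scope)."""
    inner = json.loads(json.loads(raw)["details"][0]["message"])
    msg = inner["content"]["error"]["message"]
    action = msg.split("perform action '")[1].split("'")[0]
    scope = msg.split("over scope '")[1].split("'")[0]
    # Drop the roleAssignments child resource to get the resource being delegated.
    target = scope.rsplit("/providers/Microsoft.Authorization/", 1)[0]
    return action, target

def allows(role, action):
    """Azure RBAC: allowed if an Actions pattern matches and no NotActions does."""
    actions, not_actions = ROLES[role]
    hit = lambda pats: any(fnmatchcase(action.lower(), p.lower()) for p in pats)
    return hit(actions) and not hit(not_actions)

if __name__ == "__main__":
    action, target = parse_denial(SAMPLE)
    print(action, "on", target)
    for role in ROLES:
        print(f"{role}: {'allows' if allows(role, action) else 'denies'}")
```

Anyone holding `Microsoft.Authorization/roleAssignments/write` at a scope can assign any role at that scope, so whichever role is chosen is best assigned on the application group from the error rather than on the whole resource group or subscription.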