Nerdio Manager is an Azure application that is deployed from the Azure Marketplace and runs inside your own Azure AD tenant and Azure subscription. It requires certain permissions during installation, configuration and ongoing usage.
The Azure AD user performing the installation of Nerdio Manager requires the following permissions:
- Global Administrator role in Azure AD
- Owner role on Azure subscription
These elevated permissions are needed ONLY for the initial installation and configuration process and are not necessary for ongoing usage of the application. Once Nerdio Manager is installed, its application registration holds the following API permissions in Azure AD (delegated permissions act on behalf of the signed-in user; application permissions act as the service principal itself):
| API | Permission | Purpose |
|---|---|---|
| Azure Resource Manager | | List available resources in Azure subscription and make requests on behalf of user |
| Microsoft Graph | Application.ReadWrite.All (delegated) | Manage Nerdio Manager application service principal |
| Microsoft Graph | AppRoleAssignment.ReadWrite.All (delegated) | Assign users to Nerdio Manager application to enable user login |
| Microsoft Graph | Directory.Read.All (delegated) | List service principals to determine permission level |
| Microsoft Graph | User.Read, User.ReadBasic.All (delegated); Group.Read.All, GroupMember.Read.All, Organization.Read.All, User.Read.All (application) | Read Azure AD groups and membership for app group assignments |
| Microsoft Graph | offline_access, openid, profile (delegated) | Allow user login |
| Azure Service Management | user_impersonation (delegated) | Make requests to Azure on behalf of user |
| Windows Virtual Desktop | TenantCreator (application) | (AVD V1) Create AVD tenants |
| Windows Virtual Desktop | user_impersonation (delegated) | (AVD V1) Make requests on behalf of user |
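Because consent granted to an application can drift over time (an admin clicks "Grant admin consent" on a broader scope, or a user consents individually), it is worth periodically diffing what the Nerdio Manager service principal actually holds against the table above. The following is an added example, not part of the original page and not Nerdio's code. It flattens the Microsoft Graph objects for the service principal (`oauth2PermissionGrants` for delegated scopes, `appRoleAssignments` for application permissions, resolved through the resource API's `appRoles`) into `(API, kind, permission)` triples and compares them with a baseline taken from the table. The three input structures are constructed sample data with made-up object IDs; the Azure Resource Manager row is left out of the baseline because the page does not name its scope, and the Windows Virtual Desktop rows because they apply to AVD V1 only.

```python
"""Diff the permissions granted to a service principal against a documented baseline.

Added example, not Nerdio's code. The three data structures below are CONSTRUCTED
sample data with made-up object IDs, shaped like the Microsoft Graph objects
/servicePrincipals/{id} (for the resource APIs), /servicePrincipals/{id}/oauth2PermissionGrants
and /servicePrincipals/{id}/appRoleAssignments (for the Nerdio Manager service principal).
"""

# Baseline derived from the permission table above. Delegated scopes live in
# oauth2PermissionGrants; application permissions are appRoleAssignments.
BASELINE = (
    {("Microsoft Graph", "delegated", p) for p in (
        "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
        "Directory.Read.All", "User.Read", "User.ReadBasic.All",
        "offline_access", "openid", "profile")}
    | {("Microsoft Graph", "application", p) for p in (
        "Group.Read.All", "GroupMember.Read.All",
        "Organization.Read.All", "User.Read.All")}
    | {("Azure Service Management", "delegated", "user_impersonation")}
)

GRAPH_SP = "11111111-1111-1111-1111-111111111111"   # constructed object IDs
ASM_SP = "22222222-2222-2222-2222-222222222222"

# Resource service principals: their appRoles map an appRoleId to a permission value.
RESOURCE_SERVICE_PRINCIPALS = {
    GRAPH_SP: {"displayName": "Microsoft Graph", "appRoles": [
        {"id": "aaaa0001-0000-0000-0000-000000000001", "value": "Group.Read.All"},
        {"id": "aaaa0001-0000-0000-0000-000000000002", "value": "GroupMember.Read.All"},
        {"id": "aaaa0001-0000-0000-0000-000000000003", "value": "Organization.Read.All"},
        {"id": "aaaa0001-0000-0000-0000-000000000004", "value": "User.Read.All"},
        {"id": "aaaa0001-0000-0000-0000-000000000005", "value": "Directory.ReadWrite.All"},
    ]},
    ASM_SP: {"displayName": "Azure Service Management", "appRoles": []},
}

# Delegated grants: consentType "AllPrincipals" = tenant-wide admin consent,
# "Principal" = consent given by a single user (identified by principalId).
OAUTH2_PERMISSION_GRANTS = [
    {"consentType": "AllPrincipals", "principalId": None, "resourceId": GRAPH_SP,
     "scope": "Application.ReadWrite.All AppRoleAssignment.ReadWrite.All "
              "Directory.Read.All User.Read User.ReadBasic.All "
              "offline_access openid profile"},
    {"consentType": "AllPrincipals", "principalId": None, "resourceId": ASM_SP,
     "scope": "user_impersonation"},
]

# Application permissions. Organization.Read.All is deliberately absent and
# Directory.ReadWrite.All deliberately present so both kinds of finding appear.
APP_ROLE_ASSIGNMENTS = [
    {"appRoleId": "aaaa0001-0000-0000-0000-000000000001", "resourceId": GRAPH_SP},
    {"appRoleId": "aaaa0001-0000-0000-0000-000000000002", "resourceId": GRAPH_SP},
    {"appRoleId": "aaaa0001-0000-0000-0000-000000000004", "resourceId": GRAPH_SP},
    {"appRoleId": "aaaa0001-0000-0000-0000-000000000005", "resourceId": GRAPH_SP},
]


def granted_permissions(resource_sps, oauth2_grants, app_role_assignments):
    """Flatten Graph output into a set of (API, kind, permission) triples."""
    granted = set()
    for grant in oauth2_grants:
        api = resource_sps[grant["resourceId"]]["displayName"]
        for scope in grant["scope"].split():          # scope is space-separated
            granted.add((api, "delegated", scope))
    for assignment in app_role_assignments:
        sp = resource_sps[assignment["resourceId"]]
        roles = {r["id"]: r["value"] for r in sp["appRoles"]}
        granted.add((sp["displayName"], "application", roles[assignment["appRoleId"]]))
    return granted


def audit_grants(granted, baseline=BASELINE):
    """Return what the baseline expects but is absent, and what is granted beyond it."""
    return {"missing": sorted(baseline - granted), "extra": sorted(granted - baseline)}


def user_consented_grants(oauth2_grants):
    """Delegated grants that rest on a single user's consent rather than admin consent."""
    return [g for g in oauth2_grants if g["consentType"] != "AllPrincipals"]


if __name__ == "__main__":
    report = audit_grants(granted_permissions(
        RESOURCE_SERVICE_PRINCIPALS, OAUTH2_PERMISSION_GRANTS, APP_ROLE_ASSIGNMENTS))
    for finding, items in report.items():
        for api, kind, perm in items:
            print(f"{finding}: {api} {perm} ({kind})")
```

On the constructed input the audit reports `Organization.Read.All` (application) as missing and `Directory.ReadWrite.All` (application) as extra; the "extra" bucket is the one to treat as a least-privilege finding, since nothing in the table requires a write permission on the directory. `user_consented_grants` is included because a delegated grant with `consentType` of `Principal` means one user consented for themselves, which is not the tenant-wide admin consent the installation step above establishes.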
Once the Nerdio Manager application is installed, there are several configuration actions that can be taken inside the application to "link" it to existing Azure resources or create new ones. These actions require the requesting user (i.e. the logged-in user taking the action through the application) to hold certain permissions on the Azure resources involved:
- Linking a Resource Group
  - Requesting user must be Owner on the resource group being linked
- Linking a Network
  - Requesting user must be Owner on the vNet that is being linked (or on the resource group that contains the vNet)
- Linking an additional Azure subscription
  - Requesting user must be Owner on the subscription that is being linked
- Switching AVD object model from Classic to ARM
  - Requesting user must be Global Administrator in Azure AD to grant the needed admin consent
- Enabling Sepago Azure monitoring
  - Requesting user must be Owner on the selected resource group for deployment of the Log Analytics resources and permission assignment
- Creating Azure Files shares
  - Requesting user must be Contributor on the selected resource group for storage account deployment. To join a newly created Azure Files share to Active Directory, the selected AD profile must have permissions to create ServicePrincipalName objects (See Permissions required to join Azure file share to domain for additional details).
- Creating Azure NetApp Files volumes
  - Requesting user must be Contributor on the selected resource group for NetApp account deployment and on the vNet containing the NetApp Files subnet
- Creating AVD ARM host pools
  - Requesting user must be Contributor on the resource group in which the host pool is being created. To allow Nerdio Manager to manage app group membership, the requesting user must be Owner on the resource group into which the host pool and app group are being deployed.
- Adding access to Nerdio Manager for other users
  - Requesting user must be AVD Admin in Nerdio Manager
- Associating session host VMs from a previous WVD deployment
  - Requesting user must be Contributor on the resource group that contains the VMs
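The requirements above are ordinary Azure RBAC checks at a specific scope, so a user can meet them either by a direct assignment or by an assignment higher in the scope hierarchy: Owner on the subscription covers every resource group and vNet in it, and Owner on a resource group covers the vNet inside it (which is why the network entry accepts either). The built-in Owner role also contains every action Contributor does, so Owner satisfies any Contributor requirement. The added example below is not Nerdio's code; it evaluates the prerequisites for a set of constructed role assignments in the shape of `az role assignment list --assignee <user> --all` output (the `roleDefinitionName` and `scope` fields), with a made-up subscription ID and resource names, and goes slightly beyond the list by handling any scope depth generically.

```python
"""Evaluate the per-action Azure RBAC prerequisites listed above for one user.

Added example, not Nerdio's code. Role assignments are CONSTRUCTED sample data
with a made-up subscription ID, in the shape of `az role assignment list
--assignee <user> --all` output (roleDefinitionName and scope fields). Azure RBAC
is inherited down the scope hierarchy (management group > subscription >
resource group > resource), and the built-in Owner role contains every action
Contributor does, so Owner satisfies a Contributor requirement.
"""

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_NET = f"{SUB}/resourceGroups/rg-avd-network"
RG_HOSTS = f"{SUB}/resourceGroups/rg-avd-hosts"
VNET = f"{RG_NET}/providers/Microsoft.Network/virtualNetworks/vnet-avd"

# Constructed assignments for the requesting user.
ROLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Reader", "scope": SUB},
    {"roleDefinitionName": "Owner", "scope": RG_NET},
    {"roleDefinitionName": "Contributor", "scope": RG_HOSTS},
]

# Built-in roles only; a custom role name is treated as satisfying nothing.
ROLE_RANK = {"Reader": 0, "Contributor": 1, "Owner": 2}

# (required built-in role, scopes that must all be covered), taken from the list above.
PREREQUISITES = {
    "Link resource group rg-avd-hosts": ("Owner", [RG_HOSTS]),
    "Link network vnet-avd": ("Owner", [VNET]),
    "Link subscription": ("Owner", [SUB]),
    "Create Azure Files share in rg-avd-hosts": ("Contributor", [RG_HOSTS]),
    "Create AVD ARM host pool in rg-avd-hosts": ("Contributor", [RG_HOSTS]),
    "Let Nerdio Manager manage app group membership in rg-avd-hosts": ("Owner", [RG_HOSTS]),
}


def covers(assignment_scope, target_scope):
    """True when the assignment scope is the target scope or one of its ancestors."""
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def effective_rank(assignments, scope):
    """Highest built-in role rank that applies at scope, or -1 if none applies."""
    return max((ROLE_RANK.get(a["roleDefinitionName"], -1)
                for a in assignments if covers(a["scope"], scope)), default=-1)


def satisfies(assignments, scope, required):
    """Does the user hold `required` (or a role containing it) at `scope`?"""
    return effective_rank(assignments, scope) >= ROLE_RANK[required]


def check_prerequisites(assignments, prerequisites=PREREQUISITES):
    """Map each action to whether the user meets its requirement on every scope."""
    return {action: all(satisfies(assignments, s, role) for s in scopes)
            for action, (role, scopes) in prerequisites.items()}


if __name__ == "__main__":
    for action, ok in check_prerequisites(ROLE_ASSIGNMENTS).items():
        print(f"{'OK  ' if ok else 'FAIL'} {action}")
```

With the constructed assignments the user can link the vNet (Owner on its resource group) and create the file share and host pool (Contributor on rg-avd-hosts), but cannot link rg-avd-hosts or the subscription, and cannot let Nerdio Manager manage app group membership, because those need Owner. The check is an approximation of what Azure evaluates: it ignores deny assignments and custom roles, and it only sees assignments present in the input, so pass `--include-groups` to `az role assignment list` if the user's access comes through group membership.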
Once the Nerdio Manager application is installed and configured, a user needs no Azure permissions of their own to manage the configured WVD environment through Nerdio Manager; access is governed by Nerdio Manager's own RBAC roles, of which several are available. Most actions in Nerdio Manager are carried out by the application, using the API permissions listed above, on behalf of the logged-in user.