Azure Permissions and Nerdio Manager
Nerdio Manager is an Azure application that is deployed from the Azure Marketplace and runs inside your own Entra ID tenant and Azure subscription. It requires certain permissions during installation, configuration, and ongoing use.
Tip: See this document for a deep dive into the Azure permissions and Nerdio Manager.
The Entra ID user performing the installation of Nerdio Manager requires the following permissions:
Global Administrator role in Entra ID.
Owner role in the Azure subscription.
Note: These elevated permissions are only needed for the initial installation and configuration process and are not necessary for ongoing use of Nerdio Manager.
When Nerdio Manager is installed, it has the following API application permissions in Azure:
Azure Resource Manager
Subscription Backup Reader
List the available resources in the Azure subscription and make requests on behalf of the user.
Manage the Nerdio Manager application service principal.
Assign the users to the Nerdio Manager application to enable user sign in.
List service principals to determine permission level.
User.Read, User.ReadBasic.All (delegated)
Read the Entra ID groups and membership for app group assignments.
Offline_access, openid, profile (delegated)
Allow user sign in.
Azure Service Management
Make requests to Azure on behalf of the user.
Windows Virtual Desktop
(AVD Classic/V1) Create the AVD tenants.
Windows Virtual Desktop
(AVD Classic/V1) Make requests on behalf of the user.
Note:Group.Read.All and User.Read.All application-level API permissions can be removed in version 4.0+. Removing these permissions has the following implications:
REST API cannot be used to assign users to host pools without User.Read.All application-level permission.
If using Installed Apps management with existing rulesets, after removing Group.Read.All application-level permissions be sure to open each ruleset and save it.
While activating Nerdio Manager licensing subscription, a new SaaS subscription object Azure resource is created on the Azure subscription, which allows Nerdio Manager to charge for license consumption as a 3rd party service on the Azure bill. In order to configure a SaaS subscription object, because it causes additional costs to be included on the subscription, the user completing the configuration must be a subscription owner.
A new Entra ID application registration specific for Nerdio Manager's billing is also created automatically as part of the resource deployment. This application is granted the below permissions in order to authenticate as your user on behalf of your Azure tenant, and register the SaaS subscription object as being tied to your Azure subscription. These permissions allow the billing application to inform Nerdio Manager's licensing service the following details:
Who is completing the purchase.
Which SaaS subscription object is used for billing.
Which Entra ID tenant you are connecting from.
Note: These are the same permissions being granted to the billing application as are granted to the primary Nerdio Manager application above.
openid, profile, User.Read (delegated)
Allows user sign in (name & Azure tenant ID are shared).
Once the Nerdio Manager application is installed, there are several configuration actions that can be taken inside of Nerdio Manager to "link" it to existing Azure resources or create new ones. These actions require the requesting user (that is, the user logged in and performing the action via Nerdio Manager) to have certain permissions on the Azure resources that are being used.
Link a resource group
The requesting user must be an Owner on the resource group being linked.
Link a network
The requesting user must be an Owner on the vNet that is being linked (or the resource group that contains the vNet).
Link an additional Azure subscription
The requesting user must be an Owner on the subscription that is being linked.
Switch the AVD object model from Classic to ARM
The requesting user must be a Global Administrator in the Entra ID in order to grant the required admin consent.
Enable Sepago Azure monitoring
The requesting user must be an Owner on the selected resource group for deployment of the Log Analytics resources and permission assignment.
Create Azure Files shares
The requesting user must be a Contributor on the selected resource group for the storage account deployment. To join a newly created Azure Files share to Active Directory, the selected AD profile must have permissions to create ServicePrincipalName objects (See Permissions required to join Azure file share to domain for additional details.)
Create Azure NetApp Files volumes
The requesting user must be a Contributor on the selected resource group for NetApp account deployment and the vNet containing the NetApp Files subnet.
Create AVD ARM host pools
The requesting user must be a Contributor on the resource group in which the host pool is being created. To allow Nerdio Manager to manage app group membership, the requesting user must be an Owner on the resource group into which the host pool and app group are being deployed.
Add access to the Nerdio Manager for other users
The requesting user must be an AVD Admin in Nerdio Manager.
Associate session host VMs from previous AVD deployment
The requesting user must be a Contributor in the resource group that contains the VMs.
Ongoing Use Permissions
When the Nerdio Manager application is installed and configured, no user permissions in Azure are required to manage the configured AVD environment via Nerdio Manager. Most actions in Nerdio Manager run on Nerdio Manager on behalf of the signed in user.
Note: There are several RBAC roles available. See Role-based Access Control (RBAC) in NME for details.