How do I give a developer admin access to his Azure Virtual Desktop session? He needs to be able to install applications without the UAC
coming up asking for the admin access.
Azure Virtual Desktop session Admin Access
**Hello @FrancinePisano-3580,
If the VM is AD joined (during deployment) by below method, then you must configure azure role assignments for users who are authorized to login in to the VM. With the RBAC role assignment of Virtual Machine Administrator Login, user can log in to an Azure virtual machine with administrator privileges.
Check in case the accounts you are using does only have "Virtual Machine User Login" – Users with this role assigned can log in to an Azure virtual machine with regular user privileges.
When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token. The standard user access token contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs are removed. The standard user access token is used to start apps that do not perform administrative tasks (standard user apps). The standard user access token is then used to display the desktop (explorer.exe). Explorer.exe is the parent process from which all other user-initiated processes inherit their access token. As a result, all apps run as a standard user unless a user provides consent or credentials to approve an app to use a full administrative access token.
A user that is a member of the Administrators group can log on, browse the Web, and read e-mail while using a standard user access token. When the administrator needs to perform a task that requires the administrator access token, Windows 10 or Windows 11 automatically prompts the user for approval. This prompt is called an elevation prompt, and its behavior can be configured by using the Local Security Policy snap-in (Secpol.msc) or Group Policy. For more info, see User Account Control security policy settings.**
Please refer below links for more details:
https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works
https://docs.microsoft.com/en-us/azure/virtual-desktop/rbac
Hope this helps!
Please "Accept as Answer" and Upvote if the answer provided is useful, so that you can help others in the community looking for remediation for similar issues.
Hi @Prrudram-MSFT
I do not see this "Virtual Machine Administrator Login" as a built in role within the AVD that I am trying to give administrative access to.
I looked at the access within the host pool and the machine object itself and do not see this listed as a built in role.
Please advise where I find this built in role that I would assign to the developer user that needs this access.
Thank you!
Fran
Hello @FrancinePisano-3580,
Virtual Machine Administrator Login is not available at AVD RBAC level, it is a VM level role as described here https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-administrator-login
If you are describing where end users need admin access to the VM they are signed into, that would just be a matter of delegating local admin rights. This wouldn’t be suggested on multi-session since this would likely create configuration drift and depending on the application install directory would break some applications due to fslogix.
Hi @Prrudram-MSFT - I have given the user the role of Virtual Machine Administrator Login on the 2 AVDs that he is working within. I was able to figure out how to do this.
I have not heard back. By the way, the admin rights on the local PC do not flow through to the AVD as he does already have these right. Thank you.
7 people are following this question.
