Built-in roles for Windows Virtual Desktop

Windows Virtual Desktop uses Azure role-based access controls (RBAC) to assign roles to users and admins. These roles give admins permission to carry out certain tasks. To learn more about built-in roles for Azure RBAC, see Azure built-in roles.

The standard built-in roles for Azure are Owner, Contributor, and Reader. However, Windows Virtual Desktop has additional roles that let you separate management roles for host pools, app groups, and workspaces. This separation lets you have more granular control over administrative tasks. These roles are named in compliance with Azure's standard roles and least-privilege methodology.

Windows Virtual Desktop doesn't have a specific Owner role. However, you can use a standard Owner role for the service objects.

Desktop Virtualization Contributor

The Desktop Virtualization Contributor role lets you manage all aspects of the deployment. However, it doesn't grant you access to compute resources. You'll also need the User Access Administrator role to publish app groups to users or user groups.

  • Microsoft.DesktopVirtualization/*
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/deployments/*
  • Microsoft.Authorization/*/read
  • Microsoft.Insights/alertRules/*
  • Microsoft.Support/*

Desktop Virtualization Reader

The Desktop Virtualization Reader role lets you view everything in the deployment but doesn't let you make any changes.

  • Microsoft.DesktopVirtualization/*/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/deployments/read
  • Microsoft.Authorization/*/read
  • Microsoft.Insights/alertRules/*
  • Microsoft.Support/*

Host Pool Contributor

The Host Pool Contributor role lets you manage all aspects of host pools, including access to resources. You'll need an extra contributor role, Virtual Machine Contributor, to create virtual machines. You will need AppGroup and Workspace contributor roles to create host pool using the portal or you can use Desktop Virtualization Contributor role.

The following list describes which permissions this role can access:

  • Microsoft.DesktopVirtualization/hostpools/*
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/deployments/*
  • Microsoft.Authorization/*/read
  • Microsoft.Insights/alertRules/*
  • Microsoft.Support/*

Host Pool Reader

The Host Pool Reader role lets you view everything in the host pool, but won't allow you to make any changes.

  • Microsoft.DesktopVirtualization/hostpools/*/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/deployments/read
  • Microsoft.Authorization/*/read
  • Microsoft.Insights/alertRules/*
  • Microsoft.Support/*

Application Group Contributor

The Application Group Contributor role lets you manage all aspects of app groups. If you want to publish app groups to users or user groups, you'll need the User Access Administrator role.

The following list describes which permissions this role can access:

  • Microsoft.DesktopVirtualization/applicationgroups/*
  • Microsoft.DesktopVirtualization/hostpools/read
  • Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/deployments/*
  • Microsoft.Authorization/*/read
  • Microsoft.Insights/alertRules/*
  • Microsoft.Support/*

Application Group Reader

The Application Group Reader role lets you view everything in the app group and will not allow you to make any changes.

The following list describes which permissions this role can access:

  • Microsoft.DesktopVirtualization/applicationgroups/*/read
  • Microsoft.DesktopVirtualization/applicationgroups/read
  • Microsoft.DesktopVirtualization/hostpools/read
  • Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/deployments/read
  • Microsoft.Authorization/*/read
  • Microsoft.Insights/alertRules/*
  • Microsoft.Support/*

Workspace Contributor

The Workspace Contributor role lets you manage all aspects of workspaces. To get information on applications added to the app groups, you'll also need to be assigned the Application Group Reader role.

The following list describes which permissions this role can access:

  • Microsoft.DesktopVirtualization/workspaces/*
  • Microsoft.DesktopVirtualization/applicationgroups/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/deployments/*
  • Microsoft.Authorization/*/read
  • Microsoft.Insights/alertRules/*
  • Microsoft.Support/*

Workspace Reader

The Workspace Reader role lets you view everything in the workspace, but won't allow you to make any changes.

The following list describes which permissions this role can access:

  • Microsoft.DesktopVirtualization/workspaces/read
  • Microsoft.DesktopVirtualization/applicationgroups/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/deployments/read
  • Microsoft.Authorization/*/read
  • Microsoft.Insights/alertRules/*
  • Microsoft.Support/*

User Session Operator

The User Session Operator role lets you send messages, disconnect sessions, and use the "logoff" function to sign sessions out of the session host. However, this role doesn't let you perform session host management like removing session host, changing drain mode, and so on. This role can see assignments, but can't modify admins. We recommend you assign this role to specific host pools. If you give this permission at a resource group level, the admin will have read permission on all host pools under a resource group.

The following list describes which permissions this role can access:

  • Microsoft.DesktopVirtualization/hostpools/read
  • Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
  • Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/*
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/deployments/read
  • Microsoft.Authorization/*/read
  • Microsoft.Insights/alertRules/*
  • Microsoft.Support/*

Session Host Operator

The Session Host Operator role lets you view and remove session hosts, as well as change drain mode. They can't add session hosts using the Azure portal because they don't have write permission for host pool objects. If the registration token is valid (generated and not expired), you can use this role to add session hosts to the host pool outside of Azure portal if the admin has compute permissions through the Virtual Machine Contributor role.

The following list describes which permissions this role can access:

  • Microsoft.DesktopVirtualization/hostpools/read
  • Microsoft.DesktopVirtualization/hostpools/sessionhosts/*
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/deployments/read
  • Microsoft.Authorization/*/read
  • Microsoft.Insights/alertRules/*
  • Microsoft.Support/*