Day 36: AZ-140 Pt.3.1 - Managing WVD - Access

  


Section 3: Manage Access and Security (10-15%)

Manage Access

The below should cover the following criteria for this section of the exam:
  • Plan and implement Azure roles and role-based access control (RBAC) for Windows Virtual Desktop
  • Manage local roles, groups and rights assignment on Windows Virtual Desktop session hosts
  • Configure user restrictions by using Azure AD group policies and AD policies
In the below steps, it should be noted I am not going to say click this n that, I will give a general overview but you will need to fill in the gaps with your knowledge of Azure.

Plan and implement RBAC roles for WVD

We know from previous blogs, I created a few users when planning my environment.



We are using WVD Multi-Session Users as our group which has the role assigned to it - Desktop Virtualization User.

We can push these RBAC roles via powershell using the below:

New-AzRoleAssignment -SignInName <userupn> -RoleDefinitionName "Desktop Virtualization User" -ResourceName <appgroupname> -ResourceGroupName <resourcegroupname> -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups'

New-AzRoleAssignment -ObjectId <usergroupobjectid> -RoleDefinitionName "Desktop Virtualization User" -ResourceName <appgroupname> -ResourceGroupName <resourcegroupname> -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups'

I would say at a bare minimum we want 3 groups of users depending on what people are doing:
  • Users who use the system =/= WVD Users.
  • Users who manage the system =/= Administrator Users.
  • Users who support the system =/= Service Desk.
The above users in my environment have been assigned roles for the purpose they fulfill, I made a mistake with the Power user, this will also be assigned the DVU role however.

We know from looking at this previously, that for multi-session its a no-go, however we also know its fairly limited in WVD in general. I think we can take some small comfort in the fact that from all the reading I have done, Microsoft really like multi-session and for the vast majority of people using WVD, this is the route to go.


I think its probably important however to recognize that the roles are controlled at different areas within the portal. 

Roles such as the below, which allow control over the hostpool environment, are done via the IAM (Access Control) on the host pool blade itself.


We would then go into Role Assignments, and click Add, we wouldn't add this user group but as an example we could give this group the role below.


However, if we wanted to configure WVD Multi-Session Users to have access to the WVD itself, this being able to login as a day to day user, then we would do this via the Application Group that's configured when you add the hostpool. We can see below how the role assignments also change, here the Desktop Virtualization Role becomes available.







Hopefully this covers most of this section, however I think despite it being a small section, its actually quite deceiving as there are a lot of roles, more or less 20 that you should know what each is for and what it does, unsure how you can expect someone to know this but assume it would be something that would come up in the exam.

Comments

Post a Comment

Popular posts from this blog

Day 34: AZ-140 Pt.2.3 - Create Gold Images & Deploy

Image
  Section 2: Implement a Windows Virtual Desktop Infrastructure (25-30%) Create and manage session host images   The below should cover the following criteria for this section of the exam: Create a gold image   Modify a session host image   Install language packs in Windows Virtual Desktop   Deploy a session host by using a custom image   Plan for image update and management   Create and use a Shared Image Gallery   Troubleshoot OS issues related to Windows Virtual Desktop  Creating my gold image I am going to create my image using a template provided by Microsoft but making some alterations to it, and then strip away the VHD and use that for my machines instead.  
Read more

Day 43: AZ-140 Pt.6 - Summary

Image
    Summary Quick overview of things to consider: Disclaimers:  In the below, its a list of points to scan over and quickly go away and research. All opinions below are my own and are not representative of any company I am linked with.  All scripts and information followed below is at your own risk and I hold no responsibility if you run any of it in production without testing in pre-production first.
Read more

Day 39: AZ-140 Pt.4.2 - Managing Users & Apps - Configure Apps

Image
  Section 4: Manage User Environments & Apps (20-25%) Install and configure apps on a session host The below should cover the following criteria for this section of the exam: Configure dynamic application delivery by using MSIX App Attach https://docs.microsoft.com/en-us/azure/virtual-desktop/app-attach-azure-portal?WT.mc_id=modinfra-17152-thmaure Implement application masking  deploy an application as a RemoteApp https://docs.microsoft.com/en-us/fslogix/implement-application-masking-tutorial?WT.mc_id=modinfra-17152-thmaure Implement and manage OneDrive for Business for a multi-session environment https://docs.microsoft.com/en-us/onedrive/sync-vdi-support?WT.mc_id=modinfra-17152-thmaure Implement and manage Microsoft Teams AV Redirect https://docs.microsoft.com/en-us/microsoftteams/teams-for-vdi?WT.mc_id=modinfra-17152-thmaure Implement and manage browsers and internet access for Windows Virtual Desktop sessions https://docs.microsoft.com/en-us/azure/architecture/example-scenario/w
Read more