Day 36: AZ-140 Pt.3.1 - Managing WVD - Access
Section 3: Manage Access and Security (10-15%)
The below should cover the following criteria for this section of the exam:
- Plan and implement Azure roles and role-based access control (RBAC) for Windows Virtual Desktop
- Manage local roles, groups and rights assignment on Windows Virtual Desktop session hosts
- Configure user restrictions by using Azure AD group policies and AD policies
In the below steps, it should be noted I am not going to say click this and that; I will give a general overview, but you will need to fill in the gaps with your knowledge of Azure.
Plan and implement RBAC roles for WVD
We know from previous blogs that I created a few users when planning my environment.
We are using WVD Multi-Session Users as our group, which has the Desktop Virtualization User role assigned to it.
We can push these RBAC roles via PowerShell using the below (Az.Resources module, signed in with Connect-AzAccount first). The role is assigned at the scope of the application group, which is what grants a user or group the right to sign in to the published desktop or apps:
# Assign the role to a single user, identified by UPN
New-AzRoleAssignment -SignInName <userupn> -RoleDefinitionName "Desktop Virtualization User" -ResourceName <appgroupname> -ResourceGroupName <resourcegroupname> -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups'
# Assign the role to an Azure AD group, identified by its object ID (preferred over per-user assignments)
New-AzRoleAssignment -ObjectId <usergroupobjectid> -RoleDefinitionName "Desktop Virtualization User" -ResourceName <appgroupname> -ResourceGroupName <resourcegroupname> -ResourceType 'Microsoft.DesktopVirtualization/applicationGroups'
I would say at a bare minimum we want 3 groups of users, depending on what people are doing:
- Users who use the system -> WVD Users.
- Users who manage the system -> Administrator Users.
- Users who support the system -> Service Desk.
The above users in my environment have been assigned roles for the purpose they fulfil. I made a mistake with the Power user; this one will also be assigned the DVU role, however.
We know from looking at this previously that for multi-session it's a no-go; however, we also know it's fairly limited in WVD in general. I think we can take some small comfort in the fact that, from all the reading I have done, Microsoft really like multi-session, and for the vast majority of people using WVD this is the route to go.
I think it's probably important, however, to recognize that the roles are controlled at different areas within the portal.
Roles such as the below, which allow control over the host pool environment, are assigned via IAM (Access Control) on the host pool blade itself.
We would then go into Role Assignments and click Add. We wouldn't add this user group here, but as an example we could give this group the role below.
However, if we wanted to configure WVD Multi-Session Users to have access to the WVD itself, that is, being able to log in as a day-to-day user, then we would do this via the Application Group that's configured when you add the host pool. We can see below how the role assignments also change; here the Desktop Virtualization User role becomes available.
Hopefully this covers most of this section. However, I think despite it being a small section, it's actually quite deceiving, as there are a lot of roles (more or less 20) that you should know what each is for and what it does. I'm unsure how you can expect someone to know all of this, but I assume it would be something that would come up in the exam.
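To tie the two scopes together, here is an added PowerShell example (my own illustration, not code from the original post): it assigns the three groups from the list above their roles at the right scope, with day-to-day access granted on the application group and management rights on the host pool, skips assignments that already exist, and then lists what is effective on the application group. The resource group, host pool, application group and group display names are placeholders; the roles chosen for the administrator and service-desk groups are assumptions for illustration, while the Desktop Virtualization User mapping is the one the post describes.

```powershell
# Added example, not from the original post. Assumed: placeholder names below,
# Az.Accounts / Az.Resources / Az.DesktopVirtualization modules installed.
Connect-AzAccount | Out-Null

$rg     = 'rg-wvd-placeholder'        # assumed resource group name
$hpName = 'hp-wvd-placeholder'        # assumed host pool name
$agName = 'hp-wvd-placeholder-DAG'    # assumed desktop application group name

# Scopes: user access lives on the application group, host pool management on
# the host pool itself, matching the two IAM blades the post refers to.
$appGroupId = (Get-AzWvdApplicationGroup -ResourceGroupName $rg -Name $agName).Id
$hostPoolId = (Get-AzWvdHostPool        -ResourceGroupName $rg -Name $hpName).Id

# Group -> built-in role -> scope. The admin and service-desk role choices are
# assumptions; only the user group mapping comes from the post.
$assignments = @(
    @{ Group = 'WVD Multi-Session Users'; Role = 'Desktop Virtualization User';                  Scope = $appGroupId }
    @{ Group = 'WVD Administrator Users'; Role = 'Desktop Virtualization Host Pool Contributor'; Scope = $hostPoolId }
    @{ Group = 'WVD Service Desk';        Role = 'Desktop Virtualization User Session Operator';  Scope = $hostPoolId }
)

foreach ($a in $assignments) {
    $group = Get-AzADGroup -DisplayName $a.Group
    if (-not $group) { Write-Warning "Group '$($a.Group)' not found, skipping"; continue }

    # Idempotent: create the assignment only if it is not already present.
    $existing = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $a.Role `
                    -Scope $a.Scope -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "OK   $($a.Group) already has '$($a.Role)' on $($a.Scope)"
        continue
    }
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $a.Role -Scope $a.Scope | Out-Null
    Write-Host "ADD  $($a.Group) -> '$($a.Role)' on $($a.Scope)"
}

# Review what is effective on the application group. This includes assignments
# inherited from the resource group and subscription, which is exactly where
# broader-than-intended rights (e.g. Contributor at RG level) tend to hide.
Get-AzRoleAssignment -Scope $appGroupId |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

Assigning to groups rather than individual sign-in names keeps the review output short and means offboarding a user is a group membership change, not a hunt through role assignments across every application group.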