Azure Permissions and Nerdio Manager

Azure Permissions and Nerdio Manager

Nerdio Manager is an Azure application that is deployed from the Azure Marketplace and runs inside your own Entra ID tenant and Azure subscription. It requires certain permissions during installation, configuration, and ongoing use.

Tip: See the following document for a deep dive into the Azure permissions and Nerdio Manager: Nerdio Manager for Enterprise - Permissions.

Installation Permissions

The Entra ID user performing the installation of Nerdio Manager requires the following permissions:

  • Global Administrator role in Entra ID.

  • Owner role in the Azure subscription.

Note: These elevated permissions are only needed for the initial installation and configuration process and are not necessary for ongoing use of Nerdio Manager.

When Nerdio Manager is installed, it has the following API application permissions in Azure:

Service Permission Function

Azure Resource Manager

Subscription Reader

Subscription Backup Reader

List the available resources in the Azure subscription and make requests on behalf of the user.

Microsoft Graph

Application.ReadWrite.All (delegated)

Manage the Nerdio Manager application service principal.

Microsoft Graph

AppRoleAssignment.ReadWrite.All (delegated)

Assign the users to the Nerdio Manager application to enable user sign in.

Microsoft Graph

Directory.Read.All (delegated)

List service principals to determine permission level.

Microsoft Graph

User.Read, User.ReadBasic.All (delegated)

 

GroupMember.Read.All,

Organization.Read.All (application)

 

(Optional) Group.Read.All,

User.Read.All (application)

Read the Entra ID groups and membership for app group assignments.

Microsoft Graph

Offline_access, openid, profile (delegated)

Allow user sign in.

Azure Service Management

user_impersonation (delegated)

Make requests to Azure on behalf of the user.

Windows Virtual Desktop

TenantCreator (application)

(AVD Classic/V1) Create the AVD tenants.

Windows Virtual Desktop

user_impersonation (delegated)

(AVD Classic/V1) Make requests on behalf of the user.

Note:Group.Read.All and User.Read.All application-level API permissions can be removed in version 4.0+. Removing these permissions has the following implications:

  • REST API cannot be used to assign users to host pools without User.Read.All application-level permission.

  • If using Installed Apps management with existing rulesets, after removing Group.Read.All application-level permissions be sure to open each ruleset and save it.

Subscription Permissions

While activating Nerdio Manager licensing subscription, a new SaaS subscription object Azure resource is created on the Azure subscription, which allows Nerdio Manager to charge for license consumption as a 3rd party service on the Azure bill. In order to configure a SaaS subscription object, because it causes additional costs to be included on the subscription, the user completing the configuration must be a subscription owner.

A new Entra ID application registration specific for Nerdio Manager's billing is also created automatically as part of the resource deployment. This application is granted the below permissions in order to authenticate as your user on behalf of your Azure tenant, and register the SaaS subscription object as being tied to your Azure subscription. These permissions allow the billing application to inform Nerdio Manager's licensing service the following details:

  • Who is completing the purchase.

  • Which SaaS subscription object is used for billing.

  • Which Entra ID tenant you are connecting from.

Note: These are the same permissions being granted to the billing application as are granted to the primary Nerdio Manager application above.

Service Permission Function

Microsoft Graph

openid, profile, User.Read (delegated)

Allows user sign in (name & Azure tenant ID are shared).

Configuration Permissions

Once the Nerdio Manager application is installed, there are several configuration actions that can be taken inside of Nerdio Manager to "link" it to existing Azure resources or create new ones. These actions require the requesting user (that is, the user logged in and performing the action via Nerdio Manager) to have certain permissions on the Azure resources that are being used.

ActionPermissions Required

Link a resource group

The requesting user must be an Owner on the resource group being linked.

Link a network

The requesting user must be an Owner on the vNet that is being linked (or the resource group that contains the vNet).

Link an additional Azure subscription

The requesting user must be an Owner on the subscription that is being linked.

Switch the AVD object model from Classic to ARM

The requesting user must be a Global Administrator in the Entra ID in order to grant the required admin consent.

Enable Sepago Azure monitoring

The requesting user must be an Owner on the selected resource group for deployment of the Log Analytics resources and permission assignment.

Create Azure Files shares

The requesting user must be a Contributor on the selected resource group for the storage account deployment. To join a newly created Azure Files share to Active Directory, the selected AD profile must have permissions to create ServicePrincipalName objects (See Permissions required to join Azure file share to domain for additional details.)

Create Azure NetApp Files volumes

The requesting user must be a Contributor on the selected resource group for NetApp account deployment and the vNet containing the NetApp Files subnet.

Create AVD ARM host pools

The requesting user must be a Contributor on the resource group in which the host pool is being created. To allow Nerdio Manager to manage app group membership, the requesting user must be an Owner on the resource group into which the host pool and app group are being deployed.

Add access to the Nerdio Manager for other users

The requesting user must be an AVD Admin in Nerdio Manager.

Associate session host VMs from previous AVD deployment

The requesting user must be a Contributor in the resource group that contains the VMs.

Ongoing Use Permissions

When the Nerdio Manager application is installed and configured, no user permissions in Azure are required to manage the configured AVD environment via Nerdio Manager. Most actions in Nerdio Manager run on Nerdio Manager on behalf of the signed in user.

Note: There are several RBAC roles available. See Role-based Access Control (RBAC) in NME for details.

Was this article helpful?

0 out of 0 found this helpful
Have more questions? Submit a request

Comments (0 comments)

Article is closed for comments.