Security and Permissions FAQs
Installation Permissions
Are Global Administrator and Subscription Owner roles required for installation? Why?
Yes. These elevated roles are required only during installation for the following reasons:
Global Administrator is needed once at the end of the install process to consent to required permissions for the Nerdio Enterprise App at the tenant level. After this step, Nerdio Manager runs under its own Managed Identity with no further need for Global Admin access.
Subscription Owner deploys and configures Azure resources (for example, App Service, SQL, and Key Vault) and registers the billing object for Nerdio Manager’s licensing.
After installation, these roles are no longer required for ongoing use.
See: Azure Permissions and Nerdio Manager for details.
Why is the Azure Owner role required on the Azure subscription?
The Owner role is required to:
Create and configure resources such as the App Service, Key Vault, Storage Account, and SQL DB.
Register the SaaS billing object for licensing.
After deployment, permissions can be reduced to Contributor or User Access Administrator, aligning with least-privilege models.
See Implementation Guide and Azure built-in roles for details.
Do users need to maintain Global Admin or Subscription Owner roles after installation?
No. These permissions are not required after installation.
Management is handled via:
Nerdio Manager's built-in RBAC roles.
Azure RBAC, where applicable.
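The post-install least-privilege step described in the two answers above, as an added PowerShell example (not Nerdio's own script): it swaps the installer's Owner assignment on the subscription for Contributor and then lists who still holds Owner. The subscription ID and the installer's Entra object ID are placeholders, and the Az PowerShell module is assumed to be installed.

```powershell
# Added example, not part of the Nerdio documentation. Requires the Az module.
# Placeholders: replace with the real subscription ID and the object ID of the
# user (or service principal) that ran the Marketplace installation.
$SubscriptionId    = "00000000-0000-0000-0000-000000000000"   # placeholder
$InstallerObjectId = "11111111-1111-1111-1111-111111111111"   # placeholder
$Scope             = "/subscriptions/$SubscriptionId"

Connect-AzAccount | Out-Null
Set-AzContext -Subscription $SubscriptionId | Out-Null

# 1. Grant the reduced role first so the principal is never left without access.
$hasContributor = Get-AzRoleAssignment -ObjectId $InstallerObjectId `
    -RoleDefinitionName "Contributor" -Scope $Scope
if (-not $hasContributor) {
    New-AzRoleAssignment -ObjectId $InstallerObjectId `
        -RoleDefinitionName "Contributor" -Scope $Scope | Out-Null
}

# 2. Remove the Owner assignment that was only needed during installation.
#    Nerdio Manager's own Managed Identity is not touched; only the installer's
#    assignment at subscription scope is removed.
Get-AzRoleAssignment -ObjectId $InstallerObjectId -RoleDefinitionName "Owner" -Scope $Scope |
    Where-Object { $_.Scope -eq $Scope } |
    ForEach-Object {
        Remove-AzRoleAssignment -ObjectId $_.ObjectId `
            -RoleDefinitionName $_.RoleDefinitionName -Scope $_.Scope
    }

# 3. Audit: every principal that still holds Owner directly on the subscription.
#    At least one Owner must remain, so review this list rather than clearing it.
Get-AzRoleAssignment -Scope $Scope |
    Where-Object { $_.RoleDefinitionName -eq "Owner" -and $_.Scope -eq $Scope } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

If the installer also holds User Access Administrator, the same pattern applies with that role name in step 1.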
Is the installation process automated, or can it be done manually and assigned to different people for each step?
The installation is primarily automated through the Azure Marketplace deployment.
Administrators can optionally perform part of the process manually by creating and consenting the Entra ID application in advance, using the Advanced Installation Guide.
The rest of the resources (App Service, Key Vault, Storage, SQL, etc.) are deployed automatically through the Marketplace ARM template.
Standard install: Fully automated via Azure Marketplace (~15–20 minutes).
Advanced install: Split between:
Entra ID admin (creates App Registration and grants consent).
Azure subscription owner (deploys infrastructure).
See Advanced installation: Create Entra ID application and Microsoft Learn – ARM Templates for details.
API Permissions
Which API permissions are required? Which are optional or negotiable?
Most permissions are required for full Nerdio Manager functionality. However, the following delegated permissions often raise questions:
Optional/Nice to have:
Application.ReadWrite.All (delegated): Enables app registration lifecycle management.
AppRoleAssignment.ReadWrite.All (delegated): Supports automated role assignment.
If excluded:
REST APIs for automated user assignment do not function.
Installed App rule sets may require manual updates.
Nerdio Manager follows least-privilege design principles and uses application-level permissions only when strictly necessary.
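To see which of the delegated permissions listed above were actually consented for the Nerdio Manager enterprise app, the following added PowerShell example (not Nerdio's own tooling) reads the app's OAuth2 permission grants for Microsoft Graph and flags the two optional ones. The Nerdio app (client) ID is a placeholder, and the Microsoft.Graph PowerShell module is assumed to be installed.

```powershell
# Added example, not part of the Nerdio documentation. Requires the Microsoft.Graph module.
# Placeholder: the application (client) ID of the Nerdio Manager app registration.
$NerdioAppId = "22222222-2222-2222-2222-222222222222"   # placeholder

# Read-only scopes are sufficient to inspect service principals and permission grants.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" | Out-Null

# The two delegated permissions the FAQ describes as optional, with the
# functionality that is lost when they are not granted.
$Optional = @{
    "Application.ReadWrite.All"       = "app registration lifecycle management"
    "AppRoleAssignment.ReadWrite.All" = "automated role assignment; REST APIs for user assignment"
}

# Resolve the Nerdio enterprise app and the Microsoft Graph service principal
# (Graph's well-known application ID is 00000003-0000-0000-c000-000000000000).
$nerdioSp = Get-MgServicePrincipal -Filter "appId eq '$NerdioAppId'"
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
if (-not $nerdioSp) { throw "No service principal found for app ID $NerdioAppId" }

# Delegated consent is recorded as oauth2PermissionGrant objects whose Scope
# property is a space-separated list of permission names.
$granted = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($nerdioSp.Id)'" |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { $_.Scope -split ' ' } |
    Where-Object { $_ } |
    Sort-Object -Unique

foreach ($name in $Optional.Keys | Sort-Object) {
    $state = if ($granted -contains $name) { "GRANTED" } else { "NOT GRANTED" }
    "{0,-12} {1,-34} enables: {2}" -f $state, $name, $Optional[$name]
}
"All delegated Graph permissions consented for '$($nerdioSp.DisplayName)':"
$granted -join ", "
```

Application-level permissions are recorded separately as app role assignments, so this listing deliberately covers only the delegated grants the question is about.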
Network and Connectivity
What peering is required when using Nerdio Manager with private endpoints?
The need for virtual network (VNet) peering depends on how Nerdio Manager is deployed and the broader network layout:
When peering is not required:
Nerdio Manager can be deployed in the same subnet as the AVD session hosts or Cloud PCs.
It can also be in a different subnet within the same VNet. In these cases, no peering is necessary.
When peering is required:
If Nerdio Manager is deployed in a dedicated VNet with Private Endpoints enabled during installation, peering may be required between:
The Nerdio Manager VNet, where the Private Endpoint and web app reside.
Any existing VNets hosting AVD session hosts or storage resources (for example, FSLogix, MSIX, or profile containers).
Recommended practice for larger environments:
Place Nerdio Manager in a management VNet and subnet.
Deploy AVD session hosts and related resources (for example, storage) in separate VNets.
Peer these VNets into the Nerdio Manager management VNet for centralized control and scalability.
Note: This model supports environments with many session hosts or stricter network segmentation requirements.
Are public endpoints temporarily required during install, even in secure deployments?
Yes. Temporary public access is required for:
Key Vault, during the install phase (secrets are written securely).
Other services used during the initial ARM template execution.
After installation, these components are converted to use private endpoints where configured.
Private Endpoint Options
What are the options for using private endpoints with Nerdio Manager?
The following are supported approaches to using private endpoints with Nerdio Manager:
Secure Deployment (recommended)
Nerdio Manager provisions all required resources with private endpoints during installation.
This is the most streamlined and fully supported method.
Post-deployment scripted hardening
Use Nerdio Manager’s provided hardening runbook to apply private endpoints after deployment.
This is ideal for customers who initially deploy without private endpoints but want to secure the deployment later.
Fully manual hardening
For environments with highly specific security or DNS requirements (for example, not using Azure DNS).
Requires manually configuring private endpoints, DNS settings, and possibly network routes beyond what the hardening script handles.
Note: As of Nerdio Manager version 7.4, all core Nerdio Manager modules now support hardened deployment using private endpoints, without requiring a hybrid worker VM (for scripts under 500 KB). This includes:
Unified Application Management (UCA)
Intune Insights
Private WinGet
Azure Runbooks / Automation
Azure AI Analytics
Authentication and Role Delegation
Does Nerdio Manager participate in authentication or RDP connectivity for AVD or Cloud PCs?
No. Nerdio Manager:
Does not proxy authentication or RDP traffic.
Does not alter native Azure AD or Entra ID authentication.
Operates outside the AVD control and data planes.
When a token is generated by an administrator, is that token shared with other users?
No. Each identity (user or service principal) gets its own token. Tokens are not shared, ensuring secure, auditable, and isolated activity.
See Microsoft Learn – Access Tokens and Audit Logs in Entra ID for details.
Data Handling and Licensing
What data is shared with Nerdio Manager’s licensing server?
Only metadata required for license tracking is transmitted:
Entra ID tenant ID
Azure subscription ID
Nerdio Manager app registration ID
No user, VM, or session data is shared.
See Does Nerdio Manager Store Customer Information? for details.
How is the authentication token secured in Azure?
Tokens and secrets are stored in Azure Key Vault, which:
Encrypts data at rest and in transit. The encryption keys themselves are stored and managed inside the same Azure Key Vault service.
Is accessed only via Managed Identity under RBAC.
Never exposes secrets in logs, code, or environment variables.
See Azure Key Vault Security and Encryption with Key Vault for details.
What are the security considerations for the Nerdio Manager web app?
Uses Azure App Service with Managed Identity for secure Key Vault access.
Encryption in transit and at rest.
Full audit logging via Azure Monitor.
Optional private endpoint support to restrict access.
See Secure App Service and Private Endpoints for details.
Is Marketplace deployment mandatory? Can it be reviewed beforehand?
Yes, Marketplace deployment is required to install Nerdio Manager.
However, you can:
Select Review + Create before deployment to inspect all components.
Download the ARM template in advance for internal review.
After deployment, review the changes in the Resource Group’s Deployment History.
See Implementation Guide and Review/Export ARM Templates for details.
Outbound Access and Firewall Requirements
What outbound access is required for Nerdio Manager and AVD to function?
Internet access is required from:
Nerdio Manager components for licensing, Azure APIs, logging, and general platform functionality.
AVD session hosts for broker communication, session management, updates, and integration with Azure services.
Additional considerations: Ensure outbound access is allowed to Microsoft URLs used by:
Windows Update
Microsoft Store / MS Winget repositories
Azure automation and diagnostics endpoints
Note: If you're blocking internet access with private DNS or firewalls, ensure that the required Microsoft services are still reachable, either by using private endpoints or by allowing the appropriate Azure service tags.
See Required outbound internet access from AVD session host VMs and VNet integration firewall requirements for details.
Console Connect and AI Features
Does Nerdio Manager install any agent on session hosts?
No, unless Console Connect is enabled. In that case, a lightweight agent is installed to support secure shadowing and remote control for help desk staff.
See Console Connect FAQs for details.
Do Nerdio Manager AI features communicate with external services?
No. Nerdio Manager AI features (for example, Copilot, Auto-scale Insights):
Are tenant contained.
Are not deployed by default.
Use internal models unless explicitly configured otherwise (for example, Azure OpenAI).