Nerdio and RBAC roles - MSGraph and Conditional Access

Hello --
We are using the End-user (built-In) RBAC role in Nerdio to allow users to restart, start, and stop their personal desktops.
However, their specific AVD environment is meant for Privileged Access Workstations. This means the accounts used to connect to AVD are strictly limited by Conditional Access (CA).

We have allowed the Nerdio Website through CA, but users are still unable to connect. This seems to be due to Nerdio making graph calls, which are not permitted by CA.

According to Nerdio Support "Nerdio uses Microsoft Graph after Entra authentication (and continuously during the session) to retrieve Entra ID group membership, which is then mapped to Nerdio RBAC roles."

Our CA team is not willing to allow the needed roles for this through CA (Directory.Read.All, User.ReadBasic.All, User.Read).

Our feature request:
Can Nerdio function fully using app-specific scopes only, without calling Graph endpoints? This would allow us to satisfy our CA requirements.
If there are any required attributes, claims, or permissions needed in the token for this scenario, please let us know — we can include those as part of an app-specific access token.

Thanks for your help,
Mark Schlegel