Hello --
We are using the End-user (built-In) RBAC role in Nerdio to allow users to restart, start, and stop their personal desktops.
However, access to this AVD environment is strictly controlled by Conditional Access (CA).
We have allowed the Nerdio Website through CA, but users are still unable to connect. This seems to be due to Nerdio making MSGraph calls (Directory.Read.All, User.ReadBasic.All, User.Read), which are not permitted by CA. They cannot give granular access to MS.Graph, and are not willing to increase the ‘blast radius’ by allowing all users these permissions.
According to Nerdio Support "Nerdio uses Microsoft Graph after Entra authentication (and continuously during the session) to retrieve Entra ID group membership, which is then mapped to Nerdio RBAC roles."
Our CA team is not willing to allow the needed roles for this through CA (Directory.Read.All, User.ReadBasic.All, User.Read).
Our feature request:
Can Nerdio function fully using app-specific scopes only, without calling Graph endpoints? This would allow us to satisfy our CA requirements.
If there are any required attributes, claims, or permissions needed in the token for this scenario, please let us know — we can include those as part of an app-specific access token.
Thanks for your help.