Restart VM Helpdesk Operator Azure RBAC Custom Role for AVD

Let’s find the easiest way to create a restart VM helpdesk operator Azure RBAC custom role for Azure Virtual Desktop (AVD). There are many other ways to create a custom role in Azure using PowerShell and JSON file.

The easiest method I found to create a custom Azure RBAC role is using the Azure portal itself. If you want to recreate this custom role in different Azure Subscriptions, you can use the JSON file that I shared in the below section of the post.

There is no default Azure RBAC role to permit to restart of a VM for level 1 support. I think this is critical for initial or first-level troubleshooting for all Azure Virtual Desktop (a.k.a WVD). Also, the end-users can’t restart the VMs from the RD client or RD web portal. I know this is irrelevant for multi-session scenarios, but this restart button for end-users can be useful for a single session.

I think for both single and multi-session scenarios, you will need to create the Restart VM Helpdesk operator Azure RBAC custom role to avoid a lot of tickets coming to Level 2 teams.

Patch My PC

AVD Helpdesk Operator Roles

The following are the roles that I recommend to provide for Level 1 helpdesk resources. Are you using some different built-in roles to delegate permissions to helpdesk support? If so, let me know in the comments. These two roles didn’t come with restart VM permissions.

The Desktop Virtualization Reader role assigned for helpdesk support admin helps to view everything permissions in the deployment but doesn’t let them make any changes.

Adaptiva
  • Desktop virtualization reader
  • Desktop Virtualization Session Host Operator

The Desktop Virtualization Session Host Operator role helps the helpdesk admins view and remove session hosts and change drain mode. They can’t add session hosts using the Azure portal because they don’t have “write permission” for host pool objects.

Restart VM Helpdesk Operator Azure RBAC Custom Role for AVD 1
Restart VM Helpdesk Operator Azure RBAC Custom Role for AVD 12

You will need to analyze/test the delete and write permissions assigned to the AVD Helpdesk admin role. These permissions need further assessment for each organization because it mainly depends on the existing support system.

TypePermissionsDetails – Description
ReadRead hostpools Read hostpools
ReadRead hostpools/sessionhosts Read hostpools/sessionhosts
WriteWrite hostpools/sessionhosts Write hostpools/sessionhosts
DeleteDelete hostpools/sessionhosts Delete hostpools/sessionhosts
ReadRead hostpools/sessionhosts/usersessions Read hostpools/sessionhosts/usersessions
WriteWrite hostpools/sessionhosts/usersessions Write hostpools/sessionhosts/usersessions
DeleteDelete hostpools/sessionhosts/usersessions Delete hostpools/sessionhosts/usersessions
Otherdisconnect Disconnects the user session form session host
OthersendMessage Send message to user session

Custom Azure RBAC Role – Restart VM Helpdesk Operator

As mentioned above, there are many ways to create custom Azure RBAC roles. I have selected the easiest method in this post. For AVD Helpdesk admin, it’s very helpful to provide restart virtual machine (VM) permissions.

In my experience, 99.99% of AVD session host connectivity issues from RD Client and RD portal can be resolved by a restart. But, as you know, we don’t have a restart option for end-users from RD clients or RD web clients. Hence, it’s worth giving restart VM permission to the level 1 support team.

Let’s check how to build a custom Azure RBAC role for the AVD Helpdesk support team.

  • Login to Azure portal – portal.azure.com.
  • Navigate to Subscription – Access Control (IAM).
  • Click on +add button and select Add Custom Role.
Restart VM Helpdesk Operator Azure RBAC Custom Role for AVD
Restart VM Helpdesk Operator Azure RBAC Custom Role for AVD

Enter the name of the Azure RBAC custom role. I choose the following name of the custom role HTMD Restart VM Helpdesk Operator. I recommend writing a detailed description of the Azure ARBAC custom role so that fellow admin can understand it quickly.

I normally use Clone a role to provide baseline permissions for the custom role. I have already checked the Microsoft documentation to understand the built-in Azure RBAC role that provides permission to restart the VM.

I selected the DevTest Labs User role as the role to clone. You will need to remove the additional permissions on this role to provide only the minimum required permissions for Restart VM Helpdesk Role.

Restart VM Helpdesk Operator Azure RBAC Custom Role for AVD
Restart VM Helpdesk Operator Azure RBAC Custom Role for AVD

Add Permissions to Restart VM Helpdesk Operator

Let’s provide Add Permissions to Restart VM Helpdesk Operator role. You will need to keep only two permissions listed below and remove all the other permissions from the custom role. These two permissions help AVD admins to delegate restart Virtual Machine permission to Level 1 or the Helpdesk support team.

  • Microsoft.Compute/virtualMachines/read – Get the properties of a virtual machine
  • Microsoft.Compute/virtualMachines/restart/action – Restarts the virtual machine

Click Add permissions to select the permissions you want to add to this custom role. To add a wildcard (*) permission, you must manually add the permission on the JSON tab. To exclude specific permissions from wildcard permission, click Exclude permissions.

You will need to remove all the other permissions from the custom permission role for HTMD Restart VM Helpdesk Operator. This role should give only the restart permissions to helpdesk users.

Add Permissions to Restart VM Helpdesk Operator
Add Permissions to Restart VM Helpdesk Operator

Assign a Scope for Custom Azure RBAC Role

In this section, you will have to add or assign a scope to the custom Azure RBAC role so that this role will be visible inside that particular scope.

You can click on Add assignable scopes to select the scopes (management groups, subscriptions, or resource groups) where this role will be available for assignment.

I’m going to leave this at the subscription level. So this custom role can be used within this particular subscription. You can change the scope only to a resource group if you want the custom role available only in that resource group.

Assign a Scope for Custom Azure RBAC Role
Assign a Scope for Custom Azure RBAC Role

Wait for Some Minutes

You will need to complete the creation of a custom role by clicking on the Next, Next, and Create buttons. The JASON file details for this custom role are given in the below section of the post.

NOTE! – It’s very important to understand that you will need to wait at least 5 minutes or so after successfully creating the Custom Azure RBAC role. Wait for some time before you start searching for the newly created custom role. Don’t create it again!

Wait for Some Minutes
Wait for Some Minutes

Assign Custom Azure RBAC Role

Now, it’s time to assign the newly created custom role to a user for testing or to an Azure AD user group. You will need to follow the steps mentioned below to complete the assignment process of the custom role.

You will need to click on +Add and select Add Role Assignment option to assign the custom role to a user or a group.

Assign Custom Azure RBAC Role to a user
Assign Custom Azure RBAC Role to a user

You will need to select the custom role that is created in the above section. You can search with the name that you choose in the above section. Click on the custom role and click on the Next button to continue.

Restart VM Helpdesk Operator Azure RBAC Custom Role for AVD 2
Assign Custom Azure RBAC Role to a user

You will need to select the Helpdesk user or group that you want to assign this role. You can click on the + Select Members hyperlink option to add a user or an Azure AD user Group.

  • Selected Role – HTMD Restart VM Helpdesk Operator
  • Assign Access to – User, Group, or Service Principle
  • Members – Anoop C nair
  • Clcik on Review + Assign button to complete the role assignment.
 Assign Custom Azure RBAC Role to a user  -  Restart VM Helpdesk Role for AVD
Assign Custom Azure RBAC Role to a user – Restart VM Helpdesk Role for AVD

JSON file to Create the Restart VM Helpdesk Role for AVD

You can create the custom Azure RBAC role with the following JSON file. You can try to download it from the Github repository. You will need to select the “Start from JSON” option from baseline permissions for the custom role creation using a JSON file.

{ "properties": { "roleName": "HTMD Restart VM Helpdesk Operator", "description": "HTMD Restart VM Helpdesk Operator", "assignableScopes": [ "/subscriptions/replace-with-d1c9-xxx-xxxx-subscription-ID" ], "permissions": [ { "actions": [ "Microsoft.Compute/virtualMachines/read", "Microsoft.Compute/virtualMachines/restart/action" ], "notActions": [], "dataActions": [], "notDataActions": [] } ] }}
 JSON file to Create the Restart VM Helpdesk Role for AVD
JSON file to Create the Restart VM Helpdesk Role for AVD

Result – Azure RBAC Custom Role to Restart VM

You will need to log in with the helpdesk user assigned to the HTMD Restart VM Helpdesk Operator role. Once logged in to the Azure portal, the restart option will be available for the user. The Stop VM action will also be available, but it won’t work because of permission issues.

The stop VM action won’t work as expected – Failed to Stop Virtual Machine.

Restart VM Helpdesk Operator Azure RBAC Custom Role for AVD 3

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with over 17 years of experience (calculation done in 2018). He is Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…..…

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.