Delegation is important for any company from the security point of view. As the business grows, it becomes difficult to keep track of all the specific users with particular admin roles. For example, if an employee user gets an admin role that should not be going to that user, the company becomes vulnerable to security breaches.
The size and complexity of your company will determine how many admins are needed and how granular should be their access permission.
Windows Virtual Desktop the DaaS Windows from Microsoft comes with delegated access component. At the different levels of WVD, this function allows you to define and control the level of access a particular user can be given by assigning a role.
You can view the roles assigned to all the members in the Azure AD portal to help you scrutinize your deployment and delegate permissions. For organizations with multi-tiered IT support system such delegated access could be very useful. Because it allows to manage and control the access to WVD at various levels.
The Components and Values of Delegated Access
The delegated access model of Windows Virtual Desktop (WVD) is based on the Azure Role-based access control (RBAC) model. As the name suggests you can assign the Azure resources to your users, groups and service principals as per the RBAC built-in roles. You can create your own custom roles and assign in case the built-in roles do not meet your organization’s requirement.
These include Security principal, Role definition and Scope.
- Security principal – has users and Service principals
- Role definition – has built-in roles
- Scope- includes Tenant groups, Tenants, Host pools and App groups
Different roles of Delegated Access
The built-in role definitions that you can assign to your users and others are as follows:
- RDS Owner: is allowed to manage everything even access to resources
- RDS Contributor: manages everything but does not have access to resources
- RDS Reader: as the name suggests, can view everything but cannot make changes
- RDS Operator: is allowed to view the diagnostic activities
By running the PowerShell “command-lets” or cmdlets you can create, view or remove the role assignments.
Planning the Delegation
To understand what kind of delegation model will be the best your organizational requirements you must make a prior planning. Here are some suggestions:
- Define the roles that you need
- Determine the application administration delegation
- List and grant authorization to register application
- Determine and delegate application ownership
- Design a security plan
- Confirm the emergency accounts
- Secure the roles of the admins
- Keep privileged elevation a temporary option
Consider taking Apps4Rent for any of your WVD needs or inquiry. With an experience spanning over 15 years of offering Azure managed solutions to more than 10,000 businesses successfully, we can confidently rely on us. Contact us anytime 1-646-506-9354. We look forward to hearing from you.