Delegated Access system in Windows Virtual Desktop
Delegation matters to any company from a security point of view. As the business grows, it becomes hard to keep track of exactly which users hold admin roles. If an employee is granted an admin role they should not have, every resource within that role's scope is exposed, whether through misuse or through the compromise of that one account.
The size and complexity of your company determine how many admins you need and how granular their permissions should be. Windows Virtual Desktop (WVD), Microsoft's desktop-as-a-service offering, includes a delegated access component. It lets you define and control the level of access a user is given by assigning a role at one of several levels of the WVD deployment.
You can list all role assignments in your WVD deployment with PowerShell, which lets you audit who holds what access and delegate permissions deliberately. For organizations with multi-tiered IT support, this is particularly useful because access to WVD can be managed and controlled at each level rather than with one all-powerful admin account.
The Components and Values of Delegated Access
The delegated access model of Windows Virtual Desktop (WVD) is based on the Azure role-based access control (RBAC) model: you grant access by assigning a role to a security principal at a particular scope, rather than by handing out credentials to the resources themselves. Azure RBAC in general also lets you define custom roles for Azure resources when the built-in ones do not fit your organization's requirements; the WVD delegated access model itself ships with the four built-in RDS roles described below.
A role assignment has three components: a security principal, a role definition, and a scope.
- Security principal – the identity receiving access: a user or a service principal.
- Role definition – one of the built-in RDS roles.
- Scope – the level at which the role applies, from broadest to narrowest: tenant group, tenant, host pool, or app group. A role assigned at a broader scope covers everything beneath it, so assign at the narrowest scope that does the job.
Different roles of Delegated Access
The built-in role definitions that you can assign to your users and service principals are as follows:
- RDS Owner: can manage everything, including access to resources (that is, other role assignments). This is the highest-privilege role; grant it sparingly.
- RDS Contributor: can manage everything except access to resources; it cannot grant or remove role assignments.
- RDS Reader: as the name suggests, can view everything but cannot make changes.
- RDS Operator: can view diagnostic activities only.
Role assignments are created, viewed, and removed with the WVD PowerShell cmdlets (New-RdsRoleAssignment, Get-RdsRoleAssignment, and Remove-RdsRoleAssignment).
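The following script is an added example, not code from the original article or from Microsoft: it shows a tiered assignment (read-only at tenant scope for first-line helpdesk, Contributor on a single host pool for second-line support, Operator for a monitoring service principal), an audit that lists assignments and flags extra RDS Owners, and an offboarding removal. The tenant name, host pool name, user names and application ID are placeholders, and the property names used in the audit (RoleDefinitionName, SignInName, ObjectType, Scope) are assumed from the cmdlet's output. The cmdlets belong to the Microsoft.RDInfra.RDPowerShell module for WVD (classic); the later Azure Resource Manager-based service uses Azure's own built-in roles instead.

```powershell
# Added example (not from the original article): assign, audit and remove
# WVD delegated-access roles with the Microsoft.RDInfra.RDPowerShell module.
# Tenant, host pool, user and application names below are placeholders.

Import-Module Microsoft.RDInfra.RDPowerShell

# Sign in to the WVD (classic) broker; this prompts for credentials.
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"

$TenantName   = "Contoso-WVD"        # assumed tenant name
$HostPoolName = "Finance-HostPool"   # assumed host pool name

# Tier 1 helpdesk: read-only across the whole tenant.
New-RdsRoleAssignment -RoleDefinitionName "RDS Reader" `
    -SignInName "helpdesk@contoso.com" -TenantName $TenantName

# Tier 2 support: can change settings for one host pool only, and cannot
# grant access to anyone else (RDS Contributor cannot manage role assignments).
New-RdsRoleAssignment -RoleDefinitionName "RDS Contributor" `
    -SignInName "tier2@contoso.com" -TenantName $TenantName -HostPoolName $HostPoolName

# Monitoring automation: a service principal that may only read diagnostics.
New-RdsRoleAssignment -RoleDefinitionName "RDS Operator" `
    -ApplicationId "00000000-0000-0000-0000-000000000000" -TenantName $TenantName

# Audit: list the assignments made at tenant scope and flag extra RDS Owners.
# (Assignments inherited from the tenant group are not expected in this list.)
$assignments = Get-RdsRoleAssignment -TenantName $TenantName
$assignments | Format-Table RoleDefinitionName, SignInName, ObjectType, Scope

$owners = @($assignments | Where-Object { $_.RoleDefinitionName -eq "RDS Owner" })
if ($owners.Count -gt 1) {
    Write-Warning "More than one RDS Owner at tenant scope:"
    $owners | ForEach-Object { Write-Warning "  $($_.SignInName)" }
}

# Offboarding: remove the host pool assignment when the engagement ends.
Remove-RdsRoleAssignment -RoleDefinitionName "RDS Contributor" `
    -SignInName "tier2@contoso.com" -TenantName $TenantName -HostPoolName $HostPoolName
```

Run the audit section on its own on a schedule; an RDS Owner assignment that appears at tenant or tenant group scope without a change record is exactly the kind of misplaced admin role the article warns about.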
Planning the Delegation
To decide which delegation model best fits your organizational requirements, plan before you assign anything. Some suggestions:
- Define the roles you actually need, and the scope each one should apply to.
- Determine how application administration will be delegated.
- List the registered applications and grant each only the authorization it requires.
- Determine and delegate application ownership.
- Design a security plan covering how assignments are requested, approved and reviewed.
- Set up and verify emergency (break-glass) accounts.
- Secure the admin accounts themselves, for example with multi-factor authentication.
- Make privilege elevation temporary rather than standing.
Consider Apps4Rent for any of your WVD needs or inquiries. With more than 15 years of experience offering managed cloud solutions to over 10,000 businesses, you can confidently rely on us. Contact us anytime at 1-646-506-9354. We look forward to hearing from you.