0

Cannot pass delegated permission scopes related to Azure Virtual Desktop RBAC-based permissions like Microsoft.DesktopVirtualization/hostpools/*/read, defined here: https://learn.microsoft.com/en-us/azure/virtual-desktop/rbac, as they are not listed in the full list defined here: https://learn.microsoft.com/en-us/graph/permissions-reference#all-permissions-and-ids

Trying to add delegated permission scopes to an AAD App registration by calling https://learn.microsoft.com/en-us/graph/api/application-update?view=graph-rest-1.0&tabs=http. The full list of permission scopes that can be passed, defined here: https://learn.microsoft.com/en-us/graph/permissions-reference#all-permissions-and-ids, does not contain Microsoft.DesktopVirtualization/**

1 Answer

0

From the above documentation you have shared, I was able to conclude that each RBAC role comes with a set of permissions (which could not be assigned individually with built-in roles).

For example, Desktop Virtualization Reader comes with the following permissions:

Microsoft.DesktopVirtualization/*/read,

Microsoft.Resources/subscriptions/resourceGroups/read,

Microsoft.Resources/deployments/read,

Microsoft.Authorization/*/read,

Microsoft.Insights/alertRules/read,

Microsoft.Support/*

The reference GUID in Azure AD Graph API for Desktop Virtualization Reader is 49a72310-ab8d-41df-bbb0-79b649203868 (reference doc: Azure built-in roles).

You could assign the roles via REST API and not via Graph because Graph API only manages Azure AD resources rather than Azure resources.

Example:

GET https://management.azure.com/subscriptions/4455e754-xxxx-xxxx-xxxx-aa0623375982/resourceGroups/B2C/providers/Microsoft.DesktopVirtualization/hostpools/HOSTPOOL1/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01

PUT https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentName}?api-version=2022-04-01


Please do let me know if you have any further queries in the comments section.

Thanks,

Mavric20
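As an added example (not part of the answer above), this Python builds the role-assignment PUT request from the answer for the Desktop Virtualization Reader role, scoped to a single host pool. The subscription, resource group and principal IDs are constructed placeholders, and deriving the assignment name deterministically is this example's own choice.

```python
import json
import re
import uuid

ARM = "https://management.azure.com"
API_VERSION = "2022-04-01"  # api-version used in the answer's requests
# Desktop Virtualization Reader role definition GUID quoted in the answer
AVD_READER = "49a72310-ab8d-41df-bbb0-79b649203868"
_SCOPE_RE = re.compile(r"^/subscriptions/([^/]+)(/.*)?$", re.IGNORECASE)


def build_role_assignment(scope, principal_id, role_guid=AVD_READER):
    """Return (method, url, json_body) for an ARM role-assignment PUT.

    scope is an Azure resource ID; a single host pool keeps the grant
    narrower than a resource-group or subscription assignment.
    """
    m = _SCOPE_RE.match(scope)
    if not m:
        # Graph-style scope strings or RBAC action names are not valid here.
        raise ValueError("scope must be a resource ID starting with /subscriptions/")
    uuid.UUID(principal_id)  # raises ValueError if not a GUID
    uuid.UUID(role_guid)
    subscription = m.group(1)
    scope = scope.rstrip("/")
    # Assumption: derive the name from (scope, principal, role) so repeating
    # the PUT targets the same assignment instead of a new random GUID.
    name = uuid.uuid5(uuid.NAMESPACE_URL, f"{scope}|{principal_id}|{role_guid}".lower())
    url = (f"{ARM}{scope}/providers/Microsoft.Authorization/"
           f"roleAssignments/{name}?api-version={API_VERSION}")
    body = {"properties": {
        "roleDefinitionId": f"/subscriptions/{subscription}/providers/"
                            f"Microsoft.Authorization/roleDefinitions/{role_guid}",
        "principalId": principal_id,
    }}
    return "PUT", url, json.dumps(body)


if __name__ == "__main__":
    # Constructed placeholder IDs, not values from a real tenant.
    hostpool = ("/subscriptions/00000000-0000-0000-0000-000000000000"
                "/resourceGroups/rg-example/providers"
                "/Microsoft.DesktopVirtualization/hostpools/HOSTPOOL1")
    method, url, body = build_role_assignment(
        hostpool, "11111111-1111-1111-1111-111111111111")
    # Send with a bearer token issued for the ARM audience, not for Graph.
    print(method, url)
    print(body)
```
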