Azure Permissions and Nerdio Manager

Azure Permissions and Nerdio Manager

Nerdio Manager is an Azure application that is deployed from the Azure Marketplace and runs inside your own Azure AD tenant and Azure subscription. It requires certain permissions during installation, configuration, and ongoing use.

Tip: See this document for a deep dive into the Azure permissions and Nerdio Manager.

Installation Permissions

The Azure AD user performing the installation of Nerdio Manager requires the following permissions:

  • Global Administrator role in Azure AD.

  • Owner role in the Azure subscription.

Note: These elevated permissions are only needed for the initial installation and configuration process and are not necessary for ongoing use of Nerdio Manager.Once installed, Nerdio Manager can be used by any authorized Azure AD user without any Azure AD or subscription roles.

In the MSP tenant, the Nerdio Manager app registration has the following role:

  • Owner role on Azure subscription where Nerdio Manager is installed.

When Nerdio Manager is installed, it has the following API application permissions in Azure:

Microsoft Graph API Permission Reason

Openid, profile, User.Read (delegated)

Allows users from the MSP tenant and guest users to log into Nerdio Manager Azure App Service.

Application.ReadWrite.All (application)

Required for Global Images functionality. Allows the application to create service principals to allow customer accounts to access shared global images stored in the Shared Image Gallery.

AppRoleAssignment.ReadWrite.All (delegated)

Assign the users to the Nerdio Manager application to enable user sign in.

Directory.ReadWrite.All (delegated)

Required for Users and Roles (RBAC) functionality. Allows the application to create new guest users via Users and Groups page to be invited to Nerdio Manager.

In the customer tenant, the Nerdio Manager app registration has the following roles:

  • Global Administrator role in the Azure AD.

  • Owner role on the Azure subscription.


Nerdio Manager updates are released approximately once per month and are deployed from the Updates menu in the Nerdio Manager portal. The update process is performed by an automated script that runs in Azure Cloud Shell in the context of the currently logged in Azure AD user. The update happens in the MSP Azure AD tenant only and nothing changes in the customer tenants.

The Azure AD user roles required to update the Nerdio Manager are:

  • Global Administrator role in Azure AD.

  • Owner role on Azure subscription.

Ongoing Use Permissions

When the Nerdio Manager application is installed and configured, no user permissions in Azure are required to manage the configured AVD environment via Nerdio Manager. Most actions in Nerdio Manager run on Nerdio Manager on behalf of the signed in user.

Note: There are several RBAC roles available. See Users and Roles at the MSP Level for details.

Was this article helpful?

0 out of 0 found this helpful
Have more questions? Submit a request

Comments (0 comments)

Article is closed for comments.