Azure Permissions and Nerdio Manager
Nerdio Manager is an Azure application that is deployed from the Azure Marketplace and runs inside your own Azure AD tenant and Azure subscription. It requires certain permissions during installation, configuration, and ongoing use.
Tip: See this document for a deep dive into the Azure permissions and Nerdio Manager.
The Azure AD user performing the installation of Nerdio Manager requires the following permissions:
Global Administrator role in Azure AD.
Owner role in the Azure subscription.
Note: These elevated permissions are only needed for the initial installation and configuration process and are not necessary for ongoing use of Nerdio Manager.Once installed, Nerdio Manager can be used by any authorized Azure AD user without any Azure AD or subscription roles.
In the MSP tenant, the Nerdio Manager app registration has the following role:
Owner role on Azure subscription where Nerdio Manager is installed.
When Nerdio Manager is installed, it has the following API application permissions in Azure:
|Microsoft Graph API Permission||Reason|
Openid, profile, User.Read (delegated)
Allows users from the MSP tenant and guest users to log into Nerdio Manager Azure App Service.
Required for Global Images functionality. Allows the application to create service principals to allow customer accounts to access shared global images stored in the Azure Compute Gallery.
Assign the users to the Nerdio Manager application to enable user sign in.
Required for Users and Roles (RBAC) functionality. Allows the application to create new guest users via Users and Groups page to be invited to Nerdio Manager.
In the customer tenant, the Nerdio Manager app registration has the following roles:
Global Administrator role in the Azure AD.
Owner role on the Azure subscription.
Limited Access Mode Permissions
Nerdio Manager accounts can be provisioned in what's called a Limited Access mode to restrict permissions granted to the Nerdio Manager enterprise app in the customer's Azure tenant. In addition, existing customer accounts that were not created in limited access mode, can be switched to limited access mode. See Overview of Limited Access Mode for additional information.
Enable Limited Access Mode at the MSP Level
Once you enable the limited access setting at the MSP level, we suggest you replace Directory.ReadWrite.All with Directory.Read.All and add User.Invite.All permission. This action keeps all existing functionality. However, you can also remove Application.ReadWrite.All permission, wherein some functionality like enable REST API, enable Azure runbooks, manage user roles, and assign accounts to global images may not work.
For example, if you have previously enabled REST API, and then enabled limited access, and later disabled REST API, you are able to enable REST API again because the necessary app already exists. However, if you enable REST API for the first time after enabling limited access, Nerdio Manager is not able to create a REST API app registration in AD. Also, Nerdio Manager doesn't show warnings on pages when limited access functionality is enabled.
If limited access mode is enabled, Nerdio Manager does not restore permissions while updating Nerdio Manager. However, Nerdio Manager always restores permissions during update, if limited access mode is not enabled.
If limited access mode is disabled, you would need to re-deploy your installation to restore all required permissions automatically, as shown below:
Enable Limited Access Mode at the Account Level
Nerdio Manager creates an app registration for each account during provisioning. Here are a few points to note:
If Limited access is disabled, the app has the "Global Admin" role and the following permissions:
Intune specific: DeviceManagementApps.ReadWrite.All
Cloud PC specific: CloudPC.ReadWrite.All, DeviceManagementManagedDevices.PrivilegedOperations.All, DeviceManagementManagedDevices.ReadWrite.All
For Intune and Cloud PC: DeviceManagementConfiguration.ReadWrite.All
If Limited access is enabled, the app registration does not have the "Global Admin" role and has the following permissions:
AuditLog.Read.All, Directory.Read.All, Group.Read.All
Cloud PC if it's enabled CloudPC.ReadWrite.All, DeviceManagementManagedDevices.PrivilegedOperations.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All
Intune permissions can be assigned on the Settings > Integrations page after the account is created.
Nerdio Manager changes the AD applications during provisioning, so if limited access is enabled, Nerdio Manager assigns at the first step and removes at the second step of provisioning the following permissions: Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All.
If limited access is enabled, Nerdio Manager displays an icon next to the first step's name:
And the same icon next to the account name on Accounts list:
Hover over the Limited Access icon, to view a tooltip that says: "Account is in limited access mode. User and Group management functionality is limited."
In Limited Access mode, Nerdio Manager prompts you to assign necessary permissions manually when you enable Intune or Cloud PC from the Settings > Integrations page:
When you disable Intune features, Nerdio Manager displays a list of permissions that can be removed:
Nerdio Manager displays warnings for all the functionality that is not available in limited access mode:
Nerdio Manager updates are released approximately once per month and are deployed from the Updates menu in the Nerdio Manager portal. The update process is performed by an automated script that runs in Azure Cloud Shell in the context of the currently logged in Azure AD user. The update happens in the MSP Azure AD tenant only and nothing changes in the customer tenants.
The Azure AD user roles required to update the Nerdio Manager are:
Global Administrator role in Azure AD.
Owner role on Azure subscription.
Ongoing Use Permissions
When the Nerdio Manager application is installed and configured, no user permissions in Azure are required to manage the configured AVD environment via Nerdio Manager. Most actions in Nerdio Manager run on Nerdio Manager on behalf of the signed in user.
Note: There are several RBAC roles available. See Users and Roles at the MSP Level for details.
Comments (0 comments)