Nerdio Help Center

Azure permissions required to install, update, and use Nerdio Manager for MSP 

Applies to: Nerdio Manager for MSP (NMM) 

Version: 3.0 and greater

Disclaimer: Nerdio Manager for MSP is an automation and management solution. NMM Partners are responsible for understanding and managing Microsoft Identity Services, M365, and Azure resources. For Identity and Azure support, please contact your Distributor or Microsoft directly.

Relevant KB(s)

Administering cloud PCs

Nerdio Manager for MSP (NMM) is an Azure application that is deployed from the Azure Marketplace and runs inside the MSP's own Azure AD tenant and Azure subscription. It connects to the Azure AD tenants and subscriptions of the MSP's customers. Certain permissions are required in the MSP tenant and the customer tenant during installation, updates, and ongoing usage of the software.

NMM is installed in the MSP's Azure AD tenant. It is NOT a multi-customer, shared SaaS service hosted by Nerdio. It consists of several PaaS services and an Enterprise Application registration that are created in the MSP's tenant.

The Azure AD user performing the installation of Nerdio Manager requires the following permissions: 

  • Global Administrator role in Azure AD 
  • Owner role on Azure subscription 

These elevated permissions are needed ONLY for the initial installation process and are not necessary for ongoing use of NMM.  Once installed, NMM can be used by any authorized Azure AD user without any Azure AD or subscription roles. 

In the MSP tenant, the NMM app registration will have the following role: 

  • Owner role on Azure subscription where NMM is installed 

The App registration will also have the following permissions: 

Microsoft Graph API permissions:

  • openid, profile, User.Read (delegated): Allows users from MSP tenant and guest users to log into NMM Azure App Service.
  • Application.ReadWrite.All (application): Required for Global Images functionality. Allows application to create service principals to allow customer accounts to access shared global images stored in Shared Image Gallery.
  • Directory.ReadWrite.All (delegated): Required for Users and Roles (RBAC) functionality. Allows application to create new guest users via Users and Groups page to be invited to NMM.
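To confirm that the NMM app registration holds only the Graph permissions listed above, the following added example (not Nerdio's code) compares an export of the service principal's grants against that list and reports anything extra or missing. It assumes the export is already filtered to the Microsoft Graph resource; the function names, sample records, and GUIDs are constructed for illustration.

```python
# Added example: compare exported Graph grants with the permissions this article lists.
# Field names follow Microsoft Graph's oauth2PermissionGrant, appRoleAssignment and
# servicePrincipal.appRoles resources; all IDs and sample records are constructed.
DOCUMENTED = {
    "delegated": {"openid", "profile", "User.Read", "Directory.ReadWrite.All"},
    "application": {"Application.ReadWrite.All"},
}

def granted_permissions(oauth2_grants, app_role_assignments, graph_app_roles):
    """Resolve exported grants into permission names, split by permission type."""
    delegated = set()
    for grant in oauth2_grants:
        delegated.update(grant.get("scope", "").split())  # space-separated scopes
    role_names = {r["id"]: r["value"] for r in graph_app_roles}
    # Keep the raw GUID when a role cannot be resolved, so it still gets reported.
    application = {role_names.get(a["appRoleId"], a["appRoleId"])
                   for a in app_role_assignments}
    return {"delegated": delegated, "application": application}

def diff_against_documented(granted):
    """Return extra and missing permissions per type (names compared case-insensitively)."""
    report = {}
    for kind, expected in DOCUMENTED.items():
        exp = {p.lower(): p for p in expected}
        got = {p.lower(): p for p in granted.get(kind, set())}
        report[kind] = {
            "extra": sorted(got[k] for k in got.keys() - exp.keys()),
            "missing": sorted(exp[k] for k in exp.keys() - got.keys()),
        }
    return report

# Constructed sample export: one unexpected delegated scope, and Directory.ReadWrite.All
# granted as an application permission although the article lists it only as delegated.
SAMPLE_GRAPH_ROLES = [
    {"id": "00000000-0000-0000-0000-0000000000a1", "value": "Application.ReadWrite.All"},
    {"id": "00000000-0000-0000-0000-0000000000a2", "value": "Directory.ReadWrite.All"},
]
SAMPLE_OAUTH2_GRANTS = [
    {"consentType": "AllPrincipals", "scope": "openid profile User.Read"},
    {"consentType": "AllPrincipals", "scope": " Directory.ReadWrite.All Mail.Read"},
]
SAMPLE_APP_ROLE_ASSIGNMENTS = [
    {"appRoleId": "00000000-0000-0000-0000-0000000000a1"},
    {"appRoleId": "00000000-0000-0000-0000-0000000000a2"},
]

if __name__ == "__main__":
    g = granted_permissions(SAMPLE_OAUTH2_GRANTS, SAMPLE_APP_ROLE_ASSIGNMENTS, SAMPLE_GRAPH_ROLES)
    for kind, result in diff_against_documented(g).items():
        print(kind, result)
```

The same permission name is tracked separately as delegated and application, because an application grant of Directory.ReadWrite.All acts without a signed-in user and is broader than the delegated grant the article describes.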


In the customer tenant, the NMM app registration will have the following roles: 

  • Global Administrator role in Azure AD 
  • Owner role on Azure subscription 


Nerdio Manager for MSP updates are released approximately once per month and are deployed from the UPDATES menu in the NMM portal. The update process is performed by an automated script that runs in Azure Cloud Shell in the context of the currently logged-in Azure AD user. The update happens in the MSP Azure AD tenant only, and nothing changes in the customer tenants.

The Azure AD user roles required to update the Nerdio Manager are: 

  • Global Administrator role in Azure AD 
  • Owner role on Azure subscription 

On-going use 

Once the Nerdio Manager for MSP application is installed and configured, no user permissions in Azure are required to manage the configured AVD environment via Nerdio Manager. There are several RBAC user roles available in NMM. All actions in Nerdio Manager run as the application on behalf of the logged-in user.

Additional Articles

How do I update NMM?

