
Azure permissions required to install, update, and use Nerdio Manager for MSP 


Applies to: Nerdio Manager for MSP (NMM) 

Version: 0.6.0 and greater


Nerdio Manager for MSP (NMM) is an Azure application that is deployed from the Azure Marketplace and runs inside the MSP's own Azure AD tenant and Azure subscription. It connects to the Azure AD tenants and subscriptions of the MSP's customers. Certain permissions are required in the MSP tenant and customer tenant during installation, updates, and ongoing usage of the software.


Installation 

NMM is installed in the MSP's Azure AD tenant. It is NOT a multi-customer, shared SaaS service hosted by Nerdio. It consists of several PaaS services and an Enterprise Application registration that are created in the MSP's tenant.

The Azure AD user performing the installation of Nerdio Manager requires the following permissions: 

  • Global Administrator role in Azure AD 
  • Owner role on Azure subscription 

These elevated permissions are needed ONLY for the initial installation process and are not necessary for ongoing use of NMM.  Once installed, NMM can be used by any authorized Azure AD user without any Azure AD or subscription roles. 

In the MSP tenant, the NMM app registration will have the following role: 

  • Owner role on Azure subscription where NMM is installed 

The App registration will also have the following permissions: 

| Microsoft Graph API permission | Reason |
| --- | --- |
| openid, profile, User.Read (delegated) | Allows users from MSP tenant and guest users to log into NMM Azure App Service. |
| Application.ReadWrite.All (application) | Required for Global Images functionality. Allows application to create service principals to allow customer accounts to access shared global images stored in Shared Image Gallery. |
| Directory.ReadWrite.All (delegated) | Required for Users and Roles (RBAC) functionality. Allows application to create new guest users via Users and Groups page to be invited to NMM. |
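To confirm that the app registration holds only the Microsoft Graph permissions listed above, the granted set can be compared against that list. The following is an added example, not Nerdio's code: the function names and the sample input are assumptions, and application role names are assumed to be already resolved from their IDs.

```python
"""Added example: compare an app registration's granted Microsoft Graph
permissions against the baseline documented in this article."""

# Baseline taken from the permission list in this article: (name, type).
BASELINE = {
    ("openid", "delegated"),
    ("profile", "delegated"),
    ("user.read", "delegated"),
    ("application.readwrite.all", "application"),
    ("directory.readwrite.all", "delegated"),
}


def granted_set(delegated_scope, application_roles):
    """Normalise granted permissions to lower-case (name, type) pairs.

    delegated_scope: space-separated scope string, as in the `scope` field
    of a Microsoft Graph oauth2PermissionGrant.
    application_roles: app role names already resolved from their IDs.
    """
    granted = {(s.lower(), "delegated") for s in delegated_scope.split()}
    granted |= {(r.lower(), "application") for r in application_roles}
    return granted


def audit(granted):
    """Return missing, unexpected and type-changed permissions."""
    baseline_type = {name: kind for name, kind in BASELINE}
    report = {"missing": sorted(BASELINE - granted),
              "unexpected": [], "type_changed": []}
    for name, kind in sorted(granted - BASELINE):
        if name in baseline_type:
            # Same permission granted under the other type, e.g. a delegated
            # permission now held app-only with no signed-in user involved.
            report["type_changed"].append((name, baseline_type[name], kind))
        else:
            report["unexpected"].append((name, kind))
    return report


# Constructed sample input (not real tenant data).
SAMPLE_SCOPE = "openid profile User.Read Directory.ReadWrite.All"
SAMPLE_ROLES = ["Application.ReadWrite.All", "Directory.ReadWrite.All",
                "RoleManagement.ReadWrite.Directory"]

if __name__ == "__main__":
    for finding, items in audit(granted_set(SAMPLE_SCOPE, SAMPLE_ROLES)).items():
        print(finding, items)
```

A `type_changed` finding deserves the closest look: an application-type grant works without a signed-in user, so it is broader than the delegated grant this article documents.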

 

In the customer tenant, the NMM app registration will have the following roles: 

  • Global Administrator role in Azure AD 
  • Owner role on Azure subscription 

Updates 

Nerdio Manager for MSP updates are released approximately once per month and are deployed from the UPDATES menu in the NMM portal. The update process is performed by an automated script that runs in Azure Cloud Shell in the context of the currently logged-in Azure AD user. The update happens in the MSP Azure AD tenant only and nothing changes in the customer tenants.

The Azure AD user roles required to update the Nerdio Manager are: 

  • Global Administrator role in Azure AD 
  • Owner role on Azure subscription 

Ongoing use

Once the Nerdio Manager for MSP application is installed and configured, no user permissions in Azure are required to manage the configured WVD environment via Nerdio Manager. There are several RBAC user roles available in NMM. All actions in Nerdio Manager run as the application on behalf of the logged-in user.


Additional Articles

How do I update NMM?
