Assign Azure RBAC roles or Microsoft Entra roles to a service principal

2025-08-14

Several Azure Virtual Desktop features require you to assign Azure role-based access control (Azure RBAC) roles or Microsoft Entra roles to a service principal. Features that you need to assign a role to a service principal include:

App Attach (when using Azure Files and your session hosts joined to Microsoft Entra ID).
Autoscale.
Session host update (preview)
Start VM on Connect.

Tip

You can find which role or roles you need to assign to which service principal in the article for each feature. For a list of all the available Azure RBAC roles created specifically for Azure Virtual Desktop, see Built-in Azure RBAC roles for Azure Virtual Desktop. To learn more about Microsoft Entra roles, see Microsoft Entra roles documentation.

When you assign Azure RBAC roles or Microsoft Entra roles to a service principal, you can choose either of the two service principal options:

Managed identity (preview) is available for host pools on Azure. Managed identities for Azure resources allows you to assign permissions to a service principal that only exists in your Entra tenant. You can use a system-assigned managed identity that is directly tied to the host pool, or a user-assigned managed identity that is an independent Azure resource and can be used for operations across multiple host pools. Learn more about managed identity types.
Important

Managed identity support for Azure Virtual Desktop host pools is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. Only the following feature can leverage the preview feature of using a managed identity:
- Session host update (preview)

Azure Virtual Desktop service principal is available for host pools in Azure and Azure local. The Azure Virtual Desktop service principle is the single-tenant identity that is created to represent the multi-tenant service in your tenant.

Depending on when you registered the Microsoft.DesktopVirtualization resource provider, the service principal names begin with either Azure Virtual Desktop or Windows Virtual Desktop. Also, if you previously used both Azure Virtual Desktop classic and Azure Virtual Desktop (Azure Resource Manager), you see apps with the same name. You can make sure you're assigning roles to the correct service principal by checking its application ID. The application ID for each service principal is in the following table:

Service principal	Application ID
Azure Virtual Desktop Windows Virtual Desktop	9cdead84-a844-4324-93f2-b2e6bb768d07
Azure Virtual Desktop Client Windows Virtual Desktop Client	a85cf173-4192-42f8-81fa-777a763e6e2c
Azure Virtual Desktop ARM Provider Windows Virtual Desktop ARM Provider	50e95039-b200-4007-bc97-8d5790743a63

This article shows you how to assign Azure RBAC roles or Microsoft Entra roles to the correct Azure Virtual Desktop service principals by using the Azure portal, Azure CLI, or Azure PowerShell.

Prerequisites

Before you can assign a role to a service principal, you need to meet the following prerequisites:

To assign Azure RBAC roles, you must have the Microsoft.Authorization/roleAssignments/write permission to an Azure subscription in order to assign roles on that subscription. This permission is part of the Owner or User Access Administrator built in roles.
To assign Microsoft Entra roles, you must have the Privileged Role Administrator or equivalent.
If you want to use Azure PowerShell or Azure CLI locally, see Use Azure CLI and Azure PowerShell with Azure Virtual Desktop to make sure you have the Az.DesktopVirtualization PowerShell module or desktopvirtualization Azure CLI extension installed. Alternatively, use the Azure Cloud Shell.

Assign an Azure RBAC role to the Azure Virtual Desktop service principal

To assign an Azure RBAC role to the Azure Virtual Desktop service principal, select the relevant tab for your scenario and follow the steps. In these examples, the scope of the role assignment is an Azure subscription, but you need to use the scope and the role required by each feature.

Here's how to assign an Azure RBAC role to the Azure Virtual Desktop service principal scoped to a subscription using the Azure portal.

Sign in to the Azure portal.
In the search box, enter Microsoft Entra ID and select the matching service entry.
On the Overview page, in the search box for Search your tenant, enter the application ID for the service principal you want to assign from the earlier table.
In the results, select the matching enterprise application for the service principal you want to assign, starting either Azure Virtual Desktop or Windows Virtual Desktop.
Under properties, make a note of the name and the object ID. The object ID correlates to the application ID, and is unique to your tenant.
Go back to the search box, enter Subscriptions and select the matching service entry.
Select the subscription you want to add the role assignment to.
Select Access control (IAM), then select + Add followed by Add role assignment.
Select the role you want to assign to the Azure Virtual Desktop service principal, then select Next.
Ensure Assign access to is set to Microsoft Entra user, group, or service principal, then select Select members.
Enter the name of the enterprise application you made a note of earlier.
Select the matching entry from the results, then select Select. If you have two entries with the same name, select them both for now.
Review the list of members in the table. If you have two entries, remove the entry that doesn't match the object ID you made a note of earlier.
Select Next, then select Review + assign to complete the role assignment.

Here's how to assign an Azure RBAC role to the Azure Virtual Desktop service principal scoped to a subscription using the Az.DesktopVirtualization PowerShell module.

Open Azure Cloud Shell in the Azure portal with the PowerShell terminal type, or run PowerShell on your local device.
- If you're using Cloud Shell, make sure your Azure context is set to the subscription that you want to use.
- If you're using PowerShell locally, first sign in with Azure PowerShell, and then make sure your Azure context is set to the subscription that you want to use.

Find the ID of the subscription you want to add the role assignment to by listing all that are available to you with the following command:
```
Get-AzSubscription
```
Store the subscription ID in a variable by running the following command, replacing the subscription ID in this example with your own:
```
$subId = "<SubscriptionID>"
```

Assign the role to the Azure Virtual Desktop service principal by running the following command, replacing the value for the RoleDefinitionName parameter with the name of the role you need to assign, and the ApplicationId parameter with application ID of the service principal you want to assign from the earlier table. This example assigns the Desktop Virtualization Power On Off Contributor role to the Azure Virtual Desktop service principal on the subscription:

$parameters = @{
    RoleDefinitionName = "Desktop Virtualization Power On Off Contributor"
    ApplicationId = "9cdead84-a844-4324-93f2-b2e6bb768d07"
    Scope = "/subscriptions/$subId"
}

New-AzRoleAssignment @parameters

Your output should be similar to the following example:

RoleAssignmentName : c5221262-d1fa-4d32-9d60-8bd86f618d20
RoleAssignmentId   : /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/c5221262-d1fa-4d32-9d60-8bd86f618d20
Scope              : /subscriptions/00000000-0000-0000-0000-000000000000
DisplayName        : Azure Virtual Desktop
SignInName         : 
RoleDefinitionName : Desktop Virtualization Power On Off Contributor
RoleDefinitionId   : 40c5ff49-9181-41f8-ae61-143b0e78555e
ObjectId           : aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb
ObjectType         : ServicePrincipal
CanDelegate        : False
Description        : 
ConditionVersion   : 
Condition          :

Here's how to assign an Azure RBAC role to the Azure Virtual Desktop service principal scoped to a subscription using the desktopvirtualization extension for Azure CLI.

Open Azure Cloud Shell in the Azure portal with the Bash terminal type, or run the Azure CLI on your local device.
- If you're using Cloud Shell, make sure your Azure context is set to the subscription that you want to use.
- If you're using the Azure CLI locally, first sign in with the Azure CLI, and then make sure your Azure context is set to the subscription that you want to use.

Find the ID of the subscription you want to add the role assignment to by listing all that are available to you with the following command:
```
az account list --output table
```
Store the value for SubscriptionId in a variable by running the following command, replacing the subscription ID in this example with your own:
```
subId=00000000-0000-0000-0000-000000000000
```

Assign the role to the Azure Virtual Desktop service principal by running the following command, replacing the value for the role parameter with the name of the role you need to assign, and the assignee parameter with application ID of the service principal you want to assign from the earlier table. This example assigns the Desktop Virtualization Power On Off Contributor role to the Azure Virtual Desktop service principal on the subscription:

az role assignment create \
    --assignee "9cdead84-a844-4324-93f2-b2e6bb768d07" \
    --role "Desktop Virtualization Power On Off Contributor" \
    --scope "/subscriptions/$subId"

Your output should be similar to the following example:

{
  "condition": null,
  "conditionVersion": null,
  "createdBy": null,
  "createdOn": "2023-06-22T13:50:22.978226+00:00",
  "delegatedManagedIdentityResourceId": null,
  "description": null,
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/a211100e-aa52-4f8d-aac9-ad0833f969d0",
  "name": "a211100e-aa52-4f8d-aac9-ad0833f969d0",
  "principalId": "00000000-0000-0000-0000-000000000000",
  "principalType": "ServicePrincipal",
  "roleDefinitionId": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/40c5ff49-9181-41f8-ae61-143b0e78555e",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
  "type": "Microsoft.Authorization/roleAssignments",
  "updatedBy": "effe20b0-5afb-4e68-a5d7-f8ef9873a070",
  "updatedOn": "2023-06-22T13:50:23.335229+00:00"
}

Assign a Microsoft Entra role to the Azure Virtual Desktop service principal

To assign a Microsoft Entra role to the Azure Virtual Desktop service principal, follow the steps. In these examples, the scope of the role assignment is an Azure subscription, but you need to use the scope and the role required by each feature.

Here's how to assign a Microsoft Entra role to the Azure Virtual Desktop service principal scoped to a tenant using the Azure portal.

Sign in to the Azure portal.
In the search box, enter Microsoft Entra ID and select the matching service entry.
Select Roles and administrators.
Search for and select the name of the role you want to assign. If you want to assign a custom role, see Create a custom role to create it first.
Select Add assignments.
In the search box, enter the application ID for the service principal you want to assign from the earlier table, for example 9cdead84-a844-4324-93f2-b2e6bb768d07.
Check the box next to the matching entry, then select Add to complete the role assignment.

Assign an Azure RBAC role to a managed identity (preview)

To assign an Azure RBAC role to a managed identity, , select the relevant link for your scenario and follow the steps. In these examples, the scope of the role assignment is an Azure subscription, but you need to use the scope and the role required by each feature.

Assign a Microsoft Entra role to a managed identity (preview)

To assign a Microsoft Entra role to a managed identity, follow the steps. In these examples, the scope of the role assignment is an Azure subscription, but you need to use the scope and the role required by each feature.

Here's how to assign a Microsoft Entra role to a managed identity scoped to a tenant using the Azure portal.

Sign in to the Azure portal.
In the search box, enter Microsoft Entra ID and select the matching service entry.
Select Roles and administrators.
Search for and select the name of the role you want to assign. If you want to assign a custom role, see Create a custom role to create it first.
Select Add assignments.
In the search box, enter the name of the Azure resource that has the existing managed identity you want to assign:
- For a system-assigned managed identity, this is the name of the host pool.
- For a user-assigned managed identity, this is the name of the managed identity.
Check the box next to the matching entry, then select Add to complete the role assignment.

Next steps

Learn more about the built-in Azure RBAC roles for Azure Virtual Desktop.