Azure Virtual Desktop: Admin2's Responsibilities and RBAC Role

Admin2's Responsibilities in Azure Virtual Desktop

Question

Your company has an on-premises domain named azuit.com.

User identities are synchronized to Azure Active Directory (Azure AD) with Azure AD Connect.

The company has an Azure virtual network in place with no connectivity to the on-premises network.

A portion of the network configuration is below:

  - VNet02, address space 10.0.0.0/16, region West US 2

Users in the environment are:

  - Admin1: Domain Admin, sourced from Windows AD
  - Admin2: Domain Server Operator, sourced from Windows AD
  - Cloud_User: User, sourced from Azure Active Directory (Azure AD)

Requirements:

  - The single domain controller in Azure is used for user authentication.
  - Any modification must adhere to the principle of least privilege.
  - Cost is kept to a minimum.
  - Admin2 is responsible for managing the session hosts, which includes putting session hosts in drain mode and adding and removing session hosts from the host pool.

Proposed solution: Admin2 is assigned the Session Host Operator RBAC role.

Does this solution meet the requirements for Admin2?

Answers

  A. Yes
  B. No

Explanations

Correct Answer: B

The Desktop Virtualization Session Host Operator role allows Admin2 to view and remove session hosts and to change their drain mode (read, write and delete on Microsoft.DesktopVirtualization/hostpools/sessionhosts).

It does not allow Admin2 to add session hosts to the host pool: registering a new session host requires a host pool registration token, and generating that token requires write permission on the host pool object (Microsoft.DesktopVirtualization/hostpools/write), which this role does not include. Because one of Admin2's responsibilities is not covered, the solution does not meet the requirements.

Reference:

To know more about Built-in roles for Azure Virtual Desktop, please visit the below-given link:

Based on the requirements provided, the solution needs to meet the following criteria:

  1. The single domain controller in Azure is used for user authentication.
  2. Any modification adheres to the principle of least privilege.
  3. Cost is kept to a minimum.
  4. Admin2 can manage the session hosts, including adding and removing them from the host pool and putting them in drain mode.

The proposed solution is to assign Admin2 the Desktop Virtualization Session Host Operator RBAC role. Evaluating the environment and the proposed role against these criteria:

  1. The domain controller deployed in Azure Virtual Machines provides authentication for the session hosts. Because VNet02 has no connectivity to the on-premises network, that domain controller cannot replicate with the on-premises domain controllers; the question does not ask you to change this.
  2. Azure AD Connect synchronizes user identities from the on-premises domain to Azure AD, which Azure Virtual Desktop needs so that the synchronized users can sign in.
  3. VNet02 (10.0.0.0/16, West US 2) hosts the Azure Virtual Desktop session hosts. It has no connectivity to the on-premises network, so there is no path from the session hosts to the on-premises domain.
  4. The Desktop Virtualization Session Host Operator role grants read on the host pool and read, write and delete on session host objects. That is enough to put a session host in drain mode and to remove it from the host pool, and it is a narrow, no-cost assignment that is consistent with least privilege. It does not grant Microsoft.DesktopVirtualization/hostpools/write, so Admin2 cannot generate the registration token required to add a session host to the host pool.

Since Admin2 cannot add session hosts with this role, one of Admin2's responsibilities is not covered and the solution does not satisfy the requirements. Therefore, the answer is B. No.
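The following PowerShell script is an added example and is not part of the original question or its explanation. It checks the built-in role definition for the permissions the explanation relies on, assigns the role to Admin2 at host pool scope, and then runs the three operations Admin2 is responsible for. It assumes the Az.Resources and Az.DesktopVirtualization modules, an authenticated session (Connect-AzAccount), and the resource group, host pool, session host and sign-in names shown, which are placeholders.

```powershell
# Added example (not from the original page). Assumed names: resource group,
# host pool, session host and Admin2's UPN are placeholders for the azuit.com scenario.
$rg          = 'rg-avd-westus2'
$hostPool    = 'hp-azuit-pooled'
$sessionHost = 'avd-sh-01.azuit.com'
$admin2      = 'admin2@azuit.com'

# 1. Inspect the built-in role definition rather than trusting the role name.
$role = Get-AzRoleDefinition -Name 'Desktop Virtualization Session Host Operator'
$role.Actions

$canDrainOrRemove = ($role.Actions -contains 'Microsoft.DesktopVirtualization/hostpools/sessionhosts/write') -and
                    ($role.Actions -contains 'Microsoft.DesktopVirtualization/hostpools/sessionhosts/delete')
# hostpools/write is what New-AzWvdRegistrationInfo needs; the role does not include it.
$canAdd = $role.Actions -contains 'Microsoft.DesktopVirtualization/hostpools/write'

"Can drain or remove session hosts: $canDrainOrRemove"
"Can add session hosts (hostpools/write): $canAdd"

# 2. Run as an Owner/User Access Administrator: assign the role to Admin2 scoped to
#    the host pool only, not the subscription or resource group (least privilege).
$hpId = (Get-AzWvdHostPool -ResourceGroupName $rg -Name $hostPool).Id
New-AzRoleAssignment -SignInName $admin2 -RoleDefinitionName $role.Name -Scope $hpId

# 3. Run as Admin2: what the role allows.
#    Put a session host in drain mode (existing sessions stay, no new ones are accepted)...
Update-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $hostPool -Name $sessionHost -AllowNewSession:$false
#    ...and remove it from the host pool. This only unregisters the session host;
#    the VM itself is a Microsoft.Compute resource and is not deleted here.
Remove-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $hostPool -Name $sessionHost

# 4. Run as Admin2: what the role does not allow. A new VM can only join the host pool
#    with a registration token, and issuing one is a write on the host pool object,
#    so this call fails with an authorization error for Admin2.
New-AzWvdRegistrationInfo -ResourceGroupName $rg -HostPoolName $hostPool `
    -ExpirationTime (Get-Date).AddHours(4).ToUniversalTime()
```

The point of step 1 is that the role check is done against the actual Actions list, so the same script can be rerun if Microsoft changes the built-in role; step 4 is the operation the question turns on, and it is the reason the answer is B.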