Retrieve Assigned Users information from Windows Virtual Desktop (WVD) Application Groups

Lately I have been busy learning WVD (Windows Virtual Desktop), and I have not even reached the halfway point of that journey. The team asked me to write a script to pull the assignment information from all the Windows Virtual Desktop application groups, and added that they had used the New-AzRoleAssignment cmdlet to assign the permissions to the users. So I thought it would be easy to pull out the details using Get-AzRoleAssignment. It failed. Without waiting, I used the REST and Graph APIs to pull the information instead. Why? The reason is simple: I used the browser developer tools to see how the portal retrieves the information, and as expected it does so through batch operations against the REST API, and through the Graph API to pull the user information.

What’s wrong with Get-AzRoleAssignment?

Get-AzRoleAssignment: Exception of type ‘Microsoft.Rest.Azure.CloudException’ was thrown. Yes, this is a common issue. In my case the cause was a missing permission on Azure Active Directory. It was also news to me that there is no cmdlet in the Az.DesktopVirtualization module to list the users assigned to application groups. There is no need to spend more time on the Az module, because we won't use it.

REST and Graph API


If you are new to Azure REST and Graph API, please make use of the documentation from Microsoft shared below.

  • Azure REST API
  • Graph API

Solution

  • Generate a bearer token for the Azure REST API headers.
  • Generate a bearer token for the Graph REST API headers.
  • Get the role assignments and filter them by scope.
  • Retrieve the user information.

param (
    $SubscriptionId = "",
    $ResourceGroup = "",
    $ApplicationGroup = ""
)

#region - Azure Management Headers
# Credentials come from the SecretManagement vault; the app registration needs
# Reader (roleAssignments/read) on the application group scope.
$TenantID = Get-Secret -Name "Reporting-TenantID" -AsPlainText
$ClientID = Get-Secret -Name "Reporting-ClientID" -AsPlainText
$ClientSecret = Get-Secret -Name "Reporting-ClientSecret" -AsPlainText
# Client-credentials flow on the v1.0 endpoint; the resource is Azure Resource Manager.
$Result = Invoke-RestMethod -Uri https://login.microsoftonline.com/$TenantID/oauth2/token?api-version=1.0 -Method Post -Body @{"grant_type" = "client_credentials"; "resource" = "https://management.core.windows.net/"; "client_id" = "$ClientID"; "client_secret" = "$ClientSecret" }
$Headers = @{Authorization = "{0} {1}" -f ($Result.token_type , $Result.access_token)}
#endregion

#region - Graph API Token
# Same app registration, but on the v2.0 endpoint with the Graph .default scope,
# so the token carries the application permissions granted to the app.
$GraphAPI = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TenantID/oauth2/v2.0/token" -Method Post -Body @{"grant_type" = "client_credentials"; "scope" = "https://graph.microsoft.com/.default"; "client_id" = "$ClientID"; "client_secret" = "$ClientSecret" }
$GraphHeaders = @{Authorization = "{0} {1}" -f ($GraphAPI.token_type , $GraphAPI.access_token)}
#endregion

#region - List Assigned Users
# List role assignments at the application group scope. The API also returns
# assignments inherited from parent scopes, so keep only those at exactly this scope.
$Uri = "https://management.azure.com/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroup)/providers/Microsoft.DesktopVirtualization/applicationgroups/$($ApplicationGroup)/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01"
$AssignedUsers = (Invoke-RestMethod -Uri $Uri -Headers $Headers).value.properties | Where-Object { $_.scope -eq "/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroup)/providers/Microsoft.DesktopVirtualization/applicationgroups/$($ApplicationGroup)" }
#endregion


#region - Retrieve User Information
# Resolve each principalId to a directory object through Graph getByIds.
# The dot-sourced script block with a process block runs once per assignment.
$AssignedUsers | . {
    process {
        $Body = [pscustomobject]@{
            ids = @($_.principalId)
            types = @("user", "group")
        } | ConvertTo-Json -Compress
        $UserInformation = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/directoryObjects/getByIds" -Headers $GraphHeaders -ContentType "application/json" -Method Post -Body $Body
        [pscustomobject]@{
            DisplayName = $UserInformation.value.displayName
            UserPrincipalName = $UserInformation.value.userPrincipalName
            Mail = $UserInformation.value.mail
        }
    }
}
#endregion
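As an added example (not the post's own code), the function below extends the script above: it resolves all principal IDs with one getByIds request per 1000 IDs instead of one request per assignment, also looks up service principals, flags principals that no longer exist in the directory (orphaned assignments), and resolves each roleDefinitionId to a role name. It assumes the $AssignedUsers, $Headers and $GraphHeaders variables produced by the script above; the function name is hypothetical.

```powershell
# Added example, not from the original post. Assumes $AssignedUsers, $Headers and
# $GraphHeaders exist as produced by the script above.
function Get-AppGroupAssignmentReport {
    param (
        [Parameter(Mandatory)] $Assignments,   # .value.properties objects from the roleAssignments call
        [Parameter(Mandatory)] $AzureHeaders,  # ARM bearer token header ($Headers)
        [Parameter(Mandatory)] $GraphHeaders   # Graph bearer token header ($GraphHeaders)
    )
    $directory = @{}
    $ids = @($Assignments.principalId | Select-Object -Unique)
    # getByIds accepts at most 1000 ids per request, so resolve the principals in chunks.
    for ($i = 0; $i -lt $ids.Count; $i += 1000) {
        $chunk = $ids[$i..([Math]::Min($i + 999, $ids.Count - 1))]
        $body = @{ ids = @($chunk); types = @("user", "group", "servicePrincipal") } | ConvertTo-Json -Compress
        $resp = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/directoryObjects/getByIds" -Headers $GraphHeaders -ContentType "application/json" -Method Post -Body $body
        foreach ($obj in $resp.value) { $directory[$obj.id] = $obj }
    }
    $roleNames = @{}
    foreach ($a in $Assignments) {
        # roleDefinitionId is a full ARM resource id, so it can be fetched directly; cache per role.
        if (-not $roleNames.ContainsKey($a.roleDefinitionId)) {
            $rd = Invoke-RestMethod -Uri "https://management.azure.com$($a.roleDefinitionId)?api-version=2015-07-01" -Headers $AzureHeaders
            $roleNames[$a.roleDefinitionId] = $rd.properties.roleName
        }
        $obj = $directory[$a.principalId]
        # A principal that Graph cannot return was deleted after the assignment was made:
        # the assignment is orphaned and should be cleaned up.
        $type = if ($obj) { $obj.'@odata.type' -replace '^#microsoft\.graph\.', '' } else { 'NotFound' }
        [pscustomobject]@{
            PrincipalId       = $a.principalId
            PrincipalType     = $type
            DisplayName       = $obj.displayName
            UserPrincipalName = $obj.userPrincipalName
            Mail              = $obj.mail
            Role              = $roleNames[$a.roleDefinitionId]
        }
    }
}

Get-AppGroupAssignmentReport -Assignments $AssignedUsers -AzureHeaders $Headers -GraphHeaders $GraphHeaders | Format-Table
```

For getByIds with application permissions the app registration needs the Graph permission Directory.Read.All, and Reader on the scope covers both the roleAssignments and roleDefinitions reads.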

Output

Windows Virtual Desktop Application Groups

About the Author Chendra Venkatesan