In the current Bicep modules of the AVD accelerator, the managed identity used for configuring the FSLogix storage account from the management VM is also assigned to the session hosts. Since this managed identity holds the Storage Account Contributor RBAC role, end users logged on to the session hosts could potentially authenticate as that managed identity.
The assignment of this MI to the session hosts should be removed, or it should be clarified why it is needed.
Reference where it is assigned to session hosts: https://github.com/Azure/avdaccelerator/blob/main/workload/bicep/deploy-baseline.bicep#L1294
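The following audit script is an added example, not code from the AVD accelerator repository. It walks VM identity blocks and role assignments shaped like `az vm show` / `az role assignment list` output and reports every VM, other than the management VM expected to hold it, that carries a user-assigned identity with a privileged role such as Storage Account Contributor. All resource names, IDs and principal IDs below are constructed placeholders.

```python
"""Audit: which VMs carry a user-assigned managed identity that holds a
privileged RBAC role? (Added example; not part of the AVD accelerator.)"""
from __future__ import annotations

# Constructed sample data shaped like `az vm show` identity blocks and
# `az role assignment list` entries. Names, scopes and GUIDs are placeholders.
_MI_ID = ("/subscriptions/<sub>/resourceGroups/rg-avd/providers/"
          "Microsoft.ManagedIdentity/userAssignedIdentities/id-fslogix-storage")
_MI_PRINCIPAL = "11111111-1111-1111-1111-111111111111"

SAMPLE_VMS = [
    # The management VM legitimately needs the identity to configure FSLogix storage.
    {"name": "vm-mgmt-01",
     "identity": {"userAssignedIdentities": {_MI_ID: {"principalId": _MI_PRINCIPAL}}}},
    # A session host that was also given the identity: end users can use it.
    {"name": "vm-avd-sh-01",
     "identity": {"userAssignedIdentities": {_MI_ID: {"principalId": _MI_PRINCIPAL}}}},
    # A session host with only a system-assigned identity and no user-assigned one.
    {"name": "vm-avd-sh-02", "identity": {"type": "SystemAssigned"}},
]
SAMPLE_ROLE_ASSIGNMENTS = [
    {"principalId": _MI_PRINCIPAL,
     "roleDefinitionName": "Storage Account Contributor",
     "scope": "/subscriptions/<sub>/resourceGroups/rg-avd-storage/providers/"
              "Microsoft.Storage/storageAccounts/stfslogix"},
]
PRIVILEGED_ROLES = {"Storage Account Contributor", "Contributor", "Owner"}


def privileged_identity_exposure(vms, role_assignments,
                                 privileged_roles=frozenset(PRIVILEGED_ROLES),
                                 expected_hosts=("vm-mgmt-01",)):
    """Return [(vm name, identity name, sorted roles)] for every VM outside
    `expected_hosts` whose user-assigned identity holds a privileged role."""
    roles_by_principal: dict[str, set[str]] = {}
    for ra in role_assignments:
        if ra["roleDefinitionName"] in privileged_roles:
            roles_by_principal.setdefault(ra["principalId"], set()).add(ra["roleDefinitionName"])
    findings = []
    for vm in vms:
        user_assigned = (vm.get("identity") or {}).get("userAssignedIdentities") or {}
        for resource_id, props in user_assigned.items():
            roles = roles_by_principal.get(props.get("principalId"), set())
            if roles and vm["name"] not in expected_hosts:
                findings.append((vm["name"], resource_id.rsplit("/", 1)[-1], sorted(roles)))
    return findings


if __name__ == "__main__":
    for vm, identity, roles in privileged_identity_exposure(SAMPLE_VMS, SAMPLE_ROLE_ASSIGNMENTS):
        print(f"{vm}: user-assigned identity {identity} holds {', '.join(roles)}")
```

Any session host reported here should have the identity removed from its `identity.userAssignedIdentities` block; the management VM remains the only expected holder.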