Azure / avdaccelerator

AVD Accelerator deployment automation to simplify the setup of AVD (Azure Virtual Desktop) based on best practices
MIT License

[Question] - Storage managed identity assigned to session hosts #531

Closed stalejohnsen closed 11 months ago

stalejohnsen commented 11 months ago

Let us know the feedback or general question

In the current Bicep modules of the AVD accelerator, the managed identity used for configuring the FSLogix storage account on the management VM is also assigned to the session hosts. Since this managed identity has the Storage Account Contributor RBAC role, that also means that the end users inside the session hosts can potentially authenticate with the managed identity.

The assignment of this MI to the session hosts should be removed, or it should be clarified why it is needed.

Reference where it is assigned to session hosts: https://github.com/Azure/avdaccelerator/blob/main/workload/bicep/deploy-baseline.bicep#L1294
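A small audit of the situation described above, added here as an example and not part of the avdaccelerator project: it flags every VM outside an allow-list that carries a user-assigned identity holding a write-capable storage role. The VM names, identity, principal ids and scopes are constructed, and the input shapes only mirror `az vm identity show` and `az role assignment list --all` output.

```python
# Added example (not avdaccelerator code): find VMs that carry a managed identity
# with write access to storage even though only the management VM should have it.
import json

# Assumption: these are the built-in roles a reviewer treats as write-capable
# for an FSLogix storage account.
STORAGE_WRITE_ROLES = {
    "Owner", "Contributor", "Storage Account Contributor",
    "Storage Blob Data Contributor",
    "Storage File Data SMB Share Elevated Contributor",
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
ID_STORAGE = (SUB + "/resourceGroups/rg-avd/providers/Microsoft.ManagedIdentity"
              "/userAssignedIdentities/id-fslogix-storage")  # constructed

# Constructed inventory: management VM plus session hosts sharing the same identity.
VMS_JSON = json.dumps([
    {"name": "vm-mgmt-01", "userAssignedIdentities": {ID_STORAGE: {"principalId": "p-111"}}},
    {"name": "vm-avd-001", "userAssignedIdentities": {ID_STORAGE: {"principalId": "p-111"}}},
    {"name": "vm-avd-002", "userAssignedIdentities": {ID_STORAGE: {"principalId": "p-111"}}},
    {"name": "vm-avd-003", "userAssignedIdentities": {}},
])

# Constructed role assignments in the shape `az role assignment list --all` reports.
ROLE_ASSIGNMENTS_JSON = json.dumps([
    {"principalId": "p-111", "roleDefinitionName": "Storage Account Contributor",
     "scope": SUB + "/resourceGroups/rg-avd/providers/Microsoft.Storage/storageAccounts/stfslogix"},
    {"principalId": "p-222", "roleDefinitionName": "Reader", "scope": SUB},
])


def audit(vms_json, role_assignments_json, allowed_vms):
    """Return (vm, identity, role, scope) for each VM not in allowed_vms whose attached
    identity holds a storage write role. Any process on such a VM can request tokens
    for the attached identity, so each tuple is a finding to remove or justify."""
    roles_by_principal = {}
    for ra in json.loads(role_assignments_json):
        if ra["roleDefinitionName"] in STORAGE_WRITE_ROLES:
            roles_by_principal.setdefault(ra["principalId"], []).append(
                (ra["roleDefinitionName"], ra["scope"]))
    findings = []
    for vm in json.loads(vms_json):
        if vm["name"] in allowed_vms:
            continue
        for identity_id, props in vm.get("userAssignedIdentities", {}).items():
            for role, scope in roles_by_principal.get(props["principalId"], []):
                findings.append((vm["name"], identity_id.rsplit("/", 1)[-1], role, scope))
    return findings


if __name__ == "__main__":
    for finding in audit(VMS_JSON, ROLE_ASSIGNMENTS_JSON, {"vm-mgmt-01"}):
        print("FINDING: VM %s carries %s with %s on %s" % finding)
```

To run it against a real subscription, feed it the JSON from the two `az` commands named in the lead-in instead of the constructed constants.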

danycontre commented 11 months ago

@stalejohnsen thanks for your feedback; this bug was addressed with PR: https://github.com/Azure/avdaccelerator/pull/532

Please let us know if you have any additional feedback/comments.