Azure / avdaccelerator

AVD Accelerator deployment automation to simplify the setup of AVD (Azure Virtual Desktop) based on best practices
MIT License
305 stars 198 forks

[Documentation Issue] - Subscription level access or RG level access for AVD SP #615

Closed apple-sauce closed 1 month ago

apple-sauce commented 2 months ago

Let us know the feedback or general question

From the avd link - https://learn.microsoft.com/en-us/azure/virtual-desktop/autoscale-create-assign-scaling-plan?tabs=portal#assign-the-desktop-virtualization-power-on-off-contributor-role-with-the-azure-portal

More specifically "Assigning this role at any level lower than your subscription, such as the resource group, host pool, or VM, will prevent autoscale from working properly."

After running the accelerator, we noticed that the perms for the Azure Virtual Desktop service principal were assigned at the resource group level and NOT the subscription level, which is what your documentation states.

danycontre commented 1 month ago

@apple-sauce thank you for your feedback. Our general recommendation is to grant access at the subscription level, given that if you do it at the resource group level you will need to make sure the host pools' and VMs' resource groups are included.

The AVD LZA does it at the resource group level because we are granting RBAC access on the required resource groups of the deployment; we don't do it at the subscription level because we don't own the subscription and we don't know what other resources your subscription may contain.

Are you having issues with auto scaling of your session hosts?

Please let us know if additional information is needed.
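A quick way to verify which of the two situations you are in, as an added example that is not part of the avdaccelerator project or of either comment above: the script below takes role assignments in the shape returned by `az role assignment list --assignee <AVD service principal object id> --all -o json` and reports whether the "Desktop Virtualization Power On Off Contributor" role sits at subscription scope (the documented recommendation) or only on some resource groups, and which of the host pool / session host resource groups are still uncovered. The subscription ID, the resource group names and the assignment records are constructed placeholders; the role name and the CLI fields (`scope`, `roleDefinitionName`, `principalName`) are the real ones.

```python
"""Report the scope at which the AVD autoscale role is assigned.

Added example, not avdaccelerator code. Input mimics the JSON produced by
`az role assignment list --assignee <object id> --all -o json`; the records
below are constructed for illustration.
"""
import json
import re

ROLE = "Desktop Virtualization Power On Off Contributor"

# Scope strings are case-insensitive in Azure; match both shapes we care about.
SUB_RE = re.compile(r"^/subscriptions/([^/]+)/?$", re.IGNORECASE)
RG_RE = re.compile(r"^/subscriptions/([^/]+)/resourceGroups/([^/]+)/?$", re.IGNORECASE)


def classify_scope(scope):
    """Return ("subscription", sub_id), ("resourceGroup", (sub_id, rg)) or ("other", scope)."""
    m = SUB_RE.match(scope)
    if m:
        return "subscription", m.group(1).lower()
    m = RG_RE.match(scope)
    if m:
        return "resourceGroup", (m.group(1).lower(), m.group(2).lower())
    return "other", scope


def check_autoscale_rbac(assignments, subscription_id, required_rgs):
    """Decide where ROLE is granted inside subscription_id.

    Returns (level, missing_rgs):
      level is "subscription" (recommended), "resourceGroup" or "none";
      missing_rgs lists required resource groups with no ROLE assignment
      (always empty when level is "subscription").
    """
    sub = subscription_id.lower()
    needed = {rg.lower() for rg in required_rgs}
    covered = set()
    for a in assignments:
        if a.get("roleDefinitionName") != ROLE:
            continue  # e.g. a Reader assignment is irrelevant here
        kind, value = classify_scope(a.get("scope", ""))
        if kind == "subscription" and value == sub:
            return "subscription", []
        if kind == "resourceGroup" and value[0] == sub:
            covered.add(value[1])
    missing = sorted(needed - covered)
    level = "resourceGroup" if covered else "none"
    return level, missing


# Constructed placeholder data: one RG-level grant, plus an unrelated Reader grant.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not real
SAMPLE_ASSIGNMENTS = json.loads("""[
  {"principalName": "Azure Virtual Desktop",
   "roleDefinitionName": "Desktop Virtualization Power On Off Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-avd-pool-001"},
  {"principalName": "Azure Virtual Desktop",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}
]""")
# Resource groups holding the host pool and the session hosts (constructed names).
REQUIRED_RGS = ["rg-avd-pool-001", "rg-avd-hosts-001"]


def main():
    level, missing = check_autoscale_rbac(SAMPLE_ASSIGNMENTS, SUBSCRIPTION_ID, REQUIRED_RGS)
    if level == "subscription":
        print("OK: role assigned at subscription scope (documented recommendation).")
    elif level == "resourceGroup":
        print("WARNING: role assigned only at resource group scope.")
        print("Uncovered resource groups:", ", ".join(missing) or "none")
    else:
        print("ERROR: role not assigned in this subscription at all.")


if __name__ == "__main__":
    main()
```

In the constructed sample the verdict is a warning with `rg-avd-hosts-001` uncovered, which is exactly the case danycontre describes: resource group scope can work, but only if every host pool and session host resource group carries the assignment.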