Manage customer account-level features and permissions

Note: This feature is in Public Preview.

Nerdio Manager allows fine-grained control over the availability of portal features for each customer account you manage.

With the granular prerequisite model, you can enable or disable individual portal features. In addition, Nerdio Manager dynamically evaluates whether a given feature is available for the customer, based on prerequisites including billing model, available licenses and subscriptions, and app registration permissions.

If you attempt to access a feature that is unavailable to the customer account you're managing, Nerdio Manager displays an error message detailing the conditions that need to be fulfilled to make the feature available to the customer.

When you enable a given feature, Nerdio Manager requests the corresponding permission set (a combination of several Graph API permissions required for the feature to operate) in the customer's tenant.

Feature prerequisites

When managing an account that uses the granular prerequisite model at the Account level in Nerdio Manager, all features display in the left-hand navigation pane, regardless of whether they are currently enabled for the customer's account. What you see when you select a feature in the navigation pane depends on whether the feature is enabled:

  • For features that are enabled for the account, Nerdio Manager displays the normal configuration screen(s) for the feature.

  • For features that are not enabled, Nerdio Manager instead displays a list of the prerequisite conditions (deployment model, licenses, permissions, account features, and enterprise applications) that need to be met before the customer account can use the feature. Currently satisfied conditions are prefixed by a green check mark, while those that are not met are prefixed by a red exclamation mark.

    This list of outstanding items provides a guide to the remedial actions you need to take in order to enable the feature for the account. You may need to modify settings in Nerdio Manager and/or add items (subscriptions, licenses and applications) to the Azure tenant. Or, if the tenant is missing one or more of the required API permissions, follow Configure feature permission sets to add all the permissions associated with the feature.

Enable the granular prerequisite model

While it is in public preview, the granular prerequisite model is disabled for all accounts by default. To allow granular control over the features available for the customer's account, you first need to enable it.

To enable the granular prerequisite model:

  1. At the Account level, navigate to Settings > Integrations.

  2. Scroll down to the Prerequisite Model tile.

  3. Select the current prerequisite model. This should be Classic if you haven't yet enabled the granular model for this customer.

  4. When prompted, select OK to enable the granular prerequisite model.

Configure feature permission sets

When the granular prerequisite model is enabled, Nerdio Manager allows you to enable or disable a feature for the customer's account, and to add or remove the corresponding permissions to the Nerdio Manager app registration in the customer's Azure tenant.

Note: For a guide to the features currently configurable in Nerdio Manager and their corresponding permission sets, see Permission sets quick reference.

To configure permission sets:

  1. At the Account level, navigate to Settings > Integrations.

  2. Scroll down to the Prerequisite Model tile.

  3. Under the Permission sets heading, select Configure sets.


  4. Select the arrow beside a feature to expand its tile and view the associated permission set. Alongside each permission in the set, you'll see a green check mark icon or red cross icon.

    • The check mark icon indicates a prerequisite permission for the feature that is already met in the tenant. If a feature is currently disabled but some of its prerequisite permissions display green check marks, this is usually because the permission is also required for another feature that is enabled for the tenant.

    • The cross icon indicates a prerequisite permission for the feature that is not met in the tenant. Enabling the feature will request any permissions in the set that are not currently granted.

  5. Toggle the switch next to the feature name to enable or disable the feature.

    • Enabling a feature will add the permissions in its associated set to the Nerdio Manager app registration in the customer's Azure tenant, unless these permissions have already been granted to enable another feature.

    • Disabling a feature will remove the permissions in its associated set from the Nerdio Manager app registration in the customer's Azure tenant, unless these permissions remain in use by another feature.

  6. Select Save to save your changes and make the specified changes to the Nerdio Manager app registration.

  7. Optionally, select Refresh cache to pick up the latest permissions information from Azure and ensure that any changes have taken effect.
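The enable and disable rules in step 5 amount to set arithmetic over permission sets that overlap between features. The following is an added example, not Nerdio Manager code: it models those rules with four of the sets from the quick reference on this page and compares a list of granted permissions against what the enabled features need. The function names and the "unexplained" label are assumptions made for illustration.

```python
# Added example. Permission sets copied from this page's quick reference
# (four of the listed features, to keep the example short).
PERMISSION_SETS = {
    "Entra": {"Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"},
    "Windows 365 Business": {
        "CloudPC.ReadWrite.All",
        "DeviceManagementManagedDevices.PrivilegedOperations.All",
        "DeviceManagementManagedDevices.ReadWrite.All",
        "DeviceManagementConfiguration.ReadWrite.All",
        "DeviceManagementScripts.ReadWrite.All",
    },
    "Windows 365 Enterprise": {"CloudPC.ReadWrite.All"},
    "Intune": {
        "DeviceManagementRBAC.ReadWrite.All",
        "DeviceManagementApps.ReadWrite.All",
        "DeviceManagementConfiguration.ReadWrite.All",
        "DeviceManagementScripts.ReadWrite.All",
        "DeviceManagementManagedDevices.PrivilegedOperations.All",
        "DeviceManagementManagedDevices.ReadWrite.All",
        "DeviceManagementServiceConfig.ReadWrite.All",
        "DeviceLocalCredential.Read.All",
        "Application.Read.All",
    },
}

def required(enabled):
    """Union of the permission sets of every enabled feature."""
    return set().union(*(PERMISSION_SETS[f] for f in enabled))

def plan_toggle(enabled, granted, feature, enable):
    """Return (to_add, to_remove) for switching one feature on or off."""
    enabled, granted = set(enabled), set(granted)
    if enable:  # request only what is not already granted
        return PERMISSION_SETS[feature] - granted, set()
    # Disabling: only this feature's permissions are candidates for removal,
    # and only those that no remaining enabled feature still uses.
    still_needed = required(enabled - {feature})
    return set(), (PERMISSION_SETS[feature] & granted) - still_needed

def audit(enabled, granted):
    """'missing': needed by an enabled feature but not granted.
    'unexplained': granted and listed in a set above, but not needed by any
    enabled feature. Permissions outside these sets are not judged."""
    known, need = required(PERMISSION_SETS), required(enabled)
    granted = set(granted)
    return {"missing": need - granted, "unexplained": (granted & known) - need}
```

Run `audit` on the permission list shown after Refresh cache to confirm that disabling a feature left no permission from its set behind.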

Permission sets quick reference

The following table lists the feature permission sets that are configurable in Nerdio Manager. For more detail on the access granted by each of the permissions listed below, navigate to the Microsoft Graph permissions reference and search for the specific permission string (e.g. CloudPC.ReadWrite.All) on the page.

Per-feature permission sets

Each feature is followed by its permission set.

  • Entra

    • Policy.Read.All
    • Policy.ReadWrite.ConditionalAccess

  • Windows 365 Business

    • CloudPC.ReadWrite.All
    • DeviceManagementManagedDevices.PrivilegedOperations.All
    • DeviceManagementManagedDevices.ReadWrite.All
    • DeviceManagementConfiguration.ReadWrite.All
    • DeviceManagementScripts.ReadWrite.All

  • Windows 365 Enterprise

    • CloudPC.ReadWrite.All

  • Intune

    • DeviceManagementRBAC.ReadWrite.All
    • DeviceManagementApps.ReadWrite.All
    • DeviceManagementConfiguration.ReadWrite.All
    • DeviceManagementScripts.ReadWrite.All
    • DeviceManagementManagedDevices.PrivilegedOperations.All
    • DeviceManagementManagedDevices.ReadWrite.All
    • DeviceManagementServiceConfig.ReadWrite.All
    • DeviceLocalCredential.Read.All
    • Application.Read.All

  • Defender for Endpoint

    • SecurityEvents.Read.All
    • SecurityEvents.ReadWrite.All
    • SecurityIncident.Read.All
    • IdentityRiskEvent.Read.All
    • AuditLog.Read.All
    • Vulnerability.Read.All
    • Machine.Read.All
    • Machine.ReadWrite.All
    • Machine.Scan
    • Alert.Read.All
    • Alert.ReadWrite.All
    • Machine.CollectForensics
    • Machine.Isolate
    • Machine.RestrictExecution
    • Machine.StopAndQuarantine
    • Machine.LiveResponse
    • SecurityRecommendation.Read.All

  • Defender for Office 365

    • Exchange.ManageAsApp

  • Exchange Online

    • MailboxSettings.ReadWrite
    • Exchange.ManageAsApp

  • Sharepoint Online

    • Files.ReadWrite.All
    • SharePointTenantSettings.ReadWrite.All

  • Teams

    • application_access
    • Organization.Read.All
    • User.Read.All
    • AppCatalog.ReadWrite.All
    • TeamSettings.ReadWrite.All
    • Channel.Delete.All
    • ChannelSettings.ReadWrite.All
    • ChannelMember.ReadWrite.All
