Minimal set of Azure roles required:
-----------------------------------

Role Name: Disk Encryption Set Operator for Managed Disks
Description: Provides permissions to read, write or delete disk encryption sets which are used for encrypting managed disks with customer managed keys
ID: 136d308c-0937-4a49-9bd7-edfb42adbffc

Role Name: Managed Identity Contributor
Description: Create, Read, Update, and Delete User Assigned Identity
ID: e40ec5ca-96e0-45a2-b4ff-59039f2c2b59

Role Name: Desktop Virtualization Power On Contributor
Description: Provide permission to the Azure Virtual Desktop Resource Provider to start virtual machines.
ID: 489581de-a3bd-480d-9518-53dea7416b33