Add owners and users in Azure DevTest Labs
Access in Azure DevTest Labs is controlled by Azure Role-Based Access Control (RBAC). Using RBAC, you can segregate duties within your team into roles where you grant only the amount of access necessary to users to perform their jobs. Three of these RBAC roles are Owner, DevTest Labs User, and Contributor. In this article, you learn what actions can be performed in each of the three main RBAC roles. From there, you learn how to add users to a lab - both via the portal and via a PowerShell script, and how to add users at the subscription level.
Actions that can be performed in each role
There are three main roles that you can assign a user:
- DevTest Labs User
The following table illustrates the actions that can be performed by users in each of these roles:
|Actions users in this role can perform||DevTest Labs User||Owner||Contributor|
|Add users to a lab||No||Yes||No|
|Update cost settings||No||Yes||Yes|
|VM base tasks|
|Add and remove custom images||No||Yes||Yes|
|Add, update, and delete formulas||Yes||Yes||Yes|
|Whitelist Azure Marketplace images||No||Yes||Yes|
|Start, stop, and delete VMs||Only VMs created by the user||Yes||Yes|
|Update VM policies||No||Yes||Yes|
|Add/remove data disks to/from VMs||Only VMs created by the user||Yes||Yes|
|Add and remove artifact repositories||No||Yes||Yes|
When a user creates a VM, that user is automatically assigned to the Owner role of the created VM.
Add an owner or user at the lab level
Owners and users can be added at the lab level via the Azure portal. A user can be an external user with a valid Microsoft account (MSA). The following steps guide you through the process of adding an owner or user to a lab in Azure DevTest Labs:
- Sign in to the Azure portal.
- Select All services, and then select DevTest Labs from the list.
- From the list of labs, select the desired lab.
- On the lab's blade, select Configuration and policies.
- On the Configuration and policies page, select Access control (IAM) from the menu on the left.
- Select Add role assignment on the toolbar to add a user to a role.
- In the Add permissions window, do the following actions:
- Select a role (for example: DevTest Labs User). The section Actions that can be performed in each role lists the various actions that can be performed by users in the Owner, DevTest User, and Contributor roles.
- Select the user to be added to the role.
- Select Save.
- When you return to the Users blade, the user has been added.
Add an external user to a lab using PowerShell
This article has been updated to use the new Azure PowerShell Az module. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For installation instructions, see Install Azure PowerShell.
In addition to adding users in the Azure portal, you can add an external user to your lab using a PowerShell script.
In the following example, modify the parameter values under the Values to change comment.
You can retrieve the
labName values from the lab blade in the Azure portal.
The sample script assumes that the specified user has been added as a guest to the Active Directory, and will fail if that is not the case. To add a user not in the Active Directory to a lab, use the Azure portal to assign the user to a role as illustrated in the section, Add an owner or user at the lab level.
# Add an external user in DevTest Labs user role to a lab # Ensure that guest users can be added to the Azure Active directory: # https://azure.microsoft.com/documentation/articles/active-directory-create-users/#set-guest-user-access-policies # Values to change $subscriptionId = "<Enter Azure subscription ID here>" $labResourceGroup = "<Enter lab's resource name here>" $labName = "<Enter lab name here>" $userDisplayName = "<Enter user's display name here>" # Log into your Azure account Connect-AzAccount # Select the Azure subscription that contains the lab. # This step is optional if you have only one subscription. Select-AzSubscription -SubscriptionId $subscriptionId # Retrieve the user object $adObject = Get-AzADUser -SearchString $userDisplayName # Create the role assignment. $labId = ('subscriptions/' + $subscriptionId + '/resourceGroups/' + $labResourceGroup + '/providers/Microsoft.DevTestLab/labs/' + $labName) New-AzRoleAssignment -ObjectId $adObject.Id -RoleDefinitionName 'DevTest Labs User' -Scope $labId
Add an owner or user at the subscription level
Azure permissions are propagated from parent scope to child scope in Azure. Therefore, owners of an Azure subscription that contains labs are automatically owners of those labs. They also own the VMs and other resources created by the lab's users, and the Azure DevTest Labs service.
You can add additional owners to a lab via the lab's blade in the Azure portal. However, the added owner's scope of administration is more narrow than the subscription owner's scope. For example, the added owners do not have full access to some of the resources that are created in the subscription by the DevTest Labs service.
To add an owner to an Azure subscription, follow these steps:
Sign in to the Azure portal.
Select All Services, and then select Subscriptions from the list.
Select the desired subscription.
Select Access icon.
On the Users blade, select Add.
On the Select a role blade, select Owner.
On the Add users blade, enter the email address or name of the user you want to add as an owner. If the user can't be found, you get an error message explaining the issue. If the user is found, that user is listed under the User text box.
Select the located user name.
Select OK to close the Add access blade.
When you return to the Users blade, the user has been added as an owner. This user is now an owner of any labs created under this subscription, and thus is able to perform owner tasks.
Get started with Azure DevTest Labs
New to Azure? Create a free Azure account.
Already on Azure? Get started with your first lab in DevTest Labs.
We'd love to hear your thoughts. Choose the type you'd like to provide:
Our feedback system is built on GitHub Issues. Read more on our blog.