I described in general terms what DevTest Labs policies are in the previous blog post, Quick overview of Azure DevTest Labs. Access to DevTest Labs is controlled by Azure Role-Based Access Control (RBAC).
If you are the owner of a specific lab, you can apply security access settings through two lab roles: Owner and DevTest Lab User. The Owner role has full access, including management and monitoring functions. It is important to emphasize the difference between these roles in a lab. A user who is assigned the DevTest Lab User role has no permission to access resources in the subscription outside the lab scope. In the opposite case, a user who is assigned the Owner role automatically gets Owner rights to all resources created in that subscription.
The User role is very limited. A user in this role can only create VMs, delete only their own VMs, and connect only to the VMs they created.
This post is a step-by-step tutorial for configuring DevTest Labs security settings, with a detailed description of what each role can do.
Step 1: Add new User in DevTest Labs
The user can be either an internal user with an Azure Active Directory subscription or an external user who doesn’t have an Azure Active Directory subscription.
1. In your Lab click on Settings.
2. From the list of users, choose Users to add a new user.
3. Click on the Add button.
4. In the Add access blade, click on Select a role.
5. In the Select a role blade, click on DevTest Lab User.
6. When the new blade appears, click on Add users.
7. Type the email address of the user. This can also be an external user, as long as they have a valid Microsoft Account.
8. If this user has a valid Microsoft Account, the system will validate the entry and show it in blue. Click on the blue user and confirm the entry by clicking on the Select button.
Step 2: Add Owner in DevTest Labs
DevTest Labs does not currently support adding the Owner role at the lab level. To add the Owner role, you have to add it in the Subscriptions of the lab. The Owner role has full access to all management and other functionality in the lab.
1. Navigate to Subscriptions of the lab.
2. Choose the right Subscription from the list.
3. Navigate to Settings.
4. Click on Users to add a new user.
5. Click on the Add button.
6. In the Add access blade, click on Select a role.
7. In the Select a role blade, click on Owner.
8. In the Add access blade, click on Add users.
9. Type the e-mail address of the Owner.
10. If this user has a valid Microsoft Account, the system will validate the entry and show it in blue. Click on the blue user and confirm the entry by clicking on the Select button.
You can secure your lab by adding and defining different roles. It is also important to know that the user who created a VM is automatically assigned the Owner role on that VM. This user can then perform all the actions that are offered in the lab. However, the creation of a virtual machine is only allowed from the DevTest Labs account.
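After both steps it is worth checking that each assignment landed at the scope you intended. The following is an added example, not part of the original post: it audits role assignments exported as JSON and flags Owner grants at subscription level or above, and lab-user grants that are wider than a single lab. It assumes the field names `principalName`, `roleDefinitionName` and `scope` as produced by `az role assignment list --all -o json`, and the built-in role name "DevTest Labs User"; the subscription id, lab name and e-mail addresses are constructed placeholders.

```python
import json

# Constructed sample data (placeholders only), shaped like the assumed CLI export.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
LAB = SUB + "/resourceGroups/rg-lab/providers/Microsoft.DevTestLab/labs/demo-lab"
SAMPLE = json.dumps([
    {"principalName": "dev1@example.com", "roleDefinitionName": "DevTest Labs User", "scope": LAB},
    {"principalName": "lead@example.com", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "dev2@example.com", "roleDefinitionName": "DevTest Labs User", "scope": SUB},
    {"principalName": "dev1@example.com", "roleDefinitionName": "Owner",
     "scope": LAB + "/virtualmachines/vm-dev1"},  # creator owns only their own VM
])

def scope_level(scope):
    """Classify an ARM scope string by how much of the subscription it covers."""
    parts = [p.lower() for p in scope.strip("/").split("/") if p]
    if not parts or parts[0] != "subscriptions":
        return "above_subscription"      # root "/" or a management group
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "resource_group"
    if len(parts) == 8 and parts[5] == "microsoft.devtestlab" and parts[6] == "labs":
        return "lab"
    return "resource"                    # anything narrower, e.g. one lab VM

WIDE = ("above_subscription", "subscription", "resource_group")

def audit(assignments_json):
    """Return (principal, finding) pairs for assignments that reach past the lab."""
    findings = []
    for a in json.loads(assignments_json):
        level = scope_level(a["scope"])
        role = a["roleDefinitionName"]
        who = a.get("principalName", "<unknown>")
        if role == "Owner" and level in ("above_subscription", "subscription"):
            # Owner here means Owner rights on every resource in the subscription.
            findings.append((who, "owner-beyond-lab"))
        elif role == "DevTest Labs User" and level in WIDE:
            # Intended to be granted on a single lab, not on a wider scope.
            findings.append((who, "lab-user-not-lab-scoped"))
    return findings

if __name__ == "__main__":
    for who, finding in audit(SAMPLE):
        print(f"{finding}: {who}")
```

An Owner finding is expected for the account added in Step 2; the point of the check is that every such entry is one you added on purpose.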