Prevent DevTest Lab user from creating new Disks
Hello,
Is there a way (other than those suggested by ChatGPT) to prevent/disable the "attach new" disk option in lab virtual machine settings?
Edited: I modified the built-in DevTest Lab User role and added the lines below to the "notActions", but the user can still add a new disk.
"Microsoft.DevTestLab/labs/virtualMachines/AddDataDisk/action"
"Microsoft.DevTestLab/labs/users/disks/Attach/action"
Azure DevTest Labs
-
kobulloc-MSFT 24,406 Reputation points • Microsoft Employee
2024-05-17T15:20:18.7333333+00:00 Hello, @Mas023 !
When you created a custom role, did you add or remove those actions? If those actions were added, the user would still be able to create a new disk:
Microsoft.DevTestLab/labs/virtualMachines/AddDataDisk/action
Attach a new or existing data disk to virtual machine.
Microsoft.DevTestLab/labs/users/disks/Attach/action
Attach and create the lease of the disk to the virtual machine.
-
Mas023 10 Reputation points
2024-05-17T18:45:16.7833333+00:00 Hi @kobulloc-MSFT
I just realized that I made a mistake in my post. I meant to say I added those to the "notActions" of the role definition. Below is the entire role definition (the last two "notActions" entries are the two lines I added):
{
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/availabilitySets/read",
        "Microsoft.Compute/virtualMachines/*/read",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.DevTestLab/*/read",
        "Microsoft.DevTestLab/labs/claimAnyVm/action",
        "Microsoft.DevTestLab/labs/createEnvironment/action",
        "Microsoft.DevTestLab/labs/ensureCurrentUserProfile/action",
        "Microsoft.DevTestLab/labs/formulas/delete",
        "Microsoft.DevTestLab/labs/formulas/read",
        "Microsoft.DevTestLab/labs/formulas/write",
        "Microsoft.DevTestLab/labs/policySets/evaluatePolicies/action",
        "Microsoft.DevTestLab/labs/virtualMachines/claim/action",
        "Microsoft.DevTestLab/labs/virtualmachines/listApplicableSchedules/action",
        "Microsoft.DevTestLab/labs/virtualMachines/getRdpFileContents/action",
        "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
        "Microsoft.Network/networkInterfaces/*/read",
        "Microsoft.Network/networkInterfaces/join/action",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/publicIPAddresses/*/read",
        "Microsoft.Network/publicIPAddresses/join/action",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Web/sites/restart/Action",
        "Microsoft.Web/sites/start/Action",
        "Microsoft.Web/sites/stop/Action",
        "Microsoft.DBforMySQL/servers/stop/action",
        "Microsoft.DBforMySQL/servers/start/action",
        "microsoft.web/sites/config/*",
        "Microsoft.Web/sites/sourcecontrols/*",
        "Microsoft.Web/sites/slots/Write",
        "microsoft.web/sites/slots/deployments/delete",
        "microsoft.web/sites/slots/deployments/read",
        "microsoft.web/sites/slots/deployments/write"
      ],
      "notActions": [
        "Microsoft.Compute/virtualMachines/vmSizes/read",
        "Microsoft.DevTestLab/labs/virtualMachines/AddDataDisk/action",
        "Microsoft.DevTestLab/labs/users/disks/Attach/action"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ]
}
-
kobulloc-MSFT 24,406 Reputation points • Microsoft Employee
2024-05-17T23:39:49.07+00:00 Thank you for the clarification, @Mas023 ! Having that in notActions should prevent those actions. Let me confirm if there are additional actions that need to be included.
-
Mas023 10 Reputation points
2024-05-21T11:03:47.5866667+00:00 I even added disk/write to notActions, but still, the user can create a disk with no problem.
-
kobulloc-MSFT 24,406 Reputation points • Microsoft Employee
2024-05-21T19:28:30.7866667+00:00 Hello, @Mas023 ! That seems like it should work but I'm looking into other permissions that may be needed while I wait to hear back from the DevTest Labs team.
-
kobulloc-MSFT 24,406 Reputation points • Microsoft Employee
2024-05-24T04:33:55.17+00:00 Quick update: I still have not heard back from the DevTest Labs team but will be experimenting more with permissions tomorrow.
-
kobulloc-MSFT 24,406 Reputation points • Microsoft Employee
2024-05-25T05:56:31.31+00:00 The first one you have really seems like it should be it:
Microsoft.DevTestLab/labs/virtualMachines/AddDataDisk/action
Attach a new or existing data disk to virtual machine.
There's also the second one you have:
Microsoft.DevTestLab/labs/users/disks/Attach/action
Attach and create the lease of the disk to the virtual machine.
Nothing else that I see would cover add or attach for a data disk. I'm going to check custom roles to make sure that nothing has been overlooked.
Reference:
Get-AzProviderOperation -OperationSearchString "Microsoft.DevTestLab/*"
-
Mas023 10 Reputation points
2024-05-27T16:24:24.8333333+00:00 When reviewing the Activity Logs, I noticed that the action was initiated by the Lab Services rather than the user. This might be the reason why the user's permissions are bypassed (?).
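The Activity Log check described in the post above, as an added example (not code from the thread or from Microsoft): it pulls the last week of Activity Log entries for the lab's resource group and lists, for each successful disk-related operation, who the recorded caller was. A caller that is a Microsoft service identity rather than the lab user's UPN means the operation was performed by the service on the user's behalf, which is the situation the post describes. It assumes the Az.Monitor module, an authenticated session from Connect-AzAccount, and the placeholder resource group name below.

```powershell
# Added example: who initiated the disk operations recorded in the Activity Log?
# Assumes Az.Monitor and Connect-AzAccount; $resourceGroup is a placeholder.
$resourceGroup = "rg-devtest"   # placeholder: the lab's resource group

# Activity Log entries for the resource group over the last seven days.
$events = Get-AzActivityLog -ResourceGroupName $resourceGroup `
                            -StartTime (Get-Date).AddDays(-7) `
                            -MaxRecord 1000

# Keep only successful operations whose name mentions a disk
# (covers Microsoft.DevTestLab/labs/users/disks/* and Microsoft.Compute/disks/*).
$diskEvents = $events | Where-Object {
    $_.OperationName.Value -match "disk" -and $_.Status.Value -eq "Succeeded"
}

# One row per operation: when, what, who, and the target resource name.
$diskEvents |
    Sort-Object EventTimestamp |
    Select-Object EventTimestamp,
                  @{ Name = "Operation"; Expression = { $_.OperationName.Value } },
                  Caller,
                  @{ Name = "Resource";  Expression = { $_.ResourceId.Split("/")[-1] } } |
    Format-Table -AutoSize

# Summary: how many disk operations each distinct caller initiated. A caller
# that is not a lab user's UPN points at a service-initiated operation.
$diskEvents | Group-Object Caller | Select-Object Count, Name | Format-Table -AutoSize
```

Compare the Caller column against the lab user's UPN: an operation that a role's notActions should have blocked but that was recorded under a service identity was not authorized with the user's role assignment at all, so tightening that role cannot stop it.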
-
kobulloc-MSFT 24,406 Reputation points • Microsoft Employee
2024-05-28T08:29:10.68+00:00 Thank you, @Mas023 ! That would make sense. I'm going to do some experimentation and try to reach out to the DevTest Lab team again to see if I can pinpoint what permission needs to be addressed.
-
kobulloc-MSFT 24,406 Reputation points • Microsoft Employee
2024-05-30T05:09:45.0666667+00:00 Hello, @Mas023 !
The DevTest team just got back to me and are looking into this. I'll follow up when I learn more from them.
On my end, I confirmed that the default DevTest Labs User role is not able to attach new or existing disks for VMs that they do not create but they are able to attach new or existing disks for VMs that they create:
Unable to attach new or existing disks when a DevTest Labs User does not create the VM (screenshot):
Able to attach new or existing disks when a DevTest Labs User creates the VM (screenshot):
Of note, this is the permission that allows DevTest Labs Users to create VMs:
Microsoft.DevTestLab/labs/CreateEnvironment/action
Create virtual machines in a lab.
With that logic, it would be possible to modify the default user role and have the admin create VMs for the lab.
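The workaround described in the post above, as an added example (not code from the thread or from Microsoft): clone the built-in "DevTest Labs User" role, drop Microsoft.DevTestLab/labs/createEnvironment/action so lab users cannot create VMs (and therefore never own a VM they could attach a disk to), keep the two disk actions in NotActions, create the role, assign it at lab scope, and then list what the new role effectively allows for the disk- and creation-related DevTestLab operations returned by Get-AzProviderOperation. It assumes the Az.Resources module, an authenticated session from Connect-AzAccount, and that the subscription ID, resource group, lab name and group object ID below are placeholders to replace.

```powershell
# Added example: a "DevTest Labs User" clone without VM creation.
# Assumes Az.Resources and Connect-AzAccount; all IDs and names are placeholders.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$resourceGroup  = "rg-devtest"                              # placeholder
$labName        = "lab01"                                   # placeholder
$groupObjectId  = "11111111-1111-1111-1111-111111111111"    # placeholder: lab users' Entra ID group

$createVm    = "Microsoft.DevTestLab/labs/createEnvironment/action"
$diskActions = @(
    "Microsoft.DevTestLab/labs/virtualMachines/AddDataDisk/action",
    "Microsoft.DevTestLab/labs/users/disks/Attach/action"
)

# 1. Start from the built-in role so everything else stays identical.
$role             = Get-AzRoleDefinition -Name "DevTest Labs User"
$role.Id          = $null            # a new custom role gets its own GUID
$role.IsCustom    = $true
$role.Name        = "DevTest Labs User (no VM creation)"
$role.Description = "Built-in DevTest Labs User without createEnvironment; disk attach denied."

# 2. Remove VM creation. -eq is case-insensitive, which matters because the
#    action is spelled createEnvironment and CreateEnvironment in different places.
$found = $role.Actions | Where-Object { $_ -eq $createVm }
foreach ($f in @($found)) { $null = $role.Actions.Remove($f) }

# 3. Deny the two disk operations explicitly as well.
foreach ($op in $diskActions) {
    if ($role.NotActions -notcontains $op) { $role.NotActions.Add($op) }
}

# 4. Custom roles cannot use "/" as an assignable scope; scope to the subscription.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")

$created = New-AzRoleDefinition -Role $role

# 5. Assign the new role to the lab users' group at the lab itself.
$labScope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
            "/providers/Microsoft.DevTestLab/labs/$labName"
New-AzRoleAssignment -ObjectId $groupObjectId -RoleDefinitionName $created.Name -Scope $labScope

# 6. Effective-permission check for the operations that matter here. A role
#    allows an operation only when some Actions pattern matches it and no
#    NotActions pattern matches it; -like treats the "*" in action strings as
#    a wildcard and compares case-insensitively, just as RBAC evaluation does.
Get-AzProviderOperation -OperationSearchString "Microsoft.DevTestLab/*" |
    Where-Object { $_.Operation -match "disk|createEnvironment" } |
    ForEach-Object {
        $op      = $_.Operation
        $allowed = [bool]($created.Actions    | Where-Object { $op -like $_ }) -and
                  -not [bool]($created.NotActions | Where-Object { $op -like $_ })
        "{0,-5} {1}" -f ($(if ($allowed) { "ALLOW" } else { "DENY" })), $op
    }
```

Expect the read operations under Microsoft.DevTestLab/*/read to show as ALLOW and createEnvironment, AddDataDisk and disks/Attach as DENY. Role definition and assignment changes can take several minutes to propagate. With createEnvironment gone, lab administrators create the VMs (the claim/action and claimAnyVm/action entries remain, so users can still claim pre-created claimable VMs), and a VM the user did not create is the case the post above confirms the user cannot attach disks to.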