Prevent DevTest Lab user from creating new Disks

Mas023 40

Hello,

Is there a way, (other than those suggested by ChatGPT), to prevent/disable the "attach new" disk option in lab virtual machine settings?

Edited: I modified the built-in DevTest Lab User role and added the lines below to the "notActions" but still the user can add new disk.

"Microsoft.DevTestLab/labs/virtualMachines/AddDataDisk/action" "Microsoft.DevTestLab/labs/users/disks/Attach/action"

Screenshot 2024-05-17 at 15.13.13

kobulloc-MSFT 26,341 Reputation points Microsoft Employee

2024-05-17T15:20:18.7333333+00:00

Hello, @Mas023 !

When you created a custom role, did you add or remove those actions? If those actions were added, the user would still be able to create a new disk:

https://learn.microsoft.com/en-us/rest/api/dtl/provider-operations/list?view=rest-dtl-2018-09-15&tabs=HTTP

Microsoft.DevTestLab/labs/virtualMachines/AddDataDisk/action

Attach a new or existing data disk to virtual machine.

Microsoft.DevTestLab/labs/users/disks/Attach/action

Attach and create the lease of the disk to the virtual machine.

Mas023 40

Hi @kobulloc-MSFT

I just realized that I made a mistake in my post. I meant to say I added those to the "notActions" of the role definition. Below is the entire role definition:

"permissions": [

{

            "actions": [

                "Microsoft.Authorization/*/read",

                "Microsoft.Compute/availabilitySets/read",

                "Microsoft.Compute/virtualMachines/*/read",

                "Microsoft.Compute/virtualMachines/deallocate/action",

                "Microsoft.Compute/virtualMachines/read",

                "Microsoft.Compute/virtualMachines/restart/action",

                "Microsoft.Compute/virtualMachines/start/action",

                "Microsoft.DevTestLab/*/read",

                "Microsoft.DevTestLab/labs/claimAnyVm/action",

                "Microsoft.DevTestLab/labs/createEnvironment/action",

                "Microsoft.DevTestLab/labs/ensureCurrentUserProfile/action",

                "Microsoft.DevTestLab/labs/formulas/delete",

                "Microsoft.DevTestLab/labs/formulas/read",

                "Microsoft.DevTestLab/labs/formulas/write",

                "Microsoft.DevTestLab/labs/policySets/evaluatePolicies/action",

                "Microsoft.DevTestLab/labs/virtualMachines/claim/action",

                "Microsoft.DevTestLab/labs/virtualmachines/listApplicableSchedules/action",

                "Microsoft.DevTestLab/labs/virtualMachines/getRdpFileContents/action",

                "Microsoft.Network/loadBalancers/backendAddressPools/join/action",

                "Microsoft.Network/loadBalancers/inboundNatRules/join/action",

                "Microsoft.Network/networkInterfaces/*/read",

                "Microsoft.Network/networkInterfaces/join/action",

                "Microsoft.Network/networkInterfaces/read",

                "Microsoft.Network/networkInterfaces/write",

                "Microsoft.Network/publicIPAddresses/*/read",

                "Microsoft.Network/publicIPAddresses/join/action",

                "Microsoft.Network/publicIPAddresses/read",

                "Microsoft.Network/virtualNetworks/subnets/join/action",

                "Microsoft.Resources/deployments/operations/read",

                "Microsoft.Resources/deployments/read",

                "Microsoft.Resources/subscriptions/resourceGroups/read",

                "Microsoft.Storage/storageAccounts/listKeys/action",

                "Microsoft.Web/sites/restart/Action",

                "Microsoft.Web/sites/start/Action",

                "Microsoft.Web/sites/stop/Action",

                "Microsoft.DBforMySQL/servers/stop/action",

                "Microsoft.DBforMySQL/servers/start/action",

                "microsoft.web/sites/config/*",

                "Microsoft.Web/sites/sourcecontrols/*",

                "Microsoft.Web/sites/slots/Write",

                "microsoft.web/sites/slots/deployments/delete",

                "microsoft.web/sites/slots/deployments/read",

                "microsoft.web/sites/slots/deployments/write"

            ],

            "notActions": [

                "Microsoft.Compute/virtualMachines/vmSizes/read",

               */**** *I added these two lines but ***/*

                "Microsoft.DevTestLab/labs/virtualMachines/AddDataDisk/action",

                "Microsoft.DevTestLab/labs/users/disks/Attach/action"

            ],

            "dataActions": [],

            "notDataActions": []

        }

    ]

}

kobulloc-MSFT 26,341 Reputation points Microsoft Employee

2024-05-17T23:39:49.07+00:00

Thank you for the clarification, @Mas023 ! Having that in notActions should prevent those actions. Let me confirm if there are additional actions that need to be included.
Mas023 40 Reputation points

2024-05-21T11:03:47.5866667+00:00

I even added disk/write to noActions but still, the user can create a disk with no problem.
kobulloc-MSFT 26,341 Reputation points Microsoft Employee

2024-05-21T19:28:30.7866667+00:00

Hello, @Mas023 ! That seems like it should work but I'm looking into other permissions that may be needed while I wait to hear back from the DevTest Labs team.
kobulloc-MSFT 26,341 Reputation points Microsoft Employee

2024-05-24T04:33:55.17+00:00

Quick update: I still have not heard back from the DevTest Labs team but will be experimenting more with permissions tomorrow.
kobulloc-MSFT 26,341 Reputation points Microsoft Employee

2024-05-25T05:56:31.31+00:00

The first one you have really seems like it should be it:

Microsoft.DevTestLab/labs/virtualMachines/AddDataDisk/action

Attach a new or existing data disk to virtual machine.

There's also the second one you have:

Microsoft.DevTestLab/labs/users/disks/Attach/action

Attach and create the lease of the disk to the virtual machine.

Nothing else that I see would cover add or attach for a data disk. I'm going to check custom roles to make sure that nothing has been overlooked.

Reference:

Get-AzProviderOperation -OperationSearchString "Microsoft.DevTestLab/*"
Mas023 40 Reputation points

2024-05-27T16:24:24.8333333+00:00

@kobulloc-MSFT

When reviewing the Activity Logs, I noticed that the action was initiated by the Lab Services rather than the user. This might be the reason why the user's permissions are bypassed (?).
kobulloc-MSFT 26,341 Reputation points Microsoft Employee

2024-05-28T08:29:10.68+00:00

Thank you, @Mas023 ! That would make sense. I'm going to do some experimentation and try to reach out to the DevTest Lab team again to see if I can pinpoint what permission needs to be addressed.
kobulloc-MSFT 26,341 Reputation points Microsoft Employee

2024-05-30T05:09:45.0666667+00:00

Hello, @Mas023 !

The DevTest team just got back to me and are looking into this. I'll follow up when I learn more from them.

On my end, I confirmed that the default DevTest Labs User role is not able to attach new or existing disks for VMs that they do not create but they are able to attach new or existing disks for VMs that they create:

Unable to attach new or existing disks when a DevTest Labs User does not create the VM:

Able to attach new or existing disks when a DevTest Labs User creates the VM:

Of note, this is the permission that allows DevTest Labs Users to create VMs:

Microsoft.DevTestLab/labs/CreateEnvironment/action

Create virtual machines in a lab.

With that logic, it would be possible to modify the default user role and have the admin create VMs for the lab.
kobulloc-MSFT 26,341 Reputation points Microsoft Employee

2024-06-04T06:37:52.42+00:00

Hello, @Mas023 !

I'll be able to give this a closer look in the morning but I heard back from the Azure DevTest Labs team. They said that Lab users will automatically be assigned the Owner role on VMs that they create. This will grant permission to attach and add a data disk and is not overridden when assigning NotActions in a custom role. To restrict access, you would need to us Azure Policy. The following is an untested example of a policy definition:

{

"if": {

"allOf": [

{

"field": "type",

"equals": "Microsoft.Compute/virtualMachines"

},

{

"field": "Microsoft.Compute/virtualMachines/storageProfile.dataDisks[*]",

"exists": "true"

}

]

},

"then": {

"effect": "deny"

}

}
kobulloc-MSFT 26,341 Reputation points Microsoft Employee

2024-06-17T18:33:37.5933333+00:00

Hello, @Mas023 !

I hope this has been helpful! Your feedback is important so please take a moment to accept answers.

If you still have questions, please let us know what is needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

Accepted answer

kobulloc-MSFT 26,341 Reputation points Microsoft Employee

2024-06-13T22:25:05.4566667+00:00
Hello, @Mas023 ! Thank you for your patience while we confirmed the functionality of the custom policy.

How do I prevent a DevTest Labs user from add or modifying disks?

Lab users will automatically be assigned the Owner role on VMs that they create. This will grant permission to attach and add a data disk and is not overridden when assigning NotActions in a custom role.

The question then becomes, "Can we prevent Owners from adding or modifying disks?"

This can be done using Azure policy although we should note that this custom policy will affect all owners and not just Azure DevTest Lab users. Using this custom policy will require selective enabling/disabling to accomplish your goals:

"if": { "allOf": [ { "field": "type", "equals": "Microsoft.Compute/virtualMachines" }, { "field": "Microsoft.Compute/virtualMachines/storageProfile.dataDisks[*]", "exists": "true" } ] }, "then": { "effect": "deny" } }

Attempts to attach a disk will result in a failed attempt due to the customer Azure Policy:

Creating the custom policy:

I hope this has been helpful! Your feedback is important so please take a moment to accept answers.

If you still have questions, please let us know what is needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Prevent DevTest Lab user from creating new Disks

0 additional answers

Your answer