This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 59%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3E1%3C/text%3E%3C/svg%3E)
I have two users, user A and user B, both are devtestlab role. why user A had claim the vm, and user B still able to browser connect to it?
If a person claim a VM and forgot to unclaim?
Other users all cannot claim it ? Even if a person claim , others still can login ?
Also is there a way to disable the All resources option for devtestuser role?
Do you have any updates on this situation? it's been several days!!! I thought I made it very clear as you can see from the screenshots?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 35%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Hi @11215 , please check the comments under your first answer. I have replied under the same conversation. Thanks :)
I am checking and will forward if the answer can be accepted. Thanks
Sure @11215 , thanks!
can anyone forward any updates on this question?
Hi @11215 ,
Thanks for posting your query on Microsoft QnA. Firstly, apologies for the delay in response.
As you mentioned, both the users A and B have devtestlab role. Now, if user A has claimed a VM (let's say VM1), then the VM1 is removed from the 'Claimable virtual machines' section for both user A and B, and it is moved to user A's 'My virtual machines' section.
Since user A has claimed VM1, user B will not be able to see VM1 under Claimable virtual machines anymore, and neither will he be able to see it under 'My virtual machines'.
If one user has claimed a particular VM, no other user can claim it, unless the same user unclaims it and the VM is moved back to the Claimable pool of virtual machines. However, any user who has the .rdp file to the VM, and knows the username and password for the local administrator account (for the VM) can connect to the VM via rdp. This has got nothing to do with the VM claim. It's just that some user got hold of the rdp file and is using it to connect to the VM.
Hope this clears your doubt.
You can place your DevTest lab under one dedicated resource group, and then assign devtest user role to the users of your organization who will be accessing the lab environment. I think that will help?
Please feel free to reach back for any questions you might have and I shall be happy to answer them.
Please refer to the below screenshots of my lab for better understanding. I had created 2 users - 'Chris' and 'hibohra' in my own Azure AD and assigned them devtest user role. The DevTest lab consists of only 1 VM named vm-devtestlab, and the user 'Chris' has claimed the VM, so it shows under 'My virtual machines' section for him.
Whereas, the user 'hibohra' did not claim any VM, so neither is he able to view the vm-devtestlab under 'Claimable virtual machines', nor is he able to view the VM under 'My virtual machines'. However, if 'hibohra' has the rdp file to the VM, he will be able to connect to it. Refer below.
--------------------------------------------------------------
Please don't forget to 
and 
if you think the information provided was useful so that it can help others in the community looking for help on similar issues.
Here are the screenshots that what I am experiencing:
1) VM which claim by me.
2) Under claimable VM, it show nothing (which is correct) as all the VMs were claimed.
3) When I navigate to All resources, would be able to see all the VM regardless whether if it was claimed by me or not.
4) I could select any vm and browser connect regardless whether if it was claimed by me or not.
As you can see from screenshot 3 and 4, is the “All Resources” which allow all any users to select the vm regardless whether if it was claimed by them or not.
Is there any RBAC/ roles or permissions which does not allow user to access the “All Resources”?
Hello @11215 , I myself did a repro of this in my environment. So, my understanding is, since the RBAC role for the users is assigned at the resource group level, that is why all the DevTest lab users are able to see all the VMs under All Resources. This is because this role has the Read permission to the VMs created in the lab. Creating a custom role I don't think will help here as roles will still be assigned to users at the resource group level, and assigning roles at individual resource (VM level scope) will not fulfill/satisfy the purpose behind using DevTest labs. I guess at this point, making it clear to the students to only check and claim the VMs from the claimable pool visible to them and working on the VM that they have individually claimed is how Devtest labs operate, and this is by design.
Individual 1:1 access to VM and user can be given, by assigning appropriate RBAC roles at the VM level, but I am not sure how much will that help in your scenario here. Let me know if you have any further questions, or if there is any other way I can help here.
RBAC roles can be assigned to wither a management group, subscription, resource group, or resource. So, in this scenario it is not feasible to assign users roles with which they will not be able to access 'All resources'.
Meaning even if a A claims the VM, B is still able to login to it, then how do I control
@11215 , it is by design. The users accessing the lab need to only login or RDP to the VM they have claimed. They can RDP to other VMs by viewing it from All Resources, but the design of Devtest labs is such. So, in this case if you are looking at providing a dedicated VM to each user where strictly one user should not be able to RDP to another user's claimed VM (and if you suspect that the users might do so), then I'll request you to look at other options of assigning dedicated VMs to each user.
As you can see below, here is the built-in role for DevTest Lab User.
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles?msclkid=f25eef9daac611ec923bc63a6d0efca7#devtest-labs-user
It contains the ability to read all properties under a lab at the scope it is assigned. This is by design. I have checked the same internally with the DevTest Labs product team as well. Please let me know if you have any further queries.
even if a A claims the VM, B is still able to login to it, then how do I control ?
Can I get any updates?
Hi @11215 , thanks for reaching back. I will repro this in my environment and get back to you after some research. Thanks.