Add lab owners, contributors, and users in Azure DevTest Labs
Azure DevTest Labs uses Azure role-based access control (Azure RBAC) to define roles that have only the access necessary to do specific lab tasks. DevTest Labs has three built-in roles: Owner, Contributor, and DevTest Labs User. This article describes the tasks each role can do, and how to add members to lab roles by using the Azure portal or an Azure PowerShell script.
Actions each role can take
Lab Owner, Contributor, and DevTest Labs User roles can take the following actions in DevTest Labs:
The lab Owner role can take all of the following actions:
- Add users to the lab.
- Update cost settings.
Virtual machine (VM) base tasks:
- Add and remove custom images.
- Add, update, and delete formulas.
- Enable Marketplace images.
- Create VMs.
- Start, stop, or delete VMs.
- Update VM policies.
- Add or remove VM data disks.
- Add and remove artifact repositories.
- Apply artifacts to VMs.
The lab Contributor role can take all the same actions as lab Owner, except can't add users to labs.
DevTest Labs User
The DevTest Labs User role can take the following actions in DevTest Labs:
- Add, update, and delete VM base formulas.
- Create VMs.
- Start, stop, or delete VMs the user creates.
- Add or remove data disks from VMs the user creates.
- Apply artifacts to VMs.
Lab users automatically have the Owner role on VMs they create.
Add Owners, Contributors, or DevTest Labs Users
A lab owner can add members to lab roles by using the Azure portal or an Azure PowerShell script. The user to add can be an external user with a valid Microsoft account (MSA).
Azure permissions propagate from parent scope to child scope. Owners of an Azure subscription that contains labs are automatically owners of the subscription's DevTest Labs service, labs, and lab VMs and resources. Subscription owners can add Owners, Contributors, and DevTest Labs Users to labs in the subscription.
Added lab Owners' scope of administration is narrower than the subscription owner's scope. Added Owners don't have full access to some resources that the DevTest Labs service creates.
To add members to a lab, you must:
- Be an Owner of the lab, either directly or by inheritance as a subscription owner.
- Sign in to the Azure portal as an Owner or User Access Administrator.
Add a lab member by using the Azure portal
To add a member:
- At the subscription level, open the subscription page.
- At the lab level, open the resource group that has the lab, and select the lab from the list of resources.
In the left navigation for the subscription or lab, select Access control (IAM).
Select Add > Add role assignment.
On the Add Role Assignment page, select the Owner, Contributor, or DevTest Labs User role, and then select Next.
On the Members tab, select Select members.
On the Select members screen, select the member you want to add, and then select Select.
Select Review + assign, and after reviewing the details, select Review + assign again.
Add a DevTest Labs User to a lab by using Azure PowerShell
We recommend that you use the Azure Az PowerShell module to interact with Azure. See Install Azure PowerShell to get started. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.
You can add a DevTest Labs User to a lab by using the following Azure PowerShell script. The script requires the user to be in the Microsoft Entra ID. For information about adding an external user to Microsoft Entra ID as a guest, see Add a new guest user. If the user isn't in Microsoft Entra ID, use the portal procedure instead.
In the following script, update the parameter values under the
# Values to change comment. You can get the
labName values from the lab's main page in the Azure portal.
# Add an external user to a lab user role in DevTest Labs. # Make sure the guest user is added to Azure AD. # Values to change $subscriptionId = "<Azure subscription ID>" $labResourceGroup = "<Lab's resource group name>" $labName = "<Lab name>" $userDisplayName = "<User's display name>" # Log into your Azure account. Connect-AzAccount # Select the Azure subscription that contains the lab. This step is optional if you have only one subscription. Select-AzSubscription -SubscriptionId $subscriptionId # Get the user object. $adObject = Get-AzADUser -SearchString $userDisplayName # Create the role assignment. $labId = ('subscriptions/' + $subscriptionId + '/resourceGroups/' + $labResourceGroup + '/providers/Microsoft.DevTestLab/labs/' + $labName) New-AzRoleAssignment -ObjectId $adObject.Id -RoleDefinitionName 'DevTest Labs User' -Scope $labId