Add lab owners, contributors, and users in Azure DevTest Labs

Azure DevTest Labs uses Azure role-based access control (Azure RBAC) to define roles that have only the access necessary to do specific lab tasks. DevTest Labs has three built-in roles: Owner, Contributor, and DevTest Labs User. This article describes the tasks each role can do, and how to add members to lab roles by using the Azure portal or an Azure PowerShell script.

Actions each role can take

Lab Owner, Contributor, and DevTest Labs User roles can take the following actions in DevTest Labs:


The lab Owner role can take all of the following actions:

Lab tasks:

  • Add users to the lab.
  • Update cost settings.

Virtual machine (VM) base tasks:

  • Add and remove custom images.
  • Add, update, and delete formulas.
  • Enable Marketplace images.

VM tasks:

  • Create VMs.
  • Start, stop, or delete VMs.
  • Update VM policies.
  • Add or remove VM data disks.

Artifact tasks:

  • Add and remove artifact repositories.
  • Apply artifacts to VMs.


The lab Contributor role can take all the same actions as lab Owner, except can't add users to labs.

DevTest Labs User

The DevTest Labs User role can take the following actions in DevTest Labs:

  • Add, update, and delete VM base formulas.
  • Create VMs.
  • Start, stop, or delete VMs the user creates.
  • Add or remove data disks from VMs the user creates.
  • Apply artifacts to VMs.


Lab users automatically have the Owner role on VMs they create.

Add Owners, Contributors, or DevTest Labs Users

A lab owner can add members to lab roles by using the Azure portal or an Azure PowerShell script. The user to add can be an external user with a valid Microsoft account (MSA).

Azure permissions propagate from parent scope to child scope. Owners of an Azure subscription that contains labs are automatically owners of the subscription's DevTest Labs service, labs, and lab VMs and resources. Subscription owners can add Owners, Contributors, and DevTest Labs Users to labs in the subscription.


Added lab Owners' scope of administration is narrower than the subscription owner's scope. Added Owners don't have full access to some resources that the DevTest Labs service creates.


To add members to a lab, you must:

Add a lab member by using the Azure portal

To add a member:

  • At the subscription level, open the subscription page.
  • At the lab level, open the resource group that has the lab, and select the lab from the list of resources.
  1. In the left navigation for the subscription or lab, select Access control (IAM).

  2. Select Add > Add role assignment.

    Screenshot that shows an access control (IAM) page with the Add role assignment menu open.

  3. On the Add Role Assignment page, select the Owner, Contributor, or DevTest Labs User role, and then select Next.

    Screenshot that shows the Add role assignment page with the Role tab selected.

  4. On the Members tab, select Select members.

  5. On the Select members screen, select the member you want to add, and then select Select.

  6. Select Review + assign, and after reviewing the details, select Review + assign again.

Add a DevTest Labs User to a lab by using Azure PowerShell


We recommend that you use the Azure Az PowerShell module to interact with Azure. See Install Azure PowerShell to get started. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

You can add a DevTest Labs User to a lab by using the following Azure PowerShell script. The script requires the user to be in the Microsoft Entra ID. For information about adding an external user to Microsoft Entra ID as a guest, see Add a new guest user. If the user isn't in Microsoft Entra ID, use the portal procedure instead.

In the following script, update the parameter values under the # Values to change comment. You can get the subscriptionId, labResourceGroup, and labName values from the lab's main page in the Azure portal.

# Add an external user to a lab user role in DevTest Labs.
# Make sure the guest user is added to Azure AD.

# Values to change
$subscriptionId = "<Azure subscription ID>"
$labResourceGroup = "<Lab's resource group name>"
$labName = "<Lab name>"
$userDisplayName = "<User's display name>"

# Log into your Azure account.

# Select the Azure subscription that contains the lab. This step is optional if you have only one subscription.
Select-AzSubscription -SubscriptionId $subscriptionId

# Get the user object.
$adObject = Get-AzADUser -SearchString $userDisplayName

# Create the role assignment. 
$labId = ('subscriptions/' + $subscriptionId + '/resourceGroups/' + $labResourceGroup + '/providers/Microsoft.DevTestLab/labs/' + $labName)
New-AzRoleAssignment -ObjectId $adObject.Id -RoleDefinitionName 'DevTest Labs User' -Scope $labId

Next steps