This article illustrates how to use PowerShell to grant users permissions to a particular lab policy. That way, permissions can be applied based on each user's needs. For example, you might want to grant a particular user the ability to change the VM policy settings, but not the cost policies.
As discussed in the Azure role-based access control (Azure RBAC) article, Azure RBAC enables fine-grained access management of resources for Azure. Using Azure RBAC, you can segregate duties within your DevOps team and grant only the amount of access to users that they need to perform their jobs.
In DevTest Labs, a policy is a resource type that enables the Azure RBAC action Microsoft.DevTestLab/labs/policySets/policies/. Each lab policy is a resource in the Policy resource type, and can be assigned as a scope to an Azure role.
For example, in order to grant users read/write permission to the Allowed VM Sizes policy, you would create a custom role that works with the Microsoft.DevTestLab/labs/policySets/policies/ action, and then assign the appropriate users to this custom role in the scope of Microsoft.DevTestLab/labs/policySets/policies/AllowedVmSizesInLab.
To learn more about custom roles in Azure RBAC, see Azure custom roles.
In order to get started, you’ll need to install Azure PowerShell.
Once you've set up the Azure PowerShell cmdlets, you can perform the following tasks:
- List all the operations (actions) for a resource provider.
- List the actions in a particular role.
- Create a custom role.
The following PowerShell script illustrates examples of how to perform these tasks:
```powershell
# List all the operations/actions for a resource provider.
Get-AzProviderOperation -OperationSearchString "Microsoft.DevTestLab/*"

# List actions in a particular role.
(Get-AzRoleDefinition "DevTest Labs User").Actions

# Create a custom role by cloning the built-in "DevTest Labs User" role
# and adding the lab policy actions to it.
$policyRoleDef = (Get-AzRoleDefinition "DevTest Labs User")
$policyRoleDef.Id = $null            # a new definition must not reuse the built-in role's Id
$policyRoleDef.Name = "Policy Contributor"
$policyRoleDef.IsCustom = $true
$policyRoleDef.AssignableScopes.Clear()
$policyRoleDef.AssignableScopes.Add("/subscriptions/<SubscriptionID>")
$policyRoleDef.Actions.Add("Microsoft.DevTestLab/labs/policySets/policies/*")
$policyRoleDef = (New-AzRoleDefinition -Role $policyRoleDef)
```
Once you’ve defined your custom roles, you can assign them to users. In order to assign a custom role to a user, you must first obtain the ObjectId representing that user. To do that, use the Get-AzADUser cmdlet.
In the following example, the ObjectId of the SomeUser user is aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb.
```powershell
PS C:\>Get-AzADUser -SearchString "SomeUser"

DisplayName          Type ObjectId
-----------          ---- --------
someuser@hotmail.com      aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb
```
Once you have the ObjectId for the user and a custom role name, you can assign that role to the user with the New-AzRoleAssignment cmdlet:
```powershell
PS C:\>New-AzRoleAssignment -ObjectId aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb -RoleDefinitionName "Policy Contributor" -Scope /subscriptions/<SubscriptionID>/resourceGroups/<ResourceGroupName>/providers/Microsoft.DevTestLab/labs/<LabName>/policySets/default/policies/AllowedVmSizesInLab
```
In the previous example, the AllowedVmSizesInLab policy is used. You can use any of the following policies:
This example script creates the role DevTest Labs Advanced User, which has permission to start and stop all VMs in the lab:
```powershell
# Clone the built-in role, drop the environment actions, and add VM start/stop.
$policyRoleDef = Get-AzRoleDefinition "DevTest Labs User"
$policyRoleDef.Actions.Remove('Microsoft.DevTestLab/Environments/*')
$policyRoleDef.Id = $null
$policyRoleDef.Name = "DevTest Labs Advanced User"
$policyRoleDef.IsCustom = $true
$policyRoleDef.AssignableScopes.Clear()
$policyRoleDef.AssignableScopes.Add("/subscriptions/<SubscriptionID>")
$policyRoleDef.Actions.Add("Microsoft.DevTestLab/labs/virtualMachines/Start/action")
$policyRoleDef.Actions.Add("Microsoft.DevTestLab/labs/virtualMachines/Stop/action")
$policyRoleDef = New-AzRoleDefinition -Role $policyRoleDef
```
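The following script ties the steps above together (look up the user, assign the custom role at one policy scope, then check who can actually reach that policy). It is an added example, not code from the article or the DevTest Labs product; it assumes the Az.Resources module is loaded, that Connect-AzAccount has been run, and that the `<...>` placeholders and the function names are replaced with your own values.

```powershell
# Added example (not from the original article). Grants a role at one lab-policy
# scope idempotently, then reports every principal that can reach that scope,
# separating direct assignments from ones inherited from the lab, resource group
# or subscription. Assumes Az.Resources is loaded and Connect-AzAccount has run.

function Get-LabPolicyScope {
    param([string]$SubscriptionId, [string]$ResourceGroupName,
          [string]$LabName, [string]$PolicyName)
    # Same scope shape as the article's New-AzRoleAssignment example.
    "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
    "/providers/Microsoft.DevTestLab/labs/$LabName/policySets/default/policies/$PolicyName"
}

function Grant-LabPolicyRole {
    param([string]$Scope, [string]$UserPrincipalName, [string]$RoleName)
    $user = Get-AzADUser -UserPrincipalName $UserPrincipalName
    if (-not $user) { throw "User '$UserPrincipalName' not found" }
    # Current Az.Resources exposes the object id as Id; older builds used ObjectId.
    $objectId = if ($user.PSObject.Properties['Id']) { $user.Id } else { $user.ObjectId }
    # Get-AzRoleAssignment also returns inherited assignments, so filter on exact scope
    # to decide whether a direct assignment already exists (keeps the script re-runnable).
    $existing = Get-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName $RoleName -Scope $Scope |
        Where-Object { $_.Scope -eq $Scope }
    if ($existing) {
        Write-Verbose "Assignment already present at $Scope; nothing to do"
        return $existing
    }
    New-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName $RoleName -Scope $Scope
}

function Get-LabPolicyAccessReport {
    param([string]$Scope)
    # Anything assigned at a parent scope (lab, resource group, subscription) is
    # inherited here, so a user may reach the policy with no assignment on it at all.
    Get-AzRoleAssignment -Scope $Scope | ForEach-Object {
        [pscustomobject]@{
            Principal  = if ($_.SignInName) { $_.SignInName } else { $_.DisplayName }
            Role       = $_.RoleDefinitionName
            Inherited  = ($_.Scope -ne $Scope)
            AssignedAt = $_.Scope
        }
    } | Sort-Object Inherited, Role
}

# Usage with placeholders (replace before running).
$scope = Get-LabPolicyScope -SubscriptionId '<SubscriptionID>' -ResourceGroupName '<ResourceGroupName>' `
    -LabName '<LabName>' -PolicyName 'AllowedVmSizesInLab'
Grant-LabPolicyRole -Scope $scope -UserPrincipalName '<user@contoso.com>' -RoleName 'Policy Contributor'
Get-LabPolicyAccessReport -Scope $scope | Format-Table -AutoSize
```

Rows with Inherited set to True are the ones to review when a policy-scoped assignment is meant to be the only path to that policy: a broader Owner or Contributor assignment higher up grants the same access regardless of the custom role.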
Once you've granted user permissions to specific lab policies, here are some next steps to consider: