| title | Add and configure lab users with role-based access control (RBAC) |
|---|---|
| description | Learn about the Azure DevTest Labs Owner, Contributor, and DevTest Labs User roles, and how to add members to lab roles by using the Azure portal or Azure PowerShell. |
| ms.topic | how-to |
| ms.author | rosemalcolm |
| author | RoseHJM |
| ms.date | 03/26/2025 |
| ms.custom | devx-track-azurepowershell, UpdateFrequency2 |
Azure DevTest Labs has three built-in roles (Owner, Contributor, and DevTest Labs User) that define the access necessary to do specific lab tasks. Lab owners use Azure role-based access control (RBAC) to add lab users with assigned roles. This article lists the tasks each role can do, and describes how Lab Owners can add members to lab roles by using the Azure portal or an Azure PowerShell script.
The following table shows the actions that the DevTest Labs Owner, Contributor, and DevTest Labs User roles can take.
| Action | Owner | Contributor | DevTest Labs User |
|---|---|---|---|
| Lab tasks | | | |
| Create labs. | X | X | |
| Add users to labs. | X | | |
| Configure user settings and roles. | X | | |
| Update lab virtual machine (VM) policies. | X | X | |
| Update cost settings. | X | X | |
| VM base tasks | | | |
| Enable Marketplace images. | X | X | |
| Add, update, and delete VM base formulas. | X | X | X |
| Add and remove custom images. | X | X | |
| Add, update, and delete formulas. | X | X | |
| Individual VM tasks | | | |
| Create VMs. | X | X | X |
| Start, stop, or delete owned VMs. | X | X | X |
| Add or remove VM data disks. | X | X | X |
| Artifact and template tasks | | | |
| Add and remove lab artifact and template repositories. | X | X | |
| Create artifacts and templates. | X | X | X |
| Apply artifacts to owned VMs. | X | X | X |
Note: Lab users automatically have the Owner role on VMs they create.
Azure permissions propagate from parent scope to child scope. Owners of an Azure subscription that contains labs are automatically Owners of the subscription's labs.
Azure subscription Owners and User Access Administrators can add and assign DevTest Labs Owners, Contributors, and DevTest Labs Users to labs in their subscriptions. Azure subscription Contributors can create labs, but they're Owners of those labs only if a subscription Owner or User Access Administrator assigns them the lab Owner role.
Lab users that are granted the Owner role can add and assign Owners, Contributors, and DevTest Labs Users for their own labs. However, added lab owners have a narrower scope of administration than Azure subscription-based owners. Added owners don't have full access to some resources that the DevTest Labs service creates.
- You must be a lab Owner, either by assignment from a subscription owner or by inheritance as a subscription owner.
- The user to add must have a valid Microsoft account. They don't need an Azure subscription.
- This PowerShell script requires the added user to be in Microsoft Entra ID. You can add an external user to Microsoft Entra ID as a guest. For more information, see Add a new guest user. If you can't add the user to Microsoft Entra ID, use the portal procedure instead.
- You need access to Azure PowerShell. You can either:
  - Use Azure Cloud Shell. Be sure to select the PowerShell environment in Cloud Shell.
  - Install Azure PowerShell to use on a physical or virtual machine. If necessary, run `Update-Module -Name Az` to update your installation.
Lab Owners can add members to lab roles by using the Azure portal or an Azure PowerShell script.
The following procedure adds a user to a lab with DevTest Labs User role. If you're an owner of the Azure subscription the lab is in, you can also do this procedure from the subscription's Access control (IAM) page.
- On the lab's home page, select Configuration and policies from the left navigation.
- On the Configuration and policies page, select Access control (IAM) from the left navigation.
- Select Add > Add role assignment or select the Add role assignment button.

  :::image type="content" source="media/devtest-lab-add-devtest-user/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows an access control (IAM) page with the role assignment menu open.":::
- On the Add role assignment page, search for and select the DevTest Labs User role, and then select Next.

  :::image type="content" source="media/devtest-lab-add-devtest-user/add-role-assignment-role-generic.png" alt-text="Screenshot that shows the role assignment page with the DevTest Labs User role selected.":::
- On the Members tab, select Select members.
- On the Select members screen, search for and select the members you want to add, and then select Select.
- Select Review + assign, and after reviewing the details, select Review + assign again to add the members.
The following PowerShell script adds a user to a lab with DevTest Labs User role. To use the script, replace the parameter values under the `# Values to change` comment with your own values. You can get the `subscriptionId`, `labResourceGroup`, and `labName` values from the lab's main page in the Azure portal.
```powershell
# Values to change
$subscriptionId = "<Azure subscription ID>"
$labResourceGroup = "<Lab resource group name>"
$labName = "<Lab name>"
$userDisplayName = "<User display name>"

# Sign into your Azure account.
Connect-AzAccount

# Select the Azure subscription that contains the lab. This step is optional if you have only one subscription.
Select-AzSubscription -SubscriptionId $subscriptionId

# Get the user object.
$adObject = Get-AzADUser -SearchString $userDisplayName

# Create the role assignment.
$labId = ('/subscriptions/' + $subscriptionId + '/resourceGroups/' + $labResourceGroup + '/providers/Microsoft.DevTestLab/labs/' + $labName)
New-AzRoleAssignment -ObjectId $adObject.Id -RoleDefinitionName 'DevTest Labs User' -Scope $labId
```
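
The script above looks the user up with a search string, which can return more than one account. The following added example (not part of the original article) resolves the user by exact sign-in name, skips the assignment if the user already holds the role directly on the lab, and then lists every role assignment that applies to the lab, marking the ones inherited from a parent scope. `$userPrincipalName`, `$roleName`, and the `Source` column are names assumed for this example, and it assumes you're already signed in with `Connect-AzAccount` and have selected the lab's subscription.

```powershell
# Added example, not from the original article.
# Values to change (same placeholders as the script above, plus the sign-in name).
$subscriptionId    = "<Azure subscription ID>"
$labResourceGroup  = "<Lab resource group name>"
$labName           = "<Lab name>"
$userPrincipalName = "<User principal name>"   # assumed variable: exact sign-in name
$roleName          = 'DevTest Labs User'

$labId = "/subscriptions/$subscriptionId/resourceGroups/$labResourceGroup" +
         "/providers/Microsoft.DevTestLab/labs/$labName"

# Resolve the principal by its unique sign-in name and insist on exactly one
# match, so the role can't be granted to an unintended account.
$users = @(Get-AzADUser -UserPrincipalName $userPrincipalName)
if ($users.Count -ne 1) {
    throw "Expected exactly one user for '$userPrincipalName', found $($users.Count)."
}
$user = $users[0]

# Create the assignment only if the user doesn't already hold the role
# directly on the lab (inherited assignments are ignored by the Scope filter).
$existing = Get-AzRoleAssignment -ObjectId $user.Id -Scope $labId -RoleDefinitionName $roleName |
    Where-Object { $_.Scope -eq $labId }
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName $roleName -Scope $labId | Out-Null
}

# Review who has access to the lab. Assignments whose Scope is not the lab
# itself come from a parent scope such as the resource group or subscription.
Get-AzRoleAssignment -Scope $labId |
    Select-Object DisplayName, SignInName, ObjectType, RoleDefinitionName,
        @{ Name = 'Source'; Expression = {
            if ($_.Scope -eq $labId) { 'Lab' } else { "Inherited from $($_.Scope)" }
        } } |
    Sort-Object Source, RoleDefinitionName |
    Format-Table -AutoSize
```

Run the review step after every change to lab membership. Owner or Contributor entries marked as inherited are the subscription-level and resource-group-level principals that keep access to the lab regardless of what is assigned on the lab itself.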