Use policies to audit and manage Azure Lab Services

Important

Azure Lab Services will be retired on June 28, 2027. For more information, see the retirement guide.

When teams create and run labs on Azure Lab Services, they might face varying requirements to the configuration of resources. Administrators might look for options to control cost, provide customization through templates, or restrict user permissions.

As a platform administrator, you can use policies to lay out guardrails for teams to manage their own resources. Azure Policy helps audit and govern resource state. In this article, you learn about available auditing controls and governance practices for Azure Lab Services.

Note

This article references features available in lab plans, which replaced lab accounts.

Policies for Azure Lab Services

Azure Policy is a governance tool that allows you to ensure that Azure resources are compliant with your policies.

Azure Lab Services provides a set of policies that you can use for common scenarios with Azure Lab Services. You can assign these policy definitions to your existing subscription or use them as the basis to create your own custom definitions.

Policies can be set at different scopes, such as at the subscription or resource group level. For more information, see the Azure Policy documentation.

For a full list of built-in policies, including policies for Lab Services, see Azure Policy built-in policy definitions.

Lab Services should enable all options for auto shutdown

This policy enforces that all shutdown options are enabled while creating the lab.

During policy assignment, lab administrators can choose the following effects:

Effect Behavior
Audit Labs will show on the compliance dashboard as non-compliant when all shutdown options aren't enabled for a lab.
Deny Lab creation will fail if all shutdown options aren't enabled.

Lab Services should not allow template virtual machines for labs

You can use this policy to restrict customization of lab templates. When you create a new lab, you can choose to Create a template virtual machine or Use virtual machine image without customization. If this policy is enabled, only Use virtual machine image without customization is allowed.

During policy assignment, lab administrators can choose the following effects:

Effect Behavior
Audit Labs will show on the compliance dashboard as non-compliant when a template virtual machine is used for a lab.
Deny Lab creation will fail if Create a template virtual machine option is used for a lab.

Lab Services requires non-admin user for labs

Use this policy to enforce using non-admin accounts while creating a lab. With lab plans, you can choose to add a non-admin account to the VM image. This new feature allows you to keep separate credentials for VM admin and non-admin users.

During the policy assignment, the lab administrator can choose the following effects:

Effect Behavior
Audit Labs show on the compliance dashboard as non-compliant when non-admin accounts aren't used while creating the lab.
Deny Lab creation will fail if Give lab users a non-admin account on their virtual machines isn't checked while creating a lab.

Lab Services should restrict allowed virtual machine SKU sizes

This policy enforces which SKUs can be used while creating a lab. For example, a lab administrator might want to prevent educators from creating labs with GPU SKUs, since they aren't needed for any classes being taught.

During the policy assignment, the Lab Administrator can choose the following effects:

Effect Behavior
Audit Labs show on the compliance dashboard as non-compliant when a non-allowed SKU is used while creating the lab.
Deny Lab creation will fail if the selected SKU while creating a lab isn't allowed as per the policy assignment.

Assigning built-in policies

To view the built-in policy definitions related to Azure Lab Services, use the following steps:

  1. Go to Azure Policy in the Azure portal.
  2. Select Definitions.
  3. For Type, select Built-in, and for Category, select Lab Services.

From here, you can select policy definitions to view them. While viewing a definition, you can use the Assign link to assign the policy to a specific scope, and configure the parameters for the policy. For more information, see Assign a policy - portal.

You can also assign policies by using Azure PowerShell, Azure CLI, and templates.

Custom policies

In addition to the new built-in policies described above, you can create and apply custom policies. This technique is helpful in situations where none of the built-in policies apply or where you need more granularity.

Learn how to create custom policies:

Next steps