Azure Lab Services Blog articles

Azure Lab Services - lab plan outage - April 15, 2025

agopinathan — Tue, 15 Apr 2025 15:40:03 GMT

Hello,

Azure Lab Services is currently experiencing an outage affecting customers using Lab Plans for their service. Customers using Lab Accounts are not affected. This issue impacts all operations across all regions.

The root cause has been identified, and a hotfix is being rolled out. We expect service to be fully restored by the end of the business day (CDT) on April 15, 2025. We will provide updates about the outage in this blog post until the issue is fully resolved.

Azure Lab Services - performance issues in UK South region - January 21, 2025

Stan_Ageev — Tue, 21 Jan 2025 21:02:29 GMT

We are currently experiencing performance issues in the UK South region. That may cause some operations to take longer than usual to complete. This delay can result in certain virtual machines becoming stuck in the starting or stopping state.

Our engineering team is actively working on mitigating the issue and has started rolling out several changes aimed at improving performance. We are also closely monitoring the region and unblocking affected virtual machines as soon as any issues are detected.

For new labs, we recommend selecting a different region (other than UK South) until the issue is fully resolved. We will provide the next status update by January 24, 2025.

We sincerely apologize for any inconvenience this may cause and deeply appreciate your understanding and patience as we work to restore optimal performance. Thank you for choosing our services.

Azure Lab Services - Upcoming maintenance update on February 8, 2025

yixiaoli — Wed, 08 Jan 2025 21:12:51 GMT

Hello all,

On February 8, 2025, we will be updating Lab Account Service between 2:00 PM - 11:00 PM UTC.

This maintenance will only affect the Lab Account Service not Lab Plan Service. Please expect downtime for most common operations like create/ update/ delete labs, start/stop virtual machines etc. The Lab Account service will be available after the update. Thank you for your patience.

Refer to this blog post for the latest update on this maintenance.

- Lab Services team.

Azure Lab Services - Upcoming maintenance update on October 12, 2024

Fawad_Khan — Thu, 12 Sep 2024 17:52:35 GMT

Hello all,

On October 12th, 2024, we will be updating our system between 7:00 AM and 6:00 PM CST. This maintenance will only affect the creation of new Canvas labs or the management of existing Canvas labs through our service. The Canvas labs functionality will be available again after the update.

Refer to this blog post for the latest update on this maintenance:

Cheers,

Fawad

ISSUE RESOLVED: Azure Lab Services - lab plan outage - September 12, 2024

Stan_Ageev — Thu, 12 Sep 2024 19:26:42 GMT

Hello,

The root cause has been identified, and a hotfix is being rolled out. We expect service to be fully restored by the end of the business day (CDT) on September 12, 2024. We will provide updates about the outage in this blog post until the issue is fully resolved.

We apologize for any inconvenience and disruption this may cause.

Hardware support change with GPU labs that use lab accounts

nicolehaugen — Fri, 05 Apr 2024 20:00:11 GMT

Azure Datacenters regularly refresh hardware to ensure the highest quality offerings are available. An upcoming hardware change will impact specific lab account-based GPU SKUs. This is due to the Azure virtual machine families (NV and NC) that back these specific virtual machines sizes being deprecated.

If you have labs using a lab account created before February 22, 2024 with one of these virtual machine sizes:

Small GPU (Compute)
Small GPU (Visualization)
Medium GPU (Visualization)

Please finish using your current lab setup by July 15, 2024, to avoid any issues. If you need to use labs with these specific virtual machine sizes after that date, then you'll have to set up a new lab which will have the latest hardware.

If you choose to continue labs with older hardware, you may receive an allocation error similar to:

"Unable to start due to Allocation failed. We do not have sufficient capacity for the requested VM size in this region."

Lab Account GPU SKU Q&A

Which specific GPU SKUs are impacted?
- Lab account-based labs created before February 22, 2024 using:
  - Small GPU (Visualization)
  - Medium GPU (Visualization)
  - Small GPU (Compute))
How long will I have to transition?
- Until July 15, 2024
Which is recommended?
- For Lab Accounts, create a new lab before July 15, 2024. You do not need to move to using Lab Plans.
Are there any cost differences?
- No, costs will remain the same.
Is performance different?
- Yes, performance should be better for all SKUs involved.
Are labs with lab plan impacted?
- No, they are not.

Daylight savings time adjustments and Lab Schedules

adamasmar — Tue, 19 Dec 2023 19:19:57 GMT

We became aware of an issue where some customers reported that their schedules were not starting on time. We noticed that this appeared to be happening after daylight savings time (DST) came to end on November 5th in the United States and Canada. After investigating, we determined that a schedule created during DST (in a time zone that honors DST) would start an hour later than desired after DST had ended.

Update (12/19/2023) - The fix has been rolled out across the service. Please proceed in reading this article and following the same troubleshooting steps should you be encountering any issues.

A long-term fix to the issue has completed its roll out. To determine if you were affected by this issue and if you may have any actions to complete to adjust your schedules, please see the guidelines below:

Were you not affected by schedules starting incorrectly?
- No action required
You were affected and worked around the issue by adjusting the date on the schedule or deleting or recreating your schedule?
- No action required
You were affected and currently have no work-around?
- We suggest modifying the date of the schedule to be a time after DST ended in your time zone. For example, a schedule with a date of June 15th, 2023 could be modified to some date after November 5th, 2023:
  
  If you choose to take no action, your schedule should be fixed automatically in the next week or two.
You were affected and adjusted your schedule by an hour to compensate for the hour difference in the start and stop?
- We are currently deploying a fix to existing schedules that we would expect to break this workaround since our fix will honor schedules regardless of the date they have configured. As such, you have a few options:
  1. Delete and recreate your schedule
  2. Adjust the start and stop times of your schedule their actual desired times and adjust the start date to be a date that is after DST ended in your time zone (the same solution as in scenario #3 above)
  3. Wait for our changes to deploy to your region and then readjust your schedule's start and stop times.

If you need additional assistance in fixing any issues you may have with schedules, please open an Azure Support Ticket.

Troubleshooting Guide for Virtual Machine Connectivity (RDP/SSH)

PeterHauge — Thu, 05 Sep 2024 14:28:02 GMT

Azure Lab Services requires RDP & SSH access to connect to the lab template and student virtual machines (this applies whether using advanced networking or not). There are a common set of issues and pitfalls that affect the connectivity for students & teachers to their lab resources. Fundamentally, the service needs an unobstructed network path from the individual's machine (Chromebook, iPad, PC, Mac, etc.) to their virtual machine in Azure to complete the connection. This can be impacted/affected by many things. The troubleshooting steps below include areas to check throughout the path of connectivity.

Other Troubleshooting Guides

There is an Azure Troubleshooting guide that has some good data on Cannot connect with RDP to a Windows VM in Azure - Virtual Machines. However, Azure Lab Services is a managed offering where some of the backing resources for a Lab are not directly accessible. This affects the ability to complete each of the steps within this guide.

All Labs Troubleshooting Items

There are troubleshooting items that apply to all labs - whether the lab is using advanced networking or standard networking, but there are other pitfalls listed for advanced networking section at the end.

Connection is too slow

A slow RDP connection is one of the more difficult problems to debug and fix. The first action should be to quantify the RDP connection speed. In the post How to ensure the best RDP experience for lab users, the utility PsPing is used to measure the response time to the machine. This post includes information about different methods to improve RDP performance. If the connection experience seems slow, the first step may be to adjust the settings in the client experience to reduce the volume of data being transmitted. The next step is to determine the scope of the problem, which answering the following questions should help:

Is it a specific machine?
Is it a specific lab?
Is there a VPN being used?
Is it slow on a specific network?
Is there a firewall on the network?
Is it slow with a specific ISP?

I’ll walk through each of these questions and suggestions for ways to improve the experience.

A specific machine is slow: We usually don’t see this type of slowdown on a consistent basis, commonly it’s related to lab, network, or ISP for the student. In Azure Lab Services, Teachers and Students can use the redeploy capability to change the backing infrastructure (VM, network, etc.) which could improve the experience.

Specific lab is slow: If all the machines in a lab are running slow there are a few ways to troubleshoot the connection:

Check the region that the lab is created in with respect to where your students are, the further away the greater the chances of slow connection speed. This is testable by creating another lab in a closer region and checking if connections to virtual machines in the new lab are faster than the current lab.
Check the lab machine size for the software used in the class. If all the machines are “slow” it may be the machine is undersized for the software/class type and the slowdown may not be the connection speed. This can be tested by creating a lab with more CPU or RAM than the current lab and verifying performance.

VPN is being used: A good troubleshooting step is to turn off the VPN to see if that improves the connection speed. If it is the VPN and it is required, then review the VPN settings and configuration to possibly allow RDP or SSH connections to be “passed through”, connections aren’t routed to distant regions or routed incorrectly.

On a specific network/firewall: Any network from an enterprise level network to a student's home router/Wi-Fi combination can impact the connectivity to Azure Lab Services. For example, we’ve seen where some students’ home routers have built-in firewalls that block or limit the RDP/SSH connections. Check if there is a firewall enabled on the network and if it is configured to limit the RDP/SSH connections. There are specific details below.

On a specific internet service provider: Ok, this is a difficult one to test as most people don’t have two ISPs to connect to. If the slowdown is on a specific network and you’ve exhausted all the other options, you may want to contact your ISP to see if they have any limiters on RDP/SSH connections.

Virtual Machine not running

Commonly when the students get the message, “Remote Desktop can’t connect to the remote computer … Make sure the remote computer is turned on and connected to the network, and that remote access is enabled”, the virtual machine that the students are trying to connect to hasn’t completely started yet.

There are a few different techniques and adjustments that may improve this type of problem. The first step is to open the Lab portal (https://labs.azure.com ) and check that the virtual machine shows as running.

Not running:

Starting

(The virtual machine cannot be connected to yet)

Running:

Teacher’s view of all VMs (stopped, starting & running)

The student can start the virtual machine from their lab portal (https:/labs.azure.com). It may take between 2 to 5 minutes to get the machine fully running.

Adjusting the lab automatic shutdown settings may improve the student connection experience. As turning on and off the virtual machine takes time, adjusting the settings may decrease the chances of the student trying to connect while the machine is changing state. While the automatic shutdown settings are part of a cost savings strategy, they may need to be adjusted to improve the student experience.

Shut down idle virtual machines: If the duration is too short, there may not be enough time from when the student starts the machine and then connects, or if the student is not active (in-classroom learning for example), the virtual machine may be shutdown.
Shut down virtual machines when users disconnect: If there is too small a time delay, you can run into issues where an accidental disconnect will start a shutdown. Students will need to start the virtual machine again to connect.

Shut down virtual machines when users do not connect: If students do not connect to the virtual machine after some time and if the duration is too short, the virtual machine will be shutdown. This can affect students starting the virtual machine themselves, or if schedules are used in the lab. Changing the idle setting to a longer duration is an option but has potential cost implications. If schedules are being used, the virtual machines can be started closer to when the class time starts.

Outbound from the School/University/Enterprise/Home Network (local Firewalls)

The network can be a point of interference when firewall(s), switches, routers or other network appliances block or limit RDP/SSH (3389/22) ports or HTTPS ports (443). There are a couple of points where this can happen, either at school or on the local network router at the student’s home. For example, there have been situations where modern routers, especially WIFI 6, have default behavior to block or restrict the RDP/SSH or HTTPS connections. We also see this on campus firewalls restricting outbound RDP/SSH connections to the internet. If you can’t generally remove restrictions, you can usually add an exemption for the lab public IP address. You’ll need to get an IP address for each lab and add those IP addresses to the allow list for the firewall or router. We also see the operating system (Windows & Linux) that can restrict outbound RDP/SSH access and HTTPS connections to connect to the machine. Consult the operating system firewall documentation to enable RDP/SSH/HTTPS connectivity (ports 3389/22/443).

Misconfigurations on the Student Virtual Machine

When students are administrators on their virtual machine, they can make system changes including the network configuration. The student may accidentally change the network configuration in the operating system causing connectivity issues (and virtual machine startup issues). Some examples of these misconfigurations are:

Updating the IP Address to a static IP instead of specified as a dynamic IP
Disabling DCHP (preventing automatically getting an IP address)
Specifying DNS servers (this should not be specified on the virtual machine. If custom DNS is needed, please use Advanced Networking and specify custom DNS servers on the virtual network)

Students running as administrators can also update the local user groups and permissions which could inadvertently block the ability to connect to the machine.

To proactively prevent these types of mistakes, the template can be setup a script to auto-reset the networking on machine shutdown. This article shows how to run a script on shutdown that will reset the network configuration. Otherwise, students or teachers would need to reimage their virtual machine which will get them back to a good state.

Username/password provided doesn’t work on Student VMs when logging in

If the students are unable to connect to their machines using the username and password for the lab with the following message, “Your credentials did not work”:

There are a couple of different reasons that this may occur:

Student using wrong credentials: Please confirm that the student is using the correct username and password for the lab. If the lab has been created with the “Use same password for all virtual machines” enabled, then the username and password should be the same for every student.

Student forgot their password: If they have a custom password and have forgotten it, then the student can reset the password on the machine from the lab portal. Additionally, the student can reset the machine, but any user data will be deleted and not be retrievable.

Shared Password + Azure Compute Gallery image: If other students can’t login using the common lab username and password and the lab was created using an existing custom image this may be caused by a known limitation. The workaround is to use the username and password when the image was created or reset the password.

Virtual Machine was compromised: There are situations where a student password could be fraudulently changed by a bad actor. The student can reset their password to regain access to the machine, but here are some suggestions to reduce the likelihood of this happening:

Do not use common passwords, uncheck the use same password option when creating the lab. Having individual specific passwords reduces the scope if the password is compromised.
Use strong passwords and secure it.

Restrict access to the lab, so that only those students that are in the class can access the machines. By default, the lab is restricted.

Remote Desktop Gateway configured: The remote desktop client the students are using may have a Remote Desktop Gateway configured. If so, they would need to enter their gateway credentials first (to authenticate to the gateway) before connecting to their student VM. (NOTE: This is not common.)

Confirm no lab deployment issues

While not directly related to RDP/SSH connection troubleshooting, if the lab has a failure the machine connections may not work properly. The Azure activity log is the most comprehensive list of events and results. Commonly, the activity log will be filtered on the resource group that the lab is located in. The events may take a few minutes to be available in the log. These event logs will contain more detailed information that can be used for troubleshooting and should be included if a support ticket needs to be created.

Unable to connect an outgoing VPN from a Student VM

If students are attempting to use a VPN connection initiated from a student VM (to the campus/university network for example) and the VPN fails to connect, this is most likely due to the VPN having issues with the Azure Lab Services network configuration. Please open an Azure Support Ticket to get help from Microsoft on resolving this.

Unable to connect via RDP to my Linux VM

RDP is not enabled by default by Azure Lab Services on Linux VMs. To enable RDP for your Linux-based lab, please follow the guide in our documentation enable graphical remote desktop for Linux labs.

Advanced Networking Troubleshooting Items

The list below contains troubleshooting items that apply to advanced networking scenarios only.

Missing a Network Security Group

When troubleshooting a lab plan that has advanced networking configured, one of the first checks is to confirm that the lab services network subnet has a network security group connected to it. This will let the RDP/SSH connections to be allowed through. Without a network security group, all connections are blocked to the virtual machines (template VM and student VMs).

Using Azure Virtual Machine RDP Troubleshooting

There are unique troubleshooting techniques with labs that are configured with advanced networking. Advanced networking enables additional troubleshooting by creating an Azure Virtual Machine connected directly to the virtual network that the lab plan is connected to. Using this Azure VM (outside of Azure Lab Services), you can use the Azure Virtual Machine RDP Troubleshooting guide, including the in-Azure connection troubleshooter, to determine if the network is configured correctly. If you’re still unable to connect to the virtual machine, please see the following section.determine if the network is configured correctly. If you’re still unable to connect to the virtual machine, please see the following section.

NSG Rules are blocking RDP/SSH connections

Using the Azure VM that is connected directly to the virtual network (from the previous section), you can diagnose virtual machine network connectivity directly in the Azure Portal. The blocking or limiting of the RDP/SSH connections via security rules can be done at the subnet with a Network Security Group or by using Azure Virtual Network Manager, the easiest way to see the full list of rules is via the Azure Virtual Machine network effective security rules.

Default User Defined Route (Route table problem)

Advanced networking allows the network to be customized as needed, including modifying the route table. A user-defined route table directs traffic to the appropriate destinations. There is a special route, the “internet route” (0.0.0.0/0) which directs traffic not bound for another local address to the Internet. Azure Lab Services advanced networking does not support updating the ‘next hop’ for the 0.0.0.0/0 route to anything except the internet. Changing this to a specific IP address (for example, directing outbound internet traffic to a firewall or other network appliance) will break connectivity to the lab by introducing an asymmetric routing issue. When debugging issues, check for a custom route table and make sure that the default route is set to have 0.0.0.0/0 to the Internet.

Contact Microsoft for Help

If all else fails and none of the troubleshooting items above helped, please open an Azure Support Ticket to get help from Microsoft on resolving the connection issues.

Using student accounts without admin privileges

nicolehaugen — Thu, 28 Sep 2023 23:08:23 GMT

In the version of Azure Lab Services that uses lab plans, you have the option for students to use a non-admin account on their VMs. With a non-admin account, students don’t have full control over the VM and instead only have privileges to perform general computing tasks. We recommend that you follow the principle of least privilege by having students use a non-admin account unless they need to perform tasks that require admin privileges. Here are a few excerpts that best describe the principle of least privilege:

“The principle states that all users should log on with a user account that has the absolute minimum permissions necessary to complete the current task and nothing more. Doing so provides protection against malicious code, among other attacks. This principle applies to computers and the users of those computers."

"Always think of security in terms of granting the least amount of privileges required to carry out the task. If an application that has too many privileges should be compromised, the attacker might be able to expand the attack beyond what it would if the application had been under the least amount of privileges possible.”

Applying this principle helps to reduce the likelihood and the degree of negative impact that can occur if a student has too many privileges:

Stop malicious software – When using a non-admin account, apps don’t automatically have access to admin privileges. For example, this helps to prevent malware from automatically using admin privileges to infect or damage files on the VM.
Enhance security – You can set up additional security settings and software directly on the VM to enhance security. When students use a non-admin account, they can’t uninstall or disable these security measures. For example, as part of the VM’s image you can install 3^rd party content filtering software, apply local group policies, configure local firewall settings, etc. In a future blog post, we’ll share more info on how to enable these types of security measures.
Safeguard against unintended changes – When students have full admin access, they can inadvertently make changes to their VM that gets it into an unexpected state. Azure Labs provides the ability to reset their VM image to help; however, this often can be avoided by having students use a non-admin account. For example, non-admins are prevented from making accidental changes that can cause their VM to stop working like deleting critical system files, changing IP address settings, blocking outbound access required by Azure, etc.

Before you decide to use a non-admin account for students, you should validate whether students need full control over their VM or if the lab’s software requires admin privileges. Here is a general list of tasks that a non-admin account is blocked from performing:

Installing and removing software
Making system wide config changes, such as to the security, permission, and networking settings
Running software that makes system wide config changes
Creating and deleting files/subfolders that exist with other users' profile/home folder

For software or curriculums that require students to perform the above types of tasks, students will instead need to use an admin account. If you are unsure whether your lab’s software requires admin privileges, we recommend reaching out to your IT department or the software vendor.

IMPORTANT – If your students need to use an admin account, students must take precaution to avoid making changes that can cause their VM to stop working properly. More details are provided on this later in the blog post.

When you set up a lab with a non-admin account, you should connect to the lab’s template VM with the non-admin account to verify that:

All software/files that you install are accessible.
Tasks required for the lab can be performed with non-admin privileges.

In Windows, when a non-admin account attempts to perform a task that requires admin privileges, a User Account Control (UAC) prompt is shown. The UAC prompt blocks the task from being performed unless the user can provide the admin account’s password. For example, if a student that is using a non-admin account attempts to install software, they will see the UAC window and installation will be blocked. However, if a teacher/lab manager is in-person with their student, they can enter the admin account’s password to allow the task to continue with elevated privileges.

Figure 1 Windows User Account Control (UAC) prompt for admin account's password

In Linux, when a non-admin account attempts to perform a task that requires admin privileges, they will see a Permission denied message. For example, if a non-admin account attempts to access a folder that they don’t have read permission for, they will see a Permission denied message and will be prevented from accessing the folder.

Figure 2 Linux permission denied message

In the rest of this blog post, we'll show steps on how to:

Avoid making changes as an admin that can cause the VM to stop working
Add a non-admin account during lab creation
Set up and validate a Windows lab with a non-admin account
Set up and validate a Windows nested virtualization lab with a non-admin account for scenarios like ethical hacking and networking
Set up and validate a Linux lab with a non-admin account

Thanks,
Azure Lab Services team

-------------------------------------------------------------------------------------------------------

Avoid making changes as an admin that can cause the VM to stop working

You may have scenarios or software that require students to use an admin account. When students are an admin, you’ll need to ensure that they avoid making changes that will prevent their Windows or Linux lab VMs from starting and/or working properly. The effect of these changes is that VMs won’t start, students will lose connectivity to their lab VM, or their VM will unexpectedly shut down without the ability for them to reconnect. Often, the only way to fix these issues is by having the student reset their VM image which will cause all data saved on the OS disk to be lost. The list below shows the types of changes that students should avoid making.

1. Don’t change networking settings

Students should be instructed not to make any changes to their VM’s network settings. For example, changes that prevent the VM from obtaining an IP address:

Changing the VM’s IP assignment from dynamic/automatic to static.
Disabling the DNS assignment settings.
Or any other related changes that disable DHCP.

We also recommend setting up a PowerShell script that runs on VM shutdown to ensure the IP address is always set to dynamic/automatic as shown in this blog post: Running a PowerShell Shutdown script on Windows Lab Services machines. - Microsoft Community Hub.

2. Don’t make changes to services

The Azure VM agent relies on local services that are enabled to automatically run in the background. Students shouldn't stop or disable these services because this can have a negative impact on their VM. For example, the Azure VM agent relies on specific services running for the automatic shutdown settings to work properly.

3. Don’t delete system files/folders

The Azure VM agent also relies on files/folders that are installed on the VM. Deleting these files/folders can cause the VM to stop working. For example, students should avoid making changes to any files/folders under C:\WindowsAzure.

4. Don’t make firewall changes

Students should avoid making any changes to their VM’s local firewall, so that they don’t block outbound connections that are required by the Azure VM agent. From a security perspective, teachers/IT may be interested in enabling firewall rules on VMs. We’ll share more info on how to enable local firewall rules as a security measure in a future blog post.

Add a non-admin account during lab creation

First, when you create a lab, check the option to Give lab users a non-admin account on their virtual machine. Checking this option adds two local user accounts to the lab’s VMs:

An admin account that a teacher or lab manager uses for full control and access to each VM.
A non-admin account that students should use for general computing tasks.

Figure 3 Add non-admin account during lab creation

The above steps are prerequisite for the following sections that show how to set up Windows and Linux labs using a non-admin account.

Set up a Windows lab with a non-admin account

1. Connect to the template VM

After you’ve created a Windows lab with both an admin and non-admin account, connect to the lab’s template VM.

a. Use the admin account so that you have full privileges to change Windows settings, install software, etc.

b. When you connect, you will notice that the admin account’s username is automatically populated in the RDP connection file.

Figure 4 Connect to the lab template VM using the admin account

2. Update the template VM

Update the image with changes required for the lab, such as installing software and adding files.

a. Ensure that software is available to all users on the VM. Here are some tips:

Check if the software has options to install for all users. For example, OneDrive provides an "all users" switch.
Install software under Program Files or Program Files (x86).
Place shortcuts under C:\Users\Public\Desktop; to see this folder, you may need to show hidden items using the View->Show->Hidden items option.

Figure 5 Show Public\Desktop folder

b. Ensure that any files needed for the lab are copied to an accessible location like the C:\Users\Public folder.

3. Verify the template VM

Verify that all software and files that you install are accessible with non-admin privileges.

a. Increase the lab’s Shut down virtual machines when users disconnect setting to at least a few minutes.

By default, the value is zero which can cause the VM to immediately shut down when you disconnect as the admin and attempt to reconnect as the non-admin.
You may want to change this value back to zero after you’re done verifying the template VM.

Figure 6 Increase the shut down virtual machines when users disconnect setting

b. Reconnect to the template VM using the non-admin account.

You will need to change the user in the RDP connection file by clicking Use a different account under More choices and entering in the username and password for the non-admin.

Figure 7 Connect to the lab template VM using the non-admin account

c. Verify the VM’s software and files needed for the lab are accessible using the non-admin account. You may also want to verify some common tasks that students will perform to ensure that admin privileges aren’t required.

4. Publish the template VM

After you’re done verifying the template VM, you are ready to publish to create the student VMs. When students connect to their lab VM using RDP, the non-admin account’s username is automatically populated in the RDP connection file.

Set up a nested virtualization lab with a non-admin account

When students are using Windows nested virtualization for ethical hacking and networking scenarios, it’s possible for them to inadvertently make changes to the host VM that can cause it to stop working properly. You should consider having students use a non-admin account for nested virtualization scenarios to help safeguard against detrimental changes to the host VM.

1. Connect to the template VM

After you’ve created a Windows lab with both an admin and non-admin account that supports nested virtualization, connect to the lab’s template VM. Use the admin account so that you have full privileges to enable nested virtualization, install software, etc.

2. Update the template VM

Update the image with changes required to set up nested virtualization. Here are useful resources:

When following the above steps, there is extra configuration required for the non-admin account:

The non-admin account must be added to the Hyper-V administrators group so that they have permissions to start/stop nested VMs, but they won’t have full permissions to use Hyper-V such as attaching a new disk.

Figure 8 Add non-admin account to Hyper-V Administrators group

Disks and VMs must be saved to accessible location, not the default location under %programdata%. For example, you can put these resources in the C:\Users\Public folder.

3. Verify the template VM

Like the previous section on how to verify the template VM for a Windows lab, you should verify that all software and files are accessible with non-admin privileges. You should also ensure that nested VMs can be properly created/started and should validate tasks that students will need to perform.

Set up a Linux lab with a non-admin account

The steps to connect, update, and verify a Linux template VM with an admin/non-admin account varies depending on the:

Distro and version
Connection type (e.g., SSH or RDP)
Graphical desktop environment (e.g., XFCE, MATE, etc.)
Remote desktop server technology (e.g., RDP, X2Go, etc.)

To give you an idea of the steps involved, this section shows how to set up a lab with:

1. Connect to the template VM

The steps in this section assume that you’ve created a lab with the Ubuntu Server 20.04 LTS image and have set the Enabled connection types setting to Client connection (SSH) and Client connection (RDP). The lab should also have both a non-admin and admin account configured.

Figure 9 Enabled connection types setting during lab creation

Connect to the lab’s template VM:

a. Use the admin account so that you have sudo privileges.

b. The first time that you connect to the template VM, you will need to use SSH so that you can set up RDP and XFCE.

c. When you connect, you will notice that the admin account’s username is automatically included in the SSH connection string.

Figure 10 Admin account username in the SSH connection string

2. Update the template VM

Update the image with changes required for the lab, such as installing software and adding files:

By default, on Ubuntu Server 20.04 LTS, the admin user has read/execute permission to the non-admin user’s folder, but not write permission. Write permission is required to create and copy files to the /home/*your non-admin username*/ folder.

Figure 11 Default permission for the non-admin user's folder on Ubuntu 20.04

You’ll need to ensure that the non-admin user has access to software and files needed for the lab. Here are some tips:

a. Use a package manager to install apps. By default, apps will be available system-wide for all users. For example, with Ubuntu use apt-get.

b. XFCE requires that you configure the default desktop environment for the non-admin user. However, you must have write permission to the non-admin user’s folder to run the following command:

sudo echo xfce4-session >/home/*your non-admin username*/.xsession

To obtain write permission, you can:

Create a group and add both the admin/non-admin users.
Give the group ownership of the /home/*your non-admin username*/ folder with rwx permissions.
Enable all newly created subfolders and folders under /home/*your non-admin username*/ to inherit group permissions using the SGID bit.

Here is an example:

sudo groupadd labUsers sudo chgrp labUsers /home/nonadminuser/ sudo chmod 770 /home/nonadminuser/ sudo chmod +s /home/nonadminuser/ sudo usermod -a -G labUsers nonadminuser sudo usermod -a -G labUsers testadmin

NOTE: Other graphical desktops don’t require additional configuration steps for the non-admin user, such as GNOME.

c. Copy or create any files needed for the lab to the non-admin user’s folder. To obtain permission, you can reuse the same approach as above so that you can create files in the /home/*your non-admin username* folder. Or you can create a new shared folder under /home/ and give the group ownership with rwx permission. For example:

sudo mkdir /home/sharedFolder/ sudo chgrp labUsers /home/sharedFolder sudo chmod 770 /home/sharedFolder/

NOTE: The default permissions to the /home/*your non-admin username* folder can vary based on the distro and version. For example, by default, on Ubuntu Server 22.04 LTS the admin user doesn’t have read, write, or execute permissions for the /home/*your non-admin username* folder.

Figure 12 Default permission for the non-admin user's folder on Ubuntu 20.04

3. Verify the template VM

Verify that all software and files that you install are accessible with non-admin privileges.

a. As mentioned earlier in this post, increase the lab’s Shut down virtual machines when users disconnect setting to at least a few minutes.

b. Log out of the SSH terminal and reconnect to the template VM using the non-admin account.

To SSH, you will need to change the admin’s username in the connection string to the non-admin’s username.

Figure 13 Change the username in the SSH connection string

To RDP, you will also need to change the username to the non-admin account.

Figure 14 Change the username during RDP connection

c. Verify the VM’s software and files using the non-admin account. You may also want to verify some common tasks/commands that students will perform to ensure that sudo privileges aren’t required.

4. Publish the template VM

After you’re done verifying the template VM, you are ready to publish to create the student VMs. When a student connects to their lab VM, the non-admin account’s username is automatically populated in the SSH connection string and during RDP connection.

Use labs without registering/joining to AD/AAD

nicolehaugen — Fri, 21 Jul 2023 13:06:05 GMT

To make labs easy to set up and manage, Azure Lab Services is designed with no requirement to register/join lab VMs to either Active Directory (AD) or Azure Active Directory (AAD, or now also called Entra Id). As a result, Azure Lab Services doesn’t currently offer built-in support to register/join lab VMs. There are some key advantages with this approach:

Quick and easy setup – To give students access to a lab and VM, your IT department doesn’t need to set up AD/AAD. Instead, students log in to lab VMs using a local account on the VM and can use a variety of account types to sign-in to a lab. Because of the reduced infrastructure involved, setting up and using Azure Lab Services in your environment is quick and easy. Teachers can independently set up, manage, and delete labs without help from your IT department.
Lower management overhead – There is overhead with managing joined/registered devices in AD/AAD, which goes away with Azure Lab Services since registering/joining lab VMs is a non-requirement. This means no extra work is involved for your IT department to clean up and manage devices in AD/AAD.
Ensure network isolation – Labs are completely isolated from your network which is ideal when you want to give students admin permission on their lab VMs, especially for networking, cybersecurity, and system admin classes.

We recognize that you may have scenarios where you want to register/join lab VMs. For example, you may want to increase VM security by using tools such as Intune or group policies to control user activity. Support for AAD joining lab VMs is being considered for the upcoming product roadmap. In the meantime, we recommend that you don’t attempt to register/join lab VMs to either AD or AAD.

In the rest of the blog post, we explain the limitations with the current experience and why we don’t recommend that you register/join lab VMs. In a future blog post, we’ll also talk about other ways that you can increase VM security without having to register/join lab VMs.

Thanks,

Azure Lab Services team

-------------------------------------------------------------------------------------------------------------------

Why we don’t recommend registering/joining lab VMs

To provide clarity, let’s first define common AD/AAD configurations and the options with each one to register/join computers.

Full-cloud AAD configuration

In a full-cloud AAD configuration, your organization uses AAD and AAD Domain Services to manage computers/users. AAD is a cloud-based, Microsoft managed directory service that typically only requires that a computer has access to the internet. This enables users to either AAD register or AAD join their computers directly to your AAD in the cloud.

Figure 1 Full-cloud AAD configuration

Hybrid AD/AAD configuration

In a Hybrid AD/AAD configuration, a computer joins AD Domain Services and AAD directories to enable management features of both directory services. Your on-prem AD is connected to AAD using Azure AD Connect which syncs your on-prem AD users/computers to AAD. This configuration gives several options to join/register computers:

AAD register – Users can AAD register their computers directly to your AAD.
AAD join – Users can AAD join their computers directly to your AAD.
Hybrid AAD join – IT admins can domain join computers to your on-prem AD, which also automatically joins computers with AAD in the cloud. This option requires network line-of-sight from the computer to your domain controller that exists either on-prem or in Azure.
AD domain join – It’s also possible for IT to only join computers to your on-prem AD and filter the computers from syncing to AAD. Again, network line-of-sight is required from the computer to your domain controller.

Figure 2 Hybrid AD/AAD configuration

Here’s a table that compares the capabilities that are enabled depending on the register/join option being used:

	Capability	AAD register	AAD join	Hybrid AAD join	AD domain join
1.	Students can sign-in to their computer with their AD/AAD credentials	No	Yes	Yes	Yes
2.	Students have single sign-on (SSO) access to cloud resources	Yes	Yes	Yes	No
3.	Students have single sign-on (SSO) access to on-prem resources	No	Yes*	Yes	Yes
4.	IT admin can apply group policies	No	Yes	Yes	Yes
5.	IT admin can enroll lab VMs with Intune	Yes	Yes	Yes	No

* Only applies to a Hybrid AD/AAD configuration

Known limitations

Next, let’s look at the limitations that currently exist with each of the register/join options. The following table provides a high-level comparison of the limitations across the different register/join types. For more detailed info, read the bullets further below.

	Limitation	AAD register	AAD join	Hybrid AAD join	AD domain join
1.	Cleanup: AAD/AD device entries are orphaned at high rate	X	X	X	X
2.	Management: Management challenges due to non-unique VM names	X	X	X	X
3.	Join/register: Join/register process is complex for both students and IT	X	X	X	X
4.	Physical device requirements: The student’s physical device must also be AAD joined/registered and run Windows 10/11		X
5.	RDP connection: Students must change their RDP file to use AD/AAD account credentials		X	X	X

1. Cleanup: VMs are orphaned at a high-rate

When lab VMs are registered/joined, device entries in AD/AAD tend to become orphaned (or stale) at a high rate due to the transient nature of labs and their VMs. Here are common scenarios where lab VMs become orphaned:

Republishing a lab so that all the student VMs are reimaged with the original image from the template VM. Each time that you republish, the student VMs are no longer registered/joined.
Resetting individual VMs so that they are reimaged with the original image from the template VM. Each time a student chooses to reset their lab VM, their VM is no longer registered/joined.
Deleting a lab or VM.
Decreasing VM pool capacity (which may happen automatically if using Teams, Canvas, or AAD groups).

Orphaned device entries can grow at a high rate which adds management overhead for your IT department. For more information on the cleanup that is required, see the article How to: Manage stale devices in Azure AD.

IMPORTANT: A lab’s template VM shouldn’t be registered/joined to AD/AAD because this image is used to create the student VMs and can be exported to the Compute Gallery to create other labs.

2. Management: VMs have non-unique names

By default, Azure Labs doesn’t uniquely name lab VMs. For example, if you enable the Create a template virtual machine option when you create the lab, the VMs will all be named like “lab000001”. Or, if you leave this option disabled so that no template VM is created, the VMs will be named uniquely within a lab, but not across labs. With non-unique names, it’s challenging to manage lab VMs in AD or AAD, especially at scale.

If you’re an IT department or teacher that is proficient with scripting, you might consider using PowerShell to give lab VMs a unique name. However, we don’t recommend this because of the complexity involved:

Initial renaming – Each VM must be given a unique, meaningful computer name before it can be registered/joined to AD/AAD. Renaming needs to occur after the lab VMs are published or when a lab’s VM pool size is increased.
Subsequent renaming – Each time a lab VM is reset or republished, the VM must be given a new unique computer name. A VM shouldn’t be renamed to the same computer name that it was previously registered/joined with because this can cause conflicts in AD/AAD.

3. Join/register: Process is complex for students and IT

To AAD register or AAD join lab VMs, currently the best option is for students to self-register or self-join their lab VM using either Windows Settings or Edge. This involves several steps for students that may be too complicated and requires that their lab VM first be uniquely renamed (see bullet #2 above):

AAD register – It’s possible for a student to sign-in to their VM using either a standard or admin local account and use the Windows Settings option to Set up a work or school account.

Figure 3 AAD register using Windows Settings

Or they can use Edge to sign-in which will AAD register their VM.

Figure 4 AAD register using Edge

AAD join – A student can also sign-in to their VM using the local admin account and use the Alternate actions to Join this device to Azure Active Directory in Windows Settings.

Figure 5 AAD join using Windows Settings

IMPORTANT: AAD join is further complicated by physical device requirements that need to be met to successfully RDP to an AAD joined VM. See the next bullet #4 for more info.

To Hybrid AAD join or AD domain join lab VMs, your IT department typically must do this because it requires admin credentials to join the VMs to AD and direct access to AD to ensure devices are properly joined. It’s possible to Hybrid AAD join and AD domain join VMs using PowerShell; however, this is complicated by the following:

Each student VM needs to first be uniquely renamed (see bullet #2 above).
The admin credentials that have access to join the VMs to AD need to be saved in a secure store because the script would need to reside on the lab VMs that students have access to.
To run the scripts on student VMs to join them, your IT department would either need to use Remote PowerShell commands or Windows Task Scheduler.

Things get more complicated for AAD register, AAD join, Hybrid AAD join, or AD domain join because the steps need to be repeated in the following scenarios:

Republishing a lab so that all the student VMs are reimaged with the original image from the template VM. Each time that you republish, the student VMs are no longer registered/joined and you need to repeat the process to give them a new unique name and register/join them again.
Resetting individual VMs so that they are reimaged with the original image from the template VM. Each time a student chooses to reset their lab VM, their VM is no longer registered/joined and you need to repeat the process to give the VM a new unique name and register/join the VM again.
Increasing VM pool capacity (which may happen automatically if using Teams, Canvas, or AAD groups).

4. Physical device requirements: Win 10/11 and AAD joined/registered

To successfully sign-in and connect to an AAD joined lab VM, the physical device must adhere to the following requirements:

The lab VM and the physical device the student connects from must both be running Windows 10 or newer. Windows 7/8.1 and Windows Server are not supported for AAD Join. Windows Home Editions do not support Azure AD join.
Both the physical device the student connects from, and the lab VM must run supported versions of Windows 10/11.
The physical device must also be AAD registered, AAD joined, or Hybrid AAD joined.
Both the physical device and lab VM must be in the same AAD tenant.

This means that students can’t use a Chromebook, Mac, or Linux device to connect to an AAD joined lab VM.

IMPORTANT: These physical device requirements only apply to VMs that are AAD joined. They do not apply to VMs that are AAD registered, Hybrid AAD joined, or AD domain joined.

5. RDP connection: File defaults to local account

One reason that IT departments and teachers want to join lab VMs, is to enable an SSO experience so that students can sign-in to their lab VM with their AD/AAD credentials and access on-prem and/or Microsoft 365 (M365) cloud resources such as OneDrive. However, students must know how to change the RDP connection file’s default account to sign-in with their AD/AAD credentials to a VM that is AAD joined, Hybrid AAD joined, or AD domain joined. These steps may add too much complexity and be error-prone for students.

After the student downloads the RDP connection file and opens the RDP client, they need to change from the default local account to their AD/ADD account (e.g., user@domain.com or AzureAD/user@domain.com). To avoid repeating this step each time the student logs in, they can also edit the RDP file to use their domain account by default and save the RDP file to their physical device.

IMPORTANT: These steps to change the default account in the RDP file are only needed when a lab VM is AAD joined, Hybrid AAD joined, or AD domain joined. AAD register does not support signing into the lab VM using their AD/AAD credentials.

Figure 6 Prompt to change default RDP account

Network architectures and topologies with Lab Plans

laurendunlap — Thu, 20 Jun 2024 22:46:28 GMT

Supported Networking Scenarios for Azure Lab Services

Azure Lab Services with Advanced Networking was announced as generally available. Customers are using the advanced networking feature on various network architectures and topologies with Lab Plans. We compiled scenarios to label what works and what doesn’t with Azure Lab Services. For any feature requests, please add them to the Azure Lab Services Share Your Ideas community site!

Thanks,

Azure Lab Services Team

Scenario	Enabled	Details
Lab-To-Lab communication	Yes	This is available and documented. If students need two virtual machines we also recommend using Nested Virtualization.
Opening additional ports to the students VMs	No	This currently doesn’t work, even with advanced networking. One possible solution is to use PowerShell or Azure SDK to manually add the NAT rules for every VM in the lab (every private IP address) but it’s not a good solution because Load Balancers have a limit on allowed rules, it takes a lot of scripting to complete and the experience isn’t good for students (students won’t know what LB port goes to their VM).
Enable distant license server (on-prem, cross region, etc)	Yes	This works as expected, only need a User Defined Route to point to the license server.  The only issue is sometimes specific software requires hitting the license server by name (and not by IP). To enable this, a customer-provided DNS server is needed or add to ‘hosts’ file on the template for the IP/Name lookup. Please see Azure Networking best practices for Hub-Spoke model if you have multiple services accessing the license servers, using them from multiple regions, or if the licensing servers are included in other infrastructure. NOTE: When using resources on-prem, don’t forget to add in a user defined route so the Lab virtual machines can reach the server.
Access to on-prem resources (like a license server)	Yes	Customer can do this by: 1. Via Express Route or Site-to-Site VPN (bridge the networks) 2. Add a public IP to their on-prem server with some firewall to only allow incoming connections from labs NOTE: When using resources on-prem, don’t forget to add in a user defined route so the Lab virtual machines can reach the server.
Enable azure networking best-practices (hub-spoke model)	Yes	This works as expected - there is no extra ‘magic’ on networking side with Lab Services (with Lab Plans and advanced networking). There are a few things that don’t work – like adding a “Default Route” on a Route Table (breaks connectivity to the lab), changing the FQDN on the public IP.
Enable accessing student VMs by Private IP (private-only labs)	Not Recommended	This scenario is functional, but it’s difficult for students. In the Labs portal, the student doesn’t have a way to identify the private IP of their VM. In addition, the student VM’s connect button always points to public endpoint. The only way to make it work is if the teacher provided the students with the private Ips of their VMs (keeping in mind that the IP can change, if the VM is reset for example) NOTE: If attempting this scenario, do not delete the public IP & load balancer associated with the lab. If those resources are deleted, the Lab will fail to scale or publish after that.
Protect license server (or on-prem resources) with a firewall	Yes	Firewall between student VMs and a specific resource works fine
Put student VMs behind a firewall (for content filtering, security, etc)	No	The typical firewall setup does not work with Lab Services unless the university is connecting to student VMs by private IP (see above). The specific issue is that part of the firewall setup is adding a ‘default route’ on the route table for the subnet. When this is added, we introduce an asymmetric routing problem which breaks the RDP/SSH connections to the lab.
Use 3^rd party over-the-shoulder monitoring software	Yes	This works with labs when using Advanced Networking.
Give labs a consistent domain name (lab1.labs.myuniversity.edu.au)	No	This doesn’t work. because when the lab is created, we get the FQDN from the public IP of the lab and save that for the lab VMs. This means that changes to the Public IP are not propagated to the ‘connect’ button for the template virtual machines or the student virtual machines.
Enable forced-tunneling for Labs (all communication to student VMs on secure channels, no internet traffic)  - also called “Fully Isolated Labs”	No	This doesn’t work out of the box. As soon as a route table is associated with the subnet containing a default route, users will lose connectivity to the lab (see the firewall scenario above). The customer can follow the steps above for Accessing Student VMs by Private IP (that part works), but customer can’t delete the public IP & load balancer since that will break the lab (can’t scale/publish after that).
Enable Content Filtering	Depends	Content Filtering scenarios that work: · Software on VM:  Filtering works with 3^rd party solutions 1. Students ideally should run as non-admin so they can’t uninstall or disable the software 2. Ensure that outbound calls to Azure are not blocked · DNS-based content filtering: Filtering works with advanced networking & specifying the DNS server on the Lab’s subnet. A DNS server that supports content filtering can be used to do dns-based filtering. · Proxy-based content filtering: Filtering works with advanced networking if the lab VMs can use a customer-provided proxy server that supports content filtering. It works similarly to the DNS-based solution. Content Filtering that DOES NOT WORK · Network Appliance (firewall):  Please see the firewall section above for more information When planning a content filtering solution, remember to do a proof of concept to ensure that everything works as expected end to end.
Leverage a connection broker (like Parsec) for high-framerate gaming scenarios	Not Recommended	Although this isn’t directly supported with Azure Lab Services, it’s possible but would run into the same challenges that “Access VMs by Private IP” show above.
“Cyber Field” scenario – a set of vulnerable VMs on the network for students to discover and attack (Ethical Hacking)	Yes	This works with existing features using Advanced Networking
Enable using Azure Bastion for Student VMs	No	This doesn’t work with Azure Lab Services.

New and Improved Guidance: Grant Permission to Lab Resources

nicolehaugen — Thu, 20 Jun 2024 22:45:10 GMT

We are in progress of making many improvements to the documentation for the latest update to Azure Lab Services. One upcoming improvement is that we're adding guidance on how to grant administrators and educators permission to lab resources. Please see an early release of this new guidance further below - this guidance includes the following topics:

Resource group and lab plan structure
- Permission to multiple resource groups
- Permission to multiple lab plans
Roles for common lab activities
Administrator roles
- Owner
- Contributor
- Lab Services Contributor
Educator roles
- Lab Creator
- Lab Contributor
- Lab Assistant
- Lab Services Reader
Moving role assignments from lab accounts to lab plans

We are interested to get your feedback on this content, including any points that may be unclear or where gaps may exist. Please share any feedback that you have by adding a comment to this blog post.

Thanks!

Azure Lab Services Team

----------------------------------------------------------------------------------------------------------

Granting users permission to lab resources

To give administrators and educators access to Azure Lab Services, they need to be assigned one of the following roles using Azure’s role-based access control (RBAC) .

Administrator roles
- Owner
- Contributor
- Lab Services Contributor
Educator roles
- Lab Creator
- Lab Contributor
- Lab Assistant
- Lab Services Reader

As shown by the arrows in the graphic below, roles can be assigned to users on resource groups, lab plans, and labs:

Resource groups are logical containers for grouping together resources. Role assignment at the resource group level grants permission to the resource group and all resources within the resource group, such as labs and lab plans.
Lab plans are used to apply common configuration settings when you create a lab. Role assignment at the lab plan level grants permission only to a specific lab plan.
Lab role assignment grants permission only to a specific lab.

IMPORTANT – Lab plans and labs are sibling resources to each other. As a result, labs don’t inherit any roles/permissions that are assigned at the lab plan level. However, roles/permissions assigned at the resource group level are inherited by both lab plans and labs.

Roles for common lab activities

The following table shows common lab activities and the role that needs to be assigned to an administrator or educator to perform each activity. For more details on all the lab roles available and the permissions that each role grants, see the below sections about administrator roles and educator roles.

IMPORTANT – The Owner/Contributor roles can also be assigned at the subscription level. An organization’s subscription is used to manage billing and security for all Azure resources and services. Typically, only administrators are given subscription level access because this includes full access to all resources in the subscription. Also, when assigned as an Owner, they have the ability to grant access to others.

Role Type	Activity	Role to Assign	Resource Assigment Level
Administrator	Grant permission to create a resource group (which needs to exist before a lab plan or lab can be created).	Owner or Contributor	Subscription*
Administrator	Grant permission to submit a Microsoft support ticket, including to request capacity	Owner, Contributor, Support Request Contributor	Subscription*
Administrator	Grant permission to: Assign roles to other users. Create/manage lab plans, labs, and other resources within the resource group. Enable/disable marketplace and custom images on a lab plan. Attach/detach compute gallery on a lab plan.	Owner	Resource Group
Administrator	Grant permission to: Create/manage lab plans, labs, and other resources within the resource group. Enable/disable marketplace and custom images on a lab plan. Attach/detach compute gallery on a lab plan. However, not the ability to assign roles to other users.	Contributor	Resource Group
Educator	Grant permission to create/manage their own labs: Using all lab plans within a resource group. Or, only for a specific lab plan.	Lab Creator	Resource Group or Lab Plan
Educator	Grant permission to co-manage a lab, but not the ability to create labs.	Lab Contributor	Lab
Educator	Grant permission to only start/stop/reset VMs for: All labs within a resource group. Or, only for a specific lab.	Lab Assistant	Resource Group or Lab

* The specified roles must be assigned at the subscription level.

Administrator roles

To grant users permission to manage Azure Lab Services within your organization’s subscription, you should assign them the Owner, Contributor, or the Lab Services Contributor role. These roles should be assigned at the resource group level.

IMPORTANT - Roles/permissions assigned at the resource group level are inherited by both lab plans and labs that are contained within the resource group.

The following table compares the administrator roles when they are assigned at the resource group level.

	Activity	Resource Group Level
	Activity	Owner	Contributor	Lab Services Contributor
Lab plan activities	View all lab plans within the resource group	Yes	Yes	Yes
	Create, change or delete all lab plans within the resource group	Yes	Yes	Yes
	Assign roles to lab plans within the resource group	Yes	No	No
Lab activities	Create labs within the resource group*	Yes	Yes	Yes
	View other users’ labs within the resource group	Yes	Yes	Yes
	Change or delete other users’ labs within the resource group	Yes	Yes	No
	Assign roles to other users’ labs within the resource group	Yes	No	No

* Users are automatically granted permission to view, change settings, delete, and assign roles for the labs that they create.

Owner

You should assign the Owner role to give a user full control to create/manage lab plans and labs, and grant permissions to other users. When a user is assigned the Owner role at the resource group level, they can do the following activities across all resources within the resource group:

Assign roles to administrators so they can manage lab-related resources.
Assign roles to educators so they can create and manage labs.
Create lab plans and labs.
View, delete, and change settings for all lab plans; this includes attaching/detaching the compute gallery and enabling/disabling marketplace and custom images on lab plans.
View, delete, and change settings for all labs.

IMPORTANT – Owner/Contributor permissions assigned at the resource group level also applies to non-lab related resources that may exist within a resource group.

Contributor

You should assign the Contributor role to give an user full control to create/manage lab plans and labs within a resource group. The Contributor role is nearly the same as the Owner role, except that a Contributor:

Can’t assign roles to other administrators or educators.

Lab Services Contributor

The Lab Services Contributor is the most restrictive of the administrator roles. You should assign the Lab Services Contributor role to enable the same activities as the Owner role; however, a Lab Services Contributor:

Can’t assign roles to other administrators or educators.
Can’t change or delete other users’ labs.

Educator roles

The following roles should be used to grant educators permission to create and manage labs:

Lab Creator
Lab Contributor
Lab Assistant
Lab Services Reader

IMPORTANT – The educator roles only grant permission to view lab plans. Users assigned educator roles can’t create, change, delete, or assign roles to lab plans. In addition, they can’t attach/detach a compute gallery or enable/disable images.

Lab Creator

You should assign the Lab Creator role to a user so that they can create labs and have full control over the labs that they create. For example, they can change their labs’ settings, delete their labs, and even grant other users permission to their labs. The Lab Creator role should be assigned at either the resource group or lab plan level.

The following table compares the Lab Creator role when it’s assigned at the resource group level versus the lab plan level.

Lab Activity	Resource Group Level	Lab Plan Level
Lab Activity	Lab Creator	Lab Creator
Create labs within the resource group*	Yes	Yes
View other users’ labs within the resource group	Yes	No
Change or delete other users’ labs within the resource group	No	No
Assign roles to other users’ labs within the resource group	No	No

* Lab Creators are automatically granted permission to view, change settings, delete, and assign roles for the labs that they create.

When the Lab Creator role is assigned at the resource group level, the user can:

View all labs within the resource group, including those created by other users.
Create new labs from all labs plans within the resource group.
Change and delete labs that they created; they can’t change or delete other users’ labs.

You can also assign the Lab Creator role at the lab plan . With the Lab Creator role assigned on the lab plan, the user can:

Create new labs using only that specific lab plan.
View, change, or delete labs that they created; they can’t view, change, or delete other users’ labs.

Lab Contributor

You should assign the Lab Contributor role to give an user permission to help manage an existing lab. The Lab Contributor role should be assigned at the lab level.

When the Lab Contributor role is assigned at the lab level, the user can manage the assigned lab. Specifically, the user:

Can view, change all settings, or delete the assigned lab; they can’t view other users’ labs.
Can’t create new labs.

Lab Assistant

You should assign a user the Lab Assistant role if you only want them to be able to start/stop/reset lab VMs. The Lab Assistant role should be assigned at the resource group or lab level.

When the Lab Assistant role is assigned at the resource group level, the user:

Can view all labs within the resource group and start/stop/reset student VMs for each lab; otherwise, they can’t delete or make any other changes to the labs.

When the Lab Assistant role is assigned at the lab level, the user:

Can view the assigned lab and start/stop/reset student VMs; otherwise, they can’t delete or make any other changes to the lab.
Can’t create new labs.

Lab Services Reader

The Lab Services Reader role enables user to view existing labs; they can’t make any changes. The Lab Services Reader role should be assigned at the resource group or lab level.

When the Lab Services Reader role is assigned at the resource group level, the user can view all labs within the resource group. Otherwise, when the Lab Services Reader role is assigned at the lab level, the user can only view that specific lab.

Moving role assignment from lab accounts to lab plans

If you are moving from lab accounts to lab plans, it’s important to understand differences between lab accounts and lab plans and how this impacts role assignments:

Lab accounts serve as a parent to labs; as a result, the roles assigned on a lab account are automatically inherited by its child labs.
Lab plans and labs are siblings to each other; this means that labs don’t inherit roles from lab plans.

For example, if you have users that are assigned the Owner or Contributor role at the lab account level, you should instead assign the Owner and Contributor roles at the resource group level for your lab plans. Roles assigned on a lab plan’s resource group will automatically grant permission to all labs within the resource group.

The table below shows recommendations to map roles from Azure Lab Services lab accounts to lab plans.

Role Type	Lab accounts		Lab plans
Role Type	Role	Assignment level	Role	Assignment level
Administrator	Owner	Lab account	Owner	Resource group
Administrator	Contributor	Lab account	Contributor	Resource group
Educator	Lab Creator	Lab account	Lab Creator	Lab plan
	Owner*	Lab	Owner	Resource group or lab
	Contributor*	Lab	Lab Contributor	Lab

* In the earlier version, the lab’s Contributor and Owner roles required that the Reader role also be assigned on the lab account. When using lab plans, you do not need to assign the Reader role at the lab plan or resource group level.

Resource group and lab plan structure

Your organization should invest time up front to plan the structure of your resource groups and lab plans. This is especially important when users are assigned roles at the resource group level because they automatically will have permission to use all resources within the resource group. To ensure that users are only granted permission to the appropriate resources, we recommend that you:

Create resource groups that only contain lab-related resources.
Organize lab plans and labs into separate resource groups according to the users that should have access.

For example, you may want to create separate resource groups for different departments, such as one for Math and another for Engineering, so that each department’s lab resources are isolated from one another. Educators in the Engineering department can then be granted permission at the resource group level, which will only give them access to their department’s labs.

IMPORTANT – You should plan the structure of resource groups and labs plans up front because it’s not possible to move lab plans or labs to a different resource group once they are created.

Permission to multiple resource groups

Administrators and educators can be granted permission to more than one resource group. For example, when an educator is assigned the Lab Contributor role on labs from different resource groups, the educator will be prompted to choose from the list of resource groups to view their labs.

Permission to multiple lab plans

Likewise, administrators and educators can be granted permission to more than one lab plan. For example, when an educator is assigned the Lab Creator role on a resource group that contains more than one lab plan, the educator will be prompted to choose from the list of lab plans during lab creation.

Education scenarios with Azure Lab Services and Azure Virtual Desktop

laurendunlap — Tue, 27 Jun 2023 20:59:04 GMT

Azure has a range of offerings used by educational institutions across the globe. This guide will provide an overview of Azure Lab Services, how it is distinct from Azure Virtual Desktop, as well as share some common use cases for each.

What is Azure Lab Services?

Azure Lab Services enables institutions to quickly set up and manage classroom labs in the cloud.

An educator or facilitator can set up learning environments across Windows or Linux VMs with Marketplace images or customize the exact software and files to include, assign lab VMs to students, manage the student roster, and control students’ VM usage to track engagement as well as manage costs. Students can see all their lab resources in a single view and connect to lab VMs for their projects, assignments, and classroom exercises. Azure Lab Services can also be integrated with Canvas and Teams.

Azure Lab Services is a managed service that simplifies the experience of using Azure resources for teaching and learning. This means that Azure Lab Services fully manages the cloud infrastructure running behind the labs on behalf of the institution. For more information, refer to the Azure Labs documentation.

Azure Lab Services scenarios

Azure Lab Services is best suited to:

Enable educators to set up and manage VMs without technical expertise
Provide learning environments that can be deleted and easily recreated as needed
Track lab engagement and minimize costs by managing students’ usage hours on the VMs
Estimate costs using a simplified pricing model
Provide students with admin access to their own individually assigned VM environment
Link lab environment with existing tools like Canvas and Teams
Create labs with Windows and Linux VMs from a variety of machine sizes including GPU and high memory/CPU
Network isolation of cloud-based lab VMs as they are not required to be domain joined

Below are a few types of classes that institutions run with Azure Lab Services:

Computer programming class – A computer programming class may include a development environment with specific software versions, IDEs like Visual Studio, debugging tools, and emulators. This type of class may also require students to make configuration changes to the VM environment itself.
Data science class – Data science courses are like computer programming classes in that student workloads involve a variety of frameworks and tools. The process to train machine learning models is often GPU\CPU intensive where students may need access to specific hardware for optimal performance.
Cybersecurity class – In a cybersecurity class, students need access to several VM environments so that they can practice scenarios where one VM demonstrates a vulnerability, and another is used to exploit the vulnerability. For this class, each student is provided a Windows Server host VM that has several nested VMs and can be completely isolated from your network.
Digital design class – Students can be assigned a GPU-based lab that includes digital arts and media software like Adobe Creative Cloud or Autodesk, to run on a wide range of devices, including older devices and Chromebooks. A license server can be connected from on-premises or hosted in Azure.

For more information on how to leverage Azure Lab Services for common lab environments, refer to the class types overview.

What is Azure Virtual Desktop?

Azure Virtual Desktop (AVD) is Azure’s platform desktop and app virtualization service. Azure Virtual Desktop, formerly Windows Virtual Desktop, is not necessarily education-specific and addresses a wide range of scenarios.

Azure Virtual Desktop enables organizations to securely deliver Windows virtual desktops and remote apps with maximum control to any device from a flexible cloud virtual desktop infrastructure (VDI) platform. Azure Virtual Desktop can bring together Microsoft 365 and Azure to provide users with the only multi-session Windows 11 and Windows 10 experience, with exceptional scale and reduced IT costs.

Azure Virtual Desktop is a managed service since it oversees the connections to VMs; however, organizations have greater responsibility when it comes to configuring and managing the involved AAD tenant and infrastructure. For more information, refer to the Azure Virtual Desktop documentation.

Azure Virtual Desktop scenarios

Azure Virtual Desktop is best suited to:

Give access to individual Windows line-of business or Microsoft 365 apps
Provide users with continuous, 24-hour access to apps or desktop environments
Minimize costs by sharing and scaling pooled VMs across users

Here are some educational use cases where Azure Virtual Desktop is ideal to use:

Virtual computers for libraries or offices – Institutions looking to replace general-use Windows computers, such as library computers, with a cloud-based offering can use a virtualized environment for this purpose. For example, library computers usually provide students with access to basic applications such as Office and a browser.
Accounting class that only needs Excel – Azure Virtual Desktop’s remote app virtualization is ideal for classes that only need to provide students with access to a single application. For example, an accounting class where the students need to learn and have access to Excel.

There are additional factors that should be considered when choosing between these two offerings. The following table summarizes key comparison points based on the current functionality for each offering.

How are they different?

Refer to the following guide to explore the differences between Azure Lab Services and Azure Virtual Desktop.

Azure Lab Services

Azure Virtual Desktop

Introduction

Overview

Azure Lab Services is a cloud-based lab platform to easily set up and provide on-demand access to preconfigured virtual machines (VMs) to support educational scenarios like teach a class, train professionals, run a hackathon or a hands-on lab, and more. Simply define your needs and the service will roll the lab out to your audience. Users access all their lab VMs from a single place.

Azure Virtual Desktop (formerly Windows Virtual Desktop) is a flexible cloud virtual desktop infrastructure (VDI) platform that securely delivers virtual desktops and remote apps with maximum control and is optimized for flexibility.

Pricing

Each VM incurs cost when run by students which is measured in lab units (bundled compute, network, snapshots, and disks). Billing in this simplified model is at an hourly rate where you only pay for active usage and nothing when VMs are turned off.

Azure Lab Services Pricing

If lab images are saved to a compute gallery or advanced networking is enabled, additional costs may be incurred.

Costs related to Azure Lab Services

Pricing includes user access rights (with an option to use eligible licenses like M365 or CAL) and Azure infrastructure costs (storage, compute, and network) based on usage.

Azure Virtual Desktop pricing

Azure Virtual Desktop consumption costs are the sum of all Azure resource charges for users accessing an AVD host pool.

Understanding total Azure Virtual Desktop deployment costs

Setup

Lab Management

Educators have a simplified experience (that requires no technical expertise) to easily set up and manage labs within the policies established by their IT department.

IT will likely need to set up and manage the pool of VMs and related resources since technical expertise and access to the institution’s Azure subscription is required.

Lab VM Types

Labs can be created with predefined Windows or Linux VMs.

VM sizing with Azure Lab Services

VMs can be provisioned with Windows versions. Linux VMs are not supported.

Integrations

There is Canvas integration as an inherited app. Students only need Canvas permissions. Instructors will need both Azure and Canvas permissions.

Azure Lab Services within Canvas

Azure Lab Services can be set up as a Teams app to sync class rosters and streamline the student experience. Alternatively, Teams can be installed in lab as a collaboration tool.

Azure Lab Services within Microsoft Teams

Azure Lab Services has AAD Group support where a class roster can be synced from a designated AAD Group.

Add lab users from an AAD Group with Azure Lab Services

Teams can be installed within Azure Virtual Desktop for chat and collaboration.

Use Microsoft Teams on Azure Virtual Desktop

Azure Virtual Desktop supports AAD groups and AAD join.

Azure AD join for Azure Virtual Desktop

IT admin

Customize and Reuse Lab VMs

Labs can be created with custom VM images.

Labs can be configured with templates that grant permission for instructors to specific software or files.

RBAC roles with Azure Lab Services

Azure Labs supports free Marketplace images that can be utilized across multiple labs, subscriptions, and regions.

Specify marketplace images for a lab in Azure Lab Services

Save custom images to Azure Compute Gallery or bring a custom image from a VHD.

A custom image can be used with Azure Virtual Desktop that contains all the apps and configuration settings for deployment.

Create an Azure Virtual Desktop golden image

A virtual hard disk (VHD) image can also be uploaded to Azure to provision Azure Virtual Desktop.

Prepare and customize a VHD image of Azure Virtual Desktop - Azure

Azure Virtual Desktop supports capturing images in a Compute Gallery or as a managed image.

Create an Azure Virtual Desktop golden image

Cost control

IT admins and educators can limit exactly how many hours that a student can access a lab VM by setting user schedules and quotas – this ensures the budget is never exceeded. Idle settings can also be configured to shutdown inactive lab VMs.

Cost management guide for Azure Lab Services

IT admins can save costs in Azure Virtual Desktop sharing VMs across users and scaling VMs to automatically start\stop during specified hours.

There is no ability to set user quotas.

Understanding Azure Virtual Desktop deployment costs

Session Sharing

Students are each assigned their own dedicated VM where they connect using a single session.

Azure Virtual Desktop supports dedicated VMs, it also supports multi-session with Windows 11 and Windows 10, which allows multiple concurrent user sessions for cost savings, not collaboration. Multiple students can share a host VM in separate sessions.

Windows 10 and Windows 11 Enterprise multi-session with Azure Virtual Desktop

Instructor

Customize Lab VMs

Instructors may be granted permission to prepare labs with specific software or files for students to use.

Create and manage a template in Azure Lab Services

Azure Virtual Desktop labs are typically configured by an IT admin.

LMS Integration

When a lab is created in Canvas, Azure Lab Services will sync with the class roster.

Azure Lab Services within Canvas

Azure Virtual Desktop does not have direct LMS support.

Teams Integration

Azure Lab Services can be integrated with Teams to sync class rosters and streamline the student experience. Alternatively, Teams can be installed in lab as a collaboration tool.

Azure Lab Services within Microsoft Teams

Teams can be installed within Azure Virtual Desktop for chat and collaboration.

Use Microsoft Teams on Azure Virtual Desktop

Student

Student Account Access

Students connect using a Microsoft account unless using Canvas. There is an option to link a non-Microsoft account with a Microsoft account. Azure Lab Services does not require AAD domain joining, which allows students to connect to the lab VM that is isolated from a school network.

Student accounts with Azure Lab Services

Access a VM (student view) in Azure Lab Services from Canvas

Users will need to authenticate through Azure Active Directory (AAD). Azure Virtual Desktop supports hybrid identities through AAD, including Active Directory Federation Service (AD FS) and hybrid AAD-joined session hosts.

Azure Virtual Desktop identities and authentication

Device Connection

Students may connect from any device that has a native remote desktop client installed; this includes Windows, Android, MacOS or iOS device. Default connectivity for Windows is RDP and default connectivity for Linux is SSH.

How to connect to an Azure Lab Services VM

Same as Azure Labs. In addition, Azure Virtual Desktop supports thin clients, and web access.

Compare the features of the Remote Desktop clients for Azure Virtual Desktop

Persistent Student Workspace

Students’ work and data on the VM is persistent across sessions until a lab’s template VM is republished, or the lab is deleted.

Accelerated lab setup guide for Azure Lab Services

Students can save their work across external locations like OneDrive, GitHub, or Azure Files.

Use external file storage in Azure Lab Services

With FSLogix profile containers, users have persistent access to their user settings and their user profile folder which includes subfolders such as Desktop, Documents, Music, Pictures, etc. User profiles are maintained across VMs and when VMs are reimaged.

Users may be assigned their own dedicated VM so that their work and data is persistent across sessions for the lifetime of the VM.

Azure Virtual Desktop FSLogix profile containers files

Students can be assigned a VM with either an admin or non-admin login.

Create a lab using Azure Lab Services

Students can be granted a local user account on the VM or can be configured with admin account on a dedicated VM.

Manage app groups for Azure Virtual Desktop

Can they be used together?

Yes! Many schools use Azure Lab Services and Azure Virtual Desktop as complementary solutions to meet their requirements in a secure, cost-effective way.

If you would like to learn more, please review this case study on pairing the services together to enable remote learning.

Sheffield Hallam University delivers remote access to business-critical software

How to use the “Lab Services should restrict allowed virtual machine SKU sizes” Azure Policy?

agopinathan — Fri, 02 Sep 2022 16:00:00 GMT

Let’s walkthrough how a lab administrator can allow only non-GPU SKUs, so educators can create only non-GPU SKU labs.

1. In Azure Portal, go to your subscription.

2. Select Policies under Settings.

3. Select Assignment under Authoring.

4. Select Assign Policy.

5. Select the Scope which you would like to assign the policy to. Optionally, you can select a resource group if you would like to apply it to a specific resource group.

6. Select the Policy Definition and search for “Lab Services” and select Lab Services should restrict allowed virtual machine SKU sizes.

7. Select Next.

8. Uncheck the Only show parameters that need input or review to show all parameters.

9. The Allowed SKU names parameter shows SKU names and by default the SKU names applicable are selected . Uncheck the SKUs that shouldn’t be allowed. In our case we will check the following non-GPU SKUs: CLASSIC_FSV2_2_4GB_128_S_SSD, CLASSIC_FSV2_4_8GB_128_S_SSD, CLASSIC_FSV2_8_16GB_128_S_SSD, CLASSIC_DSV4_4_16GB_128_P_SSD, CLASSIC_DSV4_8_32GB_128_P_SSD.

Use the table below to determine which SKU names to apply.

SKU Name	VM Size	VM Size Details
CLASSIC_FSV2_2_4GB_128_S_SSD	Small	2vCPUs, 4GB RAM, 128GB, Standard SSD
CLASSIC_FSV2_4_8GB_128_S_SSD	Medium	4vCPUs, 8GB RAM, 128GB, Standard SSD
CLASSIC_FSV2_8_16GB_128_S_SSD	Large	8vCPUs, 16GB RAM, 128 GB, Standard SSD
CLASSIC_DSV4_4_16GB_128_P_SSD	Medium (Nested virtualization)	4 vCPUs, 16GB RAM, 128 GB, Premium SSD
CLASSIC_DSV4_8_32GB_128_P_SSD	Large (Nested virtualization)	8vCPUs, 32GB RAM, 128GB, Premium SSD
CLASSIC_NCSV3_6_112GB_128_S_SSD	Small GPU (Compute)	6vCPUs, 112GB RAM, 128GB, Standard SSD
CLASSIC_NVV4_8_28GB_128_S_SSD	Small GPU (Visualization)	8vCPUs, 28GB RAM, 128GB, Standard SSD
CLASSIC_NVV3_12_112GB_128_S_SSD	Medium GPU (Visualization)	12vCPUs, 112GB RAM, 128GB, Standard SSD

10. For the Effect, choose the Deny Choosing deny will prevent a lab from even being created if an educator tries to create a lab with a GPU SKU.

11. Select Next.

12. On the Remediation tab, select Next.

13. For the Non-compliance message, provide a non-compliance message of your choice. For example, "selected SKU is not allowed".

14. Select Next.

15. On the Review + Create tab, select Create to create the policy assignment.

We have successfully created a policy assignment for “Lab Services should restrict allowed virtual machine SKU sizes” and allowed only to use non-GPU SKUs for labs. Creating a lab with any other SKU will fail and would not be created. The policy assignment takes 30 minutes to take effect.

Exclusions

When applying a built-in policy, you can choose to exclude certain resources. For example, if the scope of your policy assignment is a subscription, you can exclude resources in a resource group. This is set using the Exclusions property on the Basics tab when creating a policy definition.

However, if you need to exclude a lab plan from a policy assignment the steps are different. The exclusions scope shown in the Basics tab while assigning the policy doesn’t support lab plans.

If you would like to exclude a lab plan resource, you will first need to get the resource id of the lab plan. To get the resource id for the lab plan resource that you want to exclude, do the following:

1. Open the lab plan resource in the Azure portal.

2. Under Settings, select the Properties page.

3. Under the Essentials, copy the Id property.

When creating a policy assignment, enter the lab plan to exclude on the Parameters tab.

4. On the Parameters tab, uncheck Only show parameters that need input or review. For Lab Plan Id to exclude, enter the previously copied resource id of the lab plan.

Thanks,

Lab Services Team

What’s new with Azure Policy for Lab Services?

agopinathan — Thu, 20 Jun 2024 22:36:43 GMT

Azure Lab Services has added 4 built-in Azure policies. Azure Policy help IT administrators to manage and prevent issues automatically. Policy definitions enforce rules and effects for your resource. This blogpost summarizes the new policies available with Azure Lab Services that use lab plan.

Lab Services should enable all options for auto shutdown
Lab Services should not allow template virtual machines for labs
Lab Services should require non-admin user for labs
Lab Services should restrict allowed virtual machine SKU sizes

For a full list of built-in policies, including policies for Lab Services, see Azure Policy built-in policy definitions.

Lab Services should enable all options for auto shutdown

This policy is used to enforce that all shutdown options are enabled while creating the lab. During policy assignment, lab administrators can choose the following effects.

Effect	Behavior
Audit	Labs will show on the compliance dashboard as non-compliant when all shutdown options are not enabled for a lab.
Deny	Lab creation will fail if all shutdown options are not enabled.

Lab Services should not allow template virtual machines for labs

This policy can be used to restrict customization of lab templates. While creating a new lab, there is an option either to “create a template virtual machine” or “Use virtual machine image without customization”. If this policy is enabled, only the “Use virtual machine image without customization” is allowed . During policy assignment, lab administrators can choose the following effects.

Effect	Behavior
Audit	Labs will show on the compliance dashboard as non-compliant when a template virtual machine is used for a lab.
Deny	Lab creation to fail if “create a template virtual machine” option is used for a lab.

Lab Services require non-admin user for labs

This policy is used to enforce using non-admin accounts while creating a lab. When using a lab plan-base lab, you can choose to add a non-admin account to the VM image. This new feature allows you to keep separate credentials for VM admin and non-admin users. For more information to create a lab with a non-admin user, see Tutorial: Create and publish a lab, which shows how to give a student non-administrator account rather than default administrator account on the “Virtual machine credentials” page of the new lab wizard.
During the policy assignment the lab administrator can choose the following effects.

Effect	Behavior
Audit	Labs show on the compliance dashboard as non-compliant when non-admin accounts is not used while creating the lab.
Deny	Lab creation will fail if “Give lab users a non-admin account on their virtual machines” is not checked while creating a lab.

Lab Services should restrict allowed virtual machine SKU sizes

This policy is used to enforce which SKUs are allowed to be used while creating the lab. For example, a lab administrator might want to prevent educators from creating labs with GPU SKUs since they are not needed for any classes being taught. This policy would allow lab administrators to enforce which SKUs are allowed to be used while creating the lab. During the policy assignment the Lab Administrator can choose the following effects.

Effect	Behavior
Audit	Labs shows on the compliance dashboard as non-compliant when a non-allowed SKU is used while creating the lab.
Deny	Lab creation will fail if SKU chosen while creating a lab is not allowed as per the policy assignment.

In tomorrow’s blogpost we’ll see how to use the “Lab Services should restrict allowed virtual machine SKU sizes” azure policy.

Thanks,

Lab Services Team

References:

Moving from Lab account to Lab plan

RogerBestMSFT — Thu, 20 Jun 2024 22:30:35 GMT

This guide explains how to move from lab accounts to the August update lab plan. We’ll identify which version of the service is being used, discuss some of the differences, and move a lab account to a lab plan.

How can you identify if you are using the newest version?

The easiest way to identify if you are using the latest version is to look in the Azure portal. Labs are visible as resources if you are using lab plans.

How much of a change are lab plan-based labs for educators and students?

While there are a lot of improvements, almost all these changes are not visible to the educator or student. The two version of lab services can live side by side; the educators will see both types of labs in the Labs.Azure.com portal. The students will see all their VMs in the same view, regardless of whether the lab is associated with a lab plan or lab account.

Can I move all my existing resources to the newer version?

Behind the scenes there are custom roles, which we’ll discuss later in the document.

The team worked hard to keep a consistent user experience for educators and students. There are significant updates to the service itself. You can learn more about these distinctions in the Azure Lab Services documentation.

Transition from lab accounts to lab plans

Let’s walk through the recommended next steps for moving from an existing lab account to a lab plan.

Review existing lab account

In your existing lab account, some of the key items to identify are:

Is it peered with a network?
1. The network information is in the Lab account – Lab Settings. This feature will need to be set up during lab plan creation.
What regions are the labs in? or should be?
1. Lab plans allow more specific control of regions, but the specific regions need to be set in the lab plan. While lab accounts don’t have specific Azure regions and there isn’t a direct correlation between the two.
Is there an Azure Compute Gallery (Shared Image gallery)?
1. Multiple lab accounts and lab plans can be connected to a gallery and use the same images simultaneously. The gallery will need to be connected to the lab plan, so labs can use the existing images. Don't forget to enable the images for the new lab plan!
Are custom roles being used?
1. With the addition of more specialized built-in roles, these may not be needed. More information on the new roles is available in the Administrator guide - Azure Lab Services | Microsoft Docs,
How many VMs and what size are you using in the labs under the specific lab account?
Are or would you want labs to be integrated with Teams or Canvas LMS?

Review Resource Group

This is a noticeable change between lab accounts and lab plans. The resource group is more significant when creating labs. It identifies which lab plans are available as a template. In action, the lab creator will select the resource group name in the Labs.Azure.com portal, then when creating a lab select the lab plan in that resource group to be the template.

Start creating a lab plan

The easiest way to is to start creating a new lab plan in the resource group from above.

The first items are the name and the region when creating a lab plan. Lab accounts and lab plans are different types of Azure resources so you can use the same name on the lab plan as your existing lab account name. There is a Naming section in the Administrators guide, if you have questions.

The region you select is the default region that labs can be created in, you can add additional regions after creation.

Advanced networking

If your existing lab account isn’t peered to an Azure Virtual Network skip to the next section. The networking information can be found under Lab Settings – Networking.

In the case where your existing lab account has been peered to a virtual network, lab plans use a different and more flexible connection commonly called “vnet injection”. Both a lab account and lab plan can be connected to the same virtual network as they use different connection types and IP ranges. In the case of a simple licensing server with a virtual network peered to an existing lab account, you can follow these steps to connect to a lab plan.

Create a new subnet for the lab plan.
Delegate the subnet to Microsoft labs.
Add a network security group to allow RDP and SSH access.
Connect virtual network and subnet to Lab Plan.

Depending on the configuration of the virtual network this may be more complex and require adjusting the virtual network. There are specific documents on how to use advanced networking.

Complete creation and request quota

At this point you can finish the lab plan creation; additional changes will need to be made once the lab plan has finished creating.

Lab plans use a new capacity management system, so once the lab plan is created. As the initial number of cores in a lab plan is limited, you should request a limit increase to match what you are using with the current labs in the lab account you are moving. Existing cores in the lab account will NOT be available in the lab plan. The limit increase will need to know which region for the additional cores (see below).

Enable regions

Enabling multiple regions is not required, if you don’t need or want multiple regions continue to the next section. Lab accounts used "geolocations", but Lab plan use Azure Regions.

If you need labs in different regions, you will need to explicitly enable those regions. This can be changed in the Lab Plan – Settings – Enabled Regions. Having multiple regions is not a requirement, you can request cores in a single region and have all the labs in that region. With lab accounts you would select “generalized” regions and the service would select Azure regions depending on need and availability. There isn’t a direct correlation between lab account regions and lab plan regions.

Attach existing Azure Compute Gallery

If the existing lab account does not have an Azure Compute gallery, continue to the next section.

The existing Azure Compute gallery (formerly Shared Image Gallery) can be attached to both a lab account and a lab plan simultaneously. This is in the Lab Plan – Azure Compute Gallery – Attach existing gallery. The images created using labs in the lab account can be used to create labs with a lab plan. There reverse is not true, Labs under a Lab Account cannot use the Lab Plan created mages as Lab Plan based labs support Generation 2 vms.

Images created using Lab Account based labs CAN be used in Lab Plan based labs.
Images created using Lab Plan based labs CANNOT be used in Lab Account based labs.

Roles

If the subscription, resource group, or lab account only has built-in roles add the appropriate roles to the same resource.

If there are custom roles created for the lab account, you will need to review them and determine if one of the new built-in roles can be used instead. If the built-in roles don’t meet your needs, existing roles can be updated to add Microsoft.LabServices/labplans and Microsoft.LabServices/labs actions. If you are unsure of which actions, it is recommended to clone a Lab Services role and adjusting as necessary.

Teams or Canvas integration

If the labs under the lab account were integrated with Teams, labs using a lab plan have the same capabilities.
With the August update labs can be integrated with Canvas LMS systems. If you want this capability, then the lab plan will need to be linked to Canvas.

With that the new lab plan will have the same functionality as the lab account and new labs can be created using it.

Additional information

If there is any supporting code for managing or updating lab accounts, the code will need to be changed to support lab plans and the new model. For more details on the specific languages. Below are links to the different models and code.

There is a Lab Services repository with additional samples on managing lab plan-based version of labs.

Update to Azure Lab Services

planetmaher — Thu, 20 Jun 2024 22:20:02 GMT

The product team has been busy working on fundamental improvements for the service to boost performance, reliability, and scalability. It has been a multi-quarter effort, and we’re excited to announce all the great changes now available! The latest update is a generally available which is intended for running production labs with real students\classes and is backed by the service SLA. We have a bunch of exciting new features, so let’s walk through all the goodness one by one.

Lab plans replace lab accounts. The lab account concept is being replaced with a new concept called a lab plan. Although similar in functionality, there are some fundamental differences between the two concepts. The lab plan serves as a collection of settings that apply to the labs created from it. Also, labs are now an Azure resource and a sibling resource to lab plans.

Canvas Integration. Now, instructors don’t have to leave Canvas to create their labs. Students can connect to a virtual machine from inside their course.

Per customer assigned capacity. No more sharing capacity with others. If your organization has requested more quota, Azure Lab Services will save it just for you.

Advanced networking. Virtual network peering is replaced by virtual network injection. In your own subscription, create a virtual network in the same region as the lab plan and delegate a subnet to Azure Lab Services. Lab plans with advanced networking (i.e., vnet injection) will cause labs to create VMs attached to your virtual network. Checkout our tutorial at Tutorial: Set up lab to lab communication with advanced networking.

Improved auto-shutdown. Auto-shutdown settings are now available for all operating systems!

More built-in roles. Previously, there was only the Lab Creator built-in role. We’ve added a few more roles including Lab Operator and Lab Assistant. Lab operators can manage existing labs, but not create new ones. Lab assistants can only help students by starting, stopping, or redeploying virtual machines. Lab assistants can't adjust quota or set schedules.

Improved cost tracking in Azure Cost Management. Lab virtual machines are now the cost unit tracked in Azure Cost Management. Tags for lab plan ID and lab name are automatically added to each cost entry. If you want to track the cost of a single lab, group the lab VM cost entries together by the lab name tag. Custom tags on labs will also propagate to Azure Cost Management entries to allow further cost analysis.

Updates to lab owner experience. Now you can choose to skip the template creation process when creating a new lab if you already have an image ready to use. We’ve also added the ability to add a non-admin user to lab VMs.

Updates to student experience. Students can now redeploy their VM without losing data. We also updated the registration experience for some scenarios. A lab VM is assigned to students automatically if the lab is set up to use Azure AD group sync, Teams, or Canvas.

SDKs. The Azure Lab Services PowerShell is now be integrated with the Az PowerShell module. Also, check out the .NET SDK and Python SDKs.

Give it a try!

In this release, there are a few known issues:

When using virtual network injection, use caution in making changes to the virtual network and subnet. Changes may cause the lab VMs to stop working. For example, deleting your virtual network will cause all the lab VMs to stop working. We plan to improve this experience in the future, but for now make sure to delete labs before deleting networks.
Moving lab plan and lab resources from one Azure region to another isn't supported.
Azure Compute resource provider must be registered before Azure Lab Services can create and attach an Azure Compute Gallery resource.

We hope you enjoy all the new features! Look for more in-depth blog posts coming soon. For now, check out our updated documentation at https://docs.microsoft.com/azure/lab-services. If you are interested in working with the Azure Lab Services Customer Success team to provide feedback, please fill out our engagement form.

Thanks,

Azure Lab Services Team

What's new in the Azure Lab Services

lucabol — Thu, 20 Jun 2024 22:53:00 GMT

This is a presentation highlighting the new features introduced in the latest preview for Azure Lab Services.

Azure Lab Services Tutorial Video

lucabol — Thu, 20 Jun 2024 22:54:22 GMT

This is a complete tutorial about Azure Lab Services' features. It walks through the steps of setting up a Lab Account, creating a Lab, and accessing it as a student. It includes the latest features available when using lab plans.

How to use Cost Management + Billing to help track Azure Lab Services costs.

RogerBestMSFT — Wed, 01 Jun 2022 17:33:40 GMT

Cost management is one of the top concerns with education, especially with cloud resources. No one wants to be surprised by a large bill at the end of the class session. There are two key methods to getting a better handle on costs. The first method is budgeting, which includes being able to set a target for the maximum cost of a lab, department, or school. Part of the budget is to have alerts that warn the consumer before there is a problem. The second area is analysis, once the lab has costs allocated to it the consumer will be able to review the costs to verify that the usage was appropriate and plan for the next classes budget.

With the release of the Azure Lab Services April 2022 Update (preview), there are several additions that, used in conjunction with Azure Cost Management + Billing, can help you have better view of costs. We’ll look at the analysis first to see the different options that are available to create a budget on. For this example, I’ll analyze the costs for a single lab then add a budget with alerts.

Analyzing costs

To analyze cost, first open the Azure portal and select the “Cost Management + Billing” and go into “Cost Management” and then “Cost Analysis”

In this view you can see the overall costs, the forecasted cost, a budget, and the budget overage. For more details you can check the Cost Management + Billing documentation. For now, we will look at the ways to change the views for the AccumulatedCosts. The first change is the date range, by default the view is set to the current month. But classes and the corresponding labs can be weeks or months long and have start/stop dates that aren’t at the beginning or end of the month. We want to make sure we are seeing all the costs in that timeframe. So, the view can be changed using the “Custom Date Range” to include the entire time the class is running.

Cost for multiple labs (by lab plan)

Now for this example we’ve set up the Azure lab services where each division or group has their own lab plan and every lab is used by a class in that group. We’ll use the new tags to filter down the costs to what we want to see. To do this select the “+filter” pill and select the “Tag” option. A “pill” is the elongated oval shaped button, like a pill, at the upper section of the view. This will add another pill to select the tag name which is “ms-labplanid” for the lab plan. The last pill is the lab plan id value, the id is fairly long and can be truncated in the pulldown. If you hover over a specific option a flyout will show the entire resource id. Once you check the plan id(s) you want, the chart will change to show you all the cost for every lab in the lab plan. This view of the costs can be saved to review at a later date without rebuilding the filter.

Cost per lab

Now that’s nice but let’s dig a little deeper to see the details for a specific lab. We’ll do the same action of adding another tag filter, but this tag name is “ms-labname” and the value is the lab name you want the costs for. Select the filter pill, select “tag”, select “ms-labname”, then choose the lab name you want. The visualization changes to show the costs for just that lab.

Cost for vms

Now the last automatic tag only pertains to labs that have a template vm. This will allow you to filter to only show the cost of the student vms, not the template vm. Following the same pattern with the filter to choose the “Tag”, then the “ms-istemplate” name and select value to be false. Selecting true would only show the template vm cost.

Given the spike of student vm usage you could infer that this was the first day of the class. There is more detailed documentation for common cost analysis uses.

Custom Tags

If you want something with more details than the automatic tags, you can define your own custom tags at either the resource group, the lab plan or the lab level. Any tags on the lab plan will be included in any labs created with it. Custom tags can be added to the specific labs from the Azure Portal or programmatically. The same filtering steps that we did with the automatic tags can be done using the custom tags. There are some constraints on custom tags, like tags aren’t applied to historical data, which are documented in the “Understanding Cost Management Data”.

While the “AccumulatedCosts” view is really good for seeing cost growth and forecasting, the “CostByResource” view gives you a view into the costs per vm. To get there in the view section change “AccumulatedCosts” to “CostByResource”, this will reset the date range and remove all the filters. Change the date range back to the same dates as the class/lab to get all the data. You can either add a filter using the tags for the lab name or enter the lab name in the quick filter at the top of the resource list.

Cost by vm

In the view above there are costs for two vms within the lab that we are analyzing. From the tags vm 0 is the template vm for the lab, the second is a student vm (1). So now to find the student that is burning up money!

The actual vm name isn’t displayed in either the Azure portal (portal.azure.com) or the Labs portal (labs.azure.com), so we’ll have to use to get the detailed vm information. To get this setup you’ll need to:

Open PowerShell (I recommend using PowerShell 7)

Once PowerShell is open here are the commands to install the Az modules and get the lab vms.

Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force Install-Module Az.LabServices Connect-AzAccount -Subscription <your subscription id> $vm = Get-AzLabServicesVm -LabName <labName> -ResourceGroupName <groupName> -Name <name ie 1> Get-AzLabServicesUser -ResourceId $vm.ClaimedByUserId | Format-List -Property Email

This will give you the email address of the student that is using the vm named 1 in this example. At this point you have detailed information on what the cost is for a specific vm, and the student that the vm is assigned to. Now that we have lab costs down to the individual vm, let’s take a look at budgeting.

Lab Budgeting

So, let’s set up a budget for a lab using the same tags that will send an email alert when costs reach 50%, 75%, and 90% of the budget and when the cost exceeds the budget.

The first item is to create a budget so in the Azure Portal open the “Cost Management + Billing” and go into “Cost Management” and then “Budget”.

We’ll select “ + Add” to create a new budget. In the “Create budget” screen we’ll use the filters to select the lab specific tag. So, select the “Add filter” pill, select “Tag”, then “ms-labname”, and for the value the lab name. Set the name to identify the budget and set the “Reset Period” to monthly. The Creation Date and Expiration date should be the same as the lab. Then set the overall lab budget.

Calculating Budget amount

Budgets are reset on Monthly, Quarterly, or Annually basis. The issue is that the lab costs that are displayed in the lab website (https://labs.azure.com) are for the entire time of the class, which could be for multiple months. The simple solution is to set the budget to be the displayed lab cost divided by the number of months.

Set Alerts

Select “Next” to move to the “Set alerts” page where you can set conditions to send out emails when lab costs reach key percentages. I would recommend that you set up a few alerts to give you early warnings. Below I’ve set up alerts at 50%, 75%, and 90% based on actual usage. Then add in the emails to the appropriate people.

When the lab costs reach the specific percentage of actual cost you’ll receive an email from “azure-noreply@microsoft.com” that will list out the details of the budget, the alert, the cost, and other details.

Now you have a budget specific to a lab that will alert people when costs reach specific cost levels. This is a sample to get you up and running with cost management focused on Azure Lab Services. For more information go to the Cost Management + Billing documentation, there they have tutorials, concept information, How-to guides, references, and samples.

Thanks

Roger