Merge pull request #231510 from ntrogh/als-attach-gallery

[Azure Lab Services] Attach compute gallery: include guest user prereqs

Author: ttorble

articles/lab-services/how-to-attach-detach-shared-image-gallery.md

@@ -19,7 +19,7 @@ This article shows how to attach or detach an Azure compute gallery to a lab pla
 > [!IMPORTANT]
 > To show a virtual machine image in the list of images during lab creation, you need to replicate the compute gallery image to the same region as the lab plan. You need to manually [replicate images](../virtual-machines/shared-image-galleries.md) to other regions in the compute gallery.
 
-Saving images to a compute gallery and replicating those images incurs additional cost. This cost is separate from the Azure Lab Services usage cost. Learn more about [Azure Compute Gallery pricing](../virtual-machines/azure-compute-gallery.md#billing).
+Saving images to a compute gallery and replicating those images incurs extra cost. This cost is separate from the Azure Lab Services usage cost. Learn more about [Azure Compute Gallery pricing](../virtual-machines/azure-compute-gallery.md#billing).
 
 ## Prerequisites
 
@@ -32,7 +32,9 @@ Saving images to a compute gallery and replicating those images incurs additiona
     | [Owner](/azure/role-based-access-control/built-in-roles#owner) | Azure compute gallery | If you attach an existing compute gallery. |
     | [Owner](/azure/role-based-access-control/built-in-roles#owner) | Resource group | If you create a new compute gallery. |
 
-    Learn how to [assign an Azure role in Azure role-based access control (Azure RBAC)](/azure/role-based-access-control/role-assignments-steps#step-5-assign-role).
+- If your Azure account is a guest user in Azure Active Directory, your Azure account needs to have the [Directory Readers](/azure/active-directory/roles/permissions-reference#directory-readers) role to attach an existing compute gallery.
+
+Learn how to [assign an Azure role in Azure role-based access control (Azure RBAC)](/azure/role-based-access-control/role-assignments-steps#step-5-assign-role).
 
 ## Scenarios
 
@@ -74,19 +76,20 @@ If you already have an Azure compute gallery, you can also attach it to your lab
 
 ### Configure compute gallery permissions
 
-The Azure Lab Services service principal needs to have the Owner Azure RBAC role on the Azure compute gallery. There are two Azure Lab Services service principals:
+The Azure Lab Services service principal needs to have the [Owner](/azure/role-based-access-control/built-in-roles#owner) Azure RBAC role on the Azure compute gallery. There are two Azure Lab Services service principals:
 
 | Name | Application ID | Description |
 | ---- | ----- | ---- |
 | Azure Lab Services | c7bb12bf-0b39-4f7f-9171-f418ff39b76a | Service principal for Azure Lab Services lab plans (V2). |
 | Azure Lab Services | 1a14be2a-e903-4cec-99cf-b2e209259a0f | Service principal for Azure Lab Services lab accounts (V1). |
 
-To attach a compute gallery to a lab plan, assign the Owner role to the service principal with application ID `c7bb12bf-0b39-4f7f-9171-f418ff39b76a`.
+To attach a compute gallery to a lab plan, assign the [Owner](/azure/role-based-access-control/built-in-roles#owner) role to the service principal with application ID `c7bb12bf-0b39-4f7f-9171-f418ff39b76a`.
+
+If your Azure account is a guest user, your Azure account needs to have the [Directory Readers](/azure/active-directory/roles/permissions-reference#directory-readers) role to perform the role assignment. Learn about [role assignments for guest users](/azure/role-based-access-control/role-assignments-external-users#guest-user-cannot-browse-users-groups-or-service-principals-to-assign-roles).
 
-> [!NOTE]
-> When you add a role assignment in the Azure portal, the user interface shows the *object ID* of the service principal, which is different from the *application ID*. The object ID for a service principal can be different in each Azure subscription. You can find the service principal object ID in Azure Active Directory, based on its application ID. Learn more about [Service principal objects](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object).
+# [Azure CLI](#tab/azure-cli)
 
-Follow these steps to grant permissions to the Azure Lab Service service principal by using the Azure CLI:
+Follow these steps to grant permissions to the Azure Lab Services service principal by using the Azure CLI:
 
 1. Open [Azure Cloud Shell](https://shell.azure.com). Alternately, select the **Cloud Shell** button on the menu bar at the upper right in the [Azure portal](https://portal.azure.com).
 
@@ -116,6 +119,32 @@ Follow these steps to grant permissions to the Azure Lab Service service princip
 
         Replace the text placeholders *`<service-principal-object-id>`* and *`<gallery-id>`* with the outcomes of the previous commands.
 
+# [Azure portal](#tab/portal)
+
+When you add a role assignment in the Azure portal, the user interface shows the *object ID* of the service principal, which is different from the *application ID*. The object ID for a service principal is different in each Azure subscription. Learn more about [Service principal objects](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object).
+
+Follow these steps to grant permissions to the Azure Lab Services service principal by using the Azure portal:
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. In the search box at the top, enter *Enterprise applications*, and select **Enterprise applications** from the services list.
+1. On the **All applications** page, remove the **Application type** filter, and enter *c7bb12bf-0b39-4f7f-9171-f418ff39b76a* in the **Application ID starts with** filter.
+
+    :::image type="content" source="./media/how-to-attach-detach-shared-image-gallery/lab-services-enterprise-applications.png" alt-text="Screenshot that shows the list of enterprise applications in the Azure portal, highlighting the application ID filter." lightbox="./media/how-to-attach-detach-shared-image-gallery/lab-services-enterprise-applications.png":::
+
+1. Note the **Object ID** value of the Azure Lab Services service principal.
+1. Go to your Azure compute gallery resource.
+1. Select **Access control (IAM)**, and then select **Add** > **Add role assignment**.
+1. On the **Role** page, select the **Owner** role from the list.
+1. On the **Members** page, select **Select members**.
+1. Enter *Azure Lab Services** in the search box, select both items, and then select **Select**.
+1. In the **Add role assignment** page, remove the item that doesn't match the object ID of the Azure Lab Services service principal.
+
+    :::image type="content" source="./media/how-to-attach-detach-shared-image-gallery/compute-gallery-add-role-assignment.png" alt-text="Screenshot that shows the add role assignment page for the compute gallery in the Azure portal." lightbox="./media/how-to-attach-detach-shared-image-gallery/compute-gallery-add-role-assignment.png":::
+
+1. On the **Review + Assign** page, select **Review + assign** to add the role assignment to the compute gallery.
+
+---
+
 Learn more about how to [assign an Azure role in Azure role-based access control (Azure RBAC)](/azure/role-based-access-control/role-assignments-steps#step-5-assign-role).
 
 ### Attach the compute gallery