description: This article describes how to use Azure DevTest Labs for creating labs on Azure for training scenarios.
5
5
services: lab-services
6
6
ms.service: lab-services
7
-
author: ntrogh
8
-
ms.author: nicktrog
9
-
ms.topic: conceptual
10
-
ms.date: 04/04/2023
7
+
author: RoseHJM
8
+
ms.author: rosemalcolm
9
+
ms.topic: concept-article
10
+
ms.date: 03/07/2024
11
+
#customer intent: As a training specialist, I want to learn how organizational roles map to permissions, so that I can determine the roles and responsibilities for setting up a training environment for my enterprise.
11
12
---
12
13
13
-
# Use labs for trainings
14
+
# Organizational role concepts for trainings in Azure Lab Services
14
15
15
-
In this article, you learn about the different features and steps for using Azure Lab Services for conducting classes. Azure Lab Services allows educators (teachers, professors, trainers, or teaching assistants, etc.) to quickly and easily create an online lab to provision preconfigured learning environments for the trainees. Each trainee can use identical and isolated environments for the training. Apply policies to ensure that the training environments are available to each trainee only when they need them, and contain enough resources - such as virtual machines - required for the training.
16
+
In this article, you learn about the different features and steps for using Azure Lab Services for conducting classes. Azure Lab Services supports educators, such as teachers, professors, training specialists, trainers, and teaching assistants. An educator can quickly and easily create an online lab to provision preconfigured learning environments for the trainees.
16
17
17
-
:::image type="content" source="./media/classroom-labs-scenarios/classroom.png" alt-text="Conceptual artwork that shows a teacher and students in a classroom, using Azure Lab Services.":::
18
+
:::image type="content" source="./media/classroom-labs-scenarios/classroom.png" alt-text="Conceptual artwork that shows a teacher and students in a classroom, using Azure Lab Services." lightbox="./media/classroom-labs-scenarios/classroom.png":::
19
+
20
+
Each trainee can use identical and isolated environments for the training. Educators can apply policies to ensure that the training environments are available to each trainee only when they need them. The environments contain enough resources, such as virtual machines, required for the training.
21
+
22
+
## Mapping organizational roles to permissions
18
23
19
24
Labs meet the following requirements for conducting training in any virtual environment:
20
25
21
26
- Trainees can quickly provision their training environments
22
-
- Every training machine should be identical
27
+
- Every training machine is identical
23
28
- Trainees can't see VMs created by other trainees
24
-
- Control cost by ensuring that trainees can't get more VMs than they need for the training and also shutdown VMs when they aren't using them
25
-
- Easily share the training lab with each trainee
26
-
- Reuse the training lab again and again
27
-
28
-
## Mapping organizational roles to permissions
29
+
- You can control cost by ensuring that trainees can't get more VMs than they need for the training and also shutdown VMs when they aren't in use
30
+
- You can easily share the training lab with each trainee
31
+
- You can reuse the training lab again and again
29
32
30
-
Azure Lab Services uses Azure Role-Based Access (Azure RBAC) to manage access to Azure Lab Services. For more information, see the [Azure Lab Services built-in roles](./administrator-guide.md#rbac-roles). Using Azure RBAC lets you clearly separate roles and responsibilities for creating and managing labs across different teams and people in your organization.
33
+
Azure Lab Services uses Azure Role-Based Access (Azure RBAC) to manage access to Azure Lab Services. For more information, see the [Azure Lab Services built-in roles](./administrator-guide.md#rbac-roles). Azure RBAC lets you clearly separate roles and responsibilities for creating and managing labs across different teams and people in your organization.
31
34
32
-
Depending on your organizational structure, responsibilities, and skill level, there might be different options to map these permissions to your organizational roles or personas, such as administrators, or educators. The scenarios and diagrams also include students to show where they fit in the process, although they don't require Microsoft Entra permissions.
35
+
Depending on your organizational structure, responsibilities, and skill level, there might be different options to map these permissions to your roles or personas, such as administrators or educators. These scenarios and diagrams also include students to show where they fit in the process, although they don't require Microsoft Entra permissions.
33
36
34
37
The following sections give different examples of assigning permissions across an organization. Azure Lab Services enables you to flexibly assign permissions beyond these typical scenarios to match your organizational setup.
35
38
36
39
### Scenario 1: Splitting responsibilities between IT department and educators
37
40
38
-
In this scenario, the IT department, service providers, or administrators manage the Azure subscription(s). They're responsible for creating the Azure Lab Services lab plan and then grant the educators permission to create labs in the lab plan. The educator invites students to register for and connect to a lab VM.
41
+
In this scenario, the IT department, service providers, or administrators manage the Azure subscriptions. They're responsible for creating the Azure Lab Services lab plan. Then, they grant the permission to create labs in the lab plan. The educator invites students to register and connect to a lab VM.
39
42
40
-
In your organization structure, the administrator activities might be further split across subteams. For example, one team might be responsible for the configuration of virtual networks for advanced networking (central IT). And the creation of the lab plan and other Azure resources might be the responsibility of another team (department IT).
43
+
In your organization, you might further split the administrator activities across teams. For example, one team might be responsible for the configuration of virtual networks for advanced networking (central IT). The creation of the lab plan and other Azure resources might be the responsibility of another team (department IT).
41
44
42
45
Get started as an administrator with the [Quickstart: set up the resources for creating labs](./quick-create-resources.md).
43
46
44
47
Get started as an educator with the [Tutorial: set up a lab for classroom training](./tutorial-setup-lab.md).
45
48
46
-
:::image type="content" source="./media/classroom-labs-scenarios/lab-services-process-education-roles-scenario1.png" alt-text="Diagram that shows lab creation steps where admins create the lab plan and educators create the lab.":::
49
+
:::image type="content" source="./media/classroom-labs-scenarios/lab-services-process-education-roles-scenario1.png" alt-text="Diagram that shows lab creation steps where admins create the lab plan and educators create the lab." lightbox="./media/classroom-labs-scenarios/lab-services-process-education-roles-scenario1.png":::
47
50
48
51
The following table shows the corresponding mapping of organization roles to Microsoft Entra roles:
49
52
50
53
| Org. role | Microsoft Entra role | Description |
51
54
| --- | --- | --- |
52
-
| Administrator | - Subscription Owner<br/>- Subscription Contributor | Create lab plan in Azure portal. |
55
+
| Administrator | - Subscription Owner<br/>- Subscription Contributor | Create lab plan in the Azure portal. |
53
56
| Educator | Lab Creator | Create and manage the labs they created. |
54
-
|| Lab Contributor | Optionally, assign to an educator to create and manage all labs (when assigned at the resource group level). |
55
-
|| Lab Assistant | Optionally, assign to other educators to help support lab students by allowing reimage/start/stop/connect lab VMs. |
56
-
| Student || Students don't need a Microsoft Entra role. Educators [grant students access](./how-to-manage-lab-users.md) in the lab configuration or students are automatically granted access, for example when using[Teams](./how-to-manage-labs-within-teams.md#manage-lab-user-lists-in-teams) or [Canvas](./how-to-manage-labs-within-canvas.md#manage-lab-user-lists-in-canvas). |
57
+
|| Lab Contributor | Optionally, assign to an educator to create and manage all labs, when assigned at the resource group level. |
58
+
|| Lab Assistant | Optionally, assign to other educators to help support lab students. They might reimage, start, stop, and connect lab VMs. |
59
+
| Student || Students don't need a Microsoft Entra role. Educators [grant students access](./how-to-manage-lab-users.md) in the lab configuration. Students are automatically granted accesswhen they use[Teams](./how-to-manage-labs-within-teams.md#manage-lab-user-lists-in-teams) or [Canvas](./how-to-manage-labs-within-canvas.md#manage-lab-user-lists-in-canvas). |
57
60
| Others | Lab Services Reader | Optionally, provide access to see all lab plans and labs without permission to modify. |
58
61
59
62
### Scenario 2: The IT department owns the entire lab creation process
60
63
61
64
In this scenario, the IT department (administrators) creates both the Azure Lab Services lab plan and lab. Optionally, the administrator grants educators permissions to manage lab users and configure lab settings, such as quotas and schedules. This scenario might be useful in cases where educators can't or don't want to set up and customize the lab.
62
65
63
-
As mentioned in [scenario 1](#scenario-1-splitting-responsibilities-between-it-department-and-educators), the administrator tasks for creating the lab plan might also be split across multiple subteams.
66
+
As mentioned in [scenario 1](#scenario-1-splitting-responsibilities-between-it-department-and-educators), the administrator tasks for creating the lab plan might also be split across administrator teams.
64
67
65
68
Get started as an administrator with the [Quickstart: create and connect to a lab](./quick-create-connect-lab.md).
66
69
67
70
Get started as an educator and [add students to a lab](./how-to-manage-lab-users.md), or [create a lab schedule](./how-to-create-schedules.md).
68
71
69
-
:::image type="content" source="./media/classroom-labs-scenarios/lab-services-process-education-roles-scenario2.png" alt-text="Diagram that shows lab creation steps where admins own the entire process.":::
72
+
:::image type="content" source="./media/classroom-labs-scenarios/lab-services-process-education-roles-scenario2.png" alt-text="Diagram that shows lab creation steps where admins own the entire process." lightbox="./media/classroom-labs-scenarios/lab-services-process-education-roles-scenario2.png":::
70
73
71
74
The following table shows the corresponding mapping of organization roles to Microsoft Entra roles:
72
75
73
76
| Org. role | Microsoft Entra role | Description |
74
77
| --- | --- | --- |
75
-
| Administrator | - Subscription Owner<br/>- Subscription Contributor | Create lab plan in Azure portal. |
76
-
| Educator | - Lab Assistant | Optionally, assign to other educators to help support lab students by allowing reimage/start/stop/connect lab VMs. |
77
-
| Student || Students don't need a Microsoft Entra role. Educators [grant students access](./how-to-manage-lab-users.md) in the lab configuration or students are automatically granted access, for example when using[Teams](./how-to-manage-labs-within-teams.md#manage-lab-user-lists-in-teams) or [Canvas](./how-to-manage-labs-within-canvas.md#manage-lab-user-lists-in-canvas). |
78
+
| Administrator | - Subscription Owner<br/>- Subscription Contributor | Create lab plan in the Azure portal. |
79
+
| Educator | - Lab Assistant | Optionally, assign to other educators to help support lab students. They might reimage, start, stop, and connect lab VMs. |
80
+
| Student || Students don't need a Microsoft Entra role. Educators [grant students access](./how-to-manage-lab-users.md) in the lab configuration. Students are automatically granted accesswhen they use[Teams](./how-to-manage-labs-within-teams.md#manage-lab-user-lists-in-teams) or [Canvas](./how-to-manage-labs-within-canvas.md#manage-lab-user-lists-in-canvas). |
78
81
| Others | Lab Services Reader | Optionally, provide access to see all lab plans and labs without permission to modify. |
79
82
80
83
### Scenario 3: The educator owns the entire lab creation process
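Review bot: In the Scenario 1 paragraph, the added sentence "Then, they grant the permission to create labs in the lab plan." no longer names who receives the permission, whereas the removed line said the administrators "grant the educators permission". Since this article is about mapping roles to permissions, restore the grantee, for example "Then, they grant educators permission to create labs in the lab plan." The rewritten Student rows in both tables also change meaning: the removed text offered automatic access as an alternative ("or students are automatically granted access, for example when using Teams or Canvas"), while the added sentence reads as a separate, unconditional statement, and as shown here it is missing spaces in "accesswhen" and "use[Teams]". Finally, the unchanged front-matter description still refers to Azure DevTest Labs and to "creating labs on Azure for training scenarios", which matches neither ms.service: lab-services nor the new title and customer intent, so it should be updated in the same change.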
@@ -83,18 +86,18 @@ In this scenario, the educator manages their Azure subscription and manages the
83
86
84
87
Get started as an administrator with the [Quickstart: create and connect to a lab](./quick-create-connect-lab.md) and then [add students to a lab](./how-to-manage-lab-users.md), and [create a lab schedule](./how-to-create-schedules.md).
85
88
86
-
:::image type="content" source="./media/classroom-labs-scenarios/lab-services-process-education-roles-scenario3.png" alt-text="Diagram that shows lab creation steps where educators own the entire process.":::
89
+
:::image type="content" source="./media/classroom-labs-scenarios/lab-services-process-education-roles-scenario3.png" alt-text="Diagram that shows lab creation steps where educators own the entire process." lightbox="./media/classroom-labs-scenarios/lab-services-process-education-roles-scenario3.png":::
87
90
88
91
The following table shows the corresponding mapping of organization roles to Microsoft Entra roles:
89
92
90
93
| Org. role | Microsoft Entra role | Description |
91
94
| --- | --- | --- |
92
-
| Educator | - Subscription Owner<br/>- Subscription Contributor | Create lab plan in Azure portal. As an Owner, you can also fully manage all labs. |
93
-
|| Lab Assistant | Optionally, assign to other educators to help support lab students by allowing reimage/start/stop/connect lab VMs. |
94
-
| Student || Students don't need a Microsoft Entra role. Educators [grant students access](./how-to-manage-lab-users.md) in the lab configuration or students are automatically granted access, for example when using[Teams](./how-to-manage-labs-within-teams.md#manage-lab-user-lists-in-teams) or [Canvas](./how-to-manage-labs-within-canvas.md#manage-lab-user-lists-in-canvas). |
95
+
| Educator | - Subscription Owner<br/>- Subscription Contributor | Create lab plan in the Azure portal. As an Owner, you can also fully manage all labs. |
96
+
|| Lab Assistant | Optionally, assign to other educators to help support lab students. They might reimage, start, stop, and connect lab VMs. |
97
+
| Student || Students don't need a Microsoft Entra role. Educators [grant students access](./how-to-manage-lab-users.md) in the lab configuration. Students are automatically granted accesswhen they use[Teams](./how-to-manage-labs-within-teams.md#manage-lab-user-lists-in-teams) or [Canvas](./how-to-manage-labs-within-canvas.md#manage-lab-user-lists-in-canvas). |
95
98
| Others | Lab Services Reader | Optionally, provide access to see all lab plans and labs without permission to modify. |
96
99
97
-
## Next steps
100
+
## Related content
98
101
99
102
- Learn more about [setting up example class types](./class-types.md).
100
103
- Get started by following the steps in the tutorial [Set up a lab for classroom training](./tutorial-setup-lab.md).
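Review bot: The context line "Get started as an administrator with the [Quickstart: create and connect to a lab]" sits under Scenario 3, where the educator owns the whole process and the table below it has no Administrator row, so this should read "as an educator" and is worth fixing while the section is being touched. The added Student row repeats the wording from the earlier tables, including the missing spaces in "accesswhen" and "use[Teams]" as shown here. The table header "Microsoft Entra role" is also at odds with the article's own statement that access is managed through Azure RBAC: Subscription Owner, Lab Assistant and Lab Services Reader are listed as the roles, so consider renaming the column (for example to "Azure RBAC role") in all three tables for consistency.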