Merge pull request #209008 from RoseHJM/azlab-azure-policies

New concept article and how to for Lab Services Azure policies

Author: v-regandowner

articles/lab-services/TOC.yml

@@ -60,6 +60,8 @@
     href: capacity-limits.md  
   - name: Cost management for labs
     href: cost-management-guide.md
+  - name: Azure Policies for Lab Services
+    href: azure-polices-for-lab-services.md
   - name: Reliability
     items:
     - name: Reliability in Azure Lab Services
@@ -163,6 +165,8 @@
       href: how-to-configure-firewall-settings.md
     - name: Configure regions for labs
       href: create-and-configure-labs-admin.md
+    - name: Restrict VM sizes allowed for labs
+      href: how-to-use-restrict-allowed-virtual-machine-sku-sizes-policy.md 
   - name: Create & configure labs (educator)
     items:        
     - name: Create and manage labs

articles/lab-services/azure-polices-for-lab-services.md

@@ -0,0 +1,68 @@
+---
+title: Azure Policies for Lab Services
+description: This article describes the policies available for Azure Lab Services. 
+ms.topic: conceptual
+ms.author: rosemalcolm
+author: RoseHJM
+ms.date: 08/15/2022
+---
+
+# What’s new with Azure Policy for Lab Services?
+
+Azure Policy helps you manage and prevent IT issues by applying policy definitions that enforce rules and effects for your resource. Azure Lab Services has added four built-in Azure policies. This article summarizes the new policies available in the August 2022 Update for Azure Lab Services. 
+
+1. Lab Services should enable all options for auto shutdown 
+1. Lab Services should not allow template virtual machines for labs 
+1. Lab Services should require non-admin user for labs 
+1. Lab Services should restrict allowed virtual machine SKU sizes 
+
+For a full list of built-in policies, including policies for Lab Services, see [Azure Policy built-in policy definitions](/azure/governance/policy/samples/built-in-policies#lab-services).
+
+
+
+[!INCLUDE [lab plans only note](./includes/lab-services-new-update-focused-article.md)]
+
+## Lab Services should enable all options for auto shutdown
+
+This policy enforces that all [shutdown options](how-to-configure-auto-shutdown-lab-plans.md) are enabled while creating the lab. During policy assignment, lab administrators can choose the following effects.  
+
+|**Effect**|**Behavior**|
+|-----|-----|
+|**Audit**|Labs will show on the [compliance dashboard](/azure/governance/policy/assign-policy-portal#identify-non-compliant-resources) as non-compliant when all shutdown options are not enabled for a lab.  |
+|**Deny**|Lab creation will fail if all shutdown options are not enabled. |
+
+## Lab Services should not allow template virtual machines for labs 
+
+This policy can be used to restrict [customization of lab templates](tutorial-setup-lab.md). When you create a new lab, you can select to *Create a template virtual machine* or *Use virtual machine image without customization*. If this policy is enabled, only *Use virtual machine image without customization* is allowed. During policy assignment, lab administrators can choose the following effects.  
+
+|**Effect**|**Behavior**|
+|-----|-----|
+|**Audit**|Labs will show on the [compliance dashboard](/azure/governance/policy/assign-policy-portal#identify-non-compliant-resources) as non-compliant when a template virtual machine is used for a lab.|
+|**Deny**|Lab creation to fail if “create a template virtual machine” option is used for a lab.|
+
+## Lab Services require non-admin user for labs 
+
+This policy is used to enforce using non-admin accounts while creating a lab. With the August 2022 Update, you can choose to add a non-admin account to the VM image.  This new feature allows you to keep separate credentials for VM admin and non-admin users. For more information to create a lab with a non-admin user, see [Tutorial: Create and publish a lab](tutorial-setup-lab.md#create-a-lab), which shows how to give a student non-administrator account rather than default administrator account on the “Virtual machine credentials” page of the new lab wizard.  
+
+During the policy assignment, the lab administrator can choose the following effects. 
+
+|**Effect**|**Behavior**|
+|-----|-----|
+|**Audit**|Labs show on the [compliance dashboard](/azure/governance/policy/assign-policy-portal#identify-non-compliant-resources) as non-compliant when non-admin accounts is not used while creating the lab.|
+|**Deny**|Lab creation will fail if “Give lab users a non-admin account on their virtual machines” is not checked while creating a lab.|
+
+## Lab Services should restrict allowed virtual machine SKU sizes
+This policy is used to enforce which SKUs can be used while creating the lab. For example, a lab administrator might want to prevent educators from creating labs with GPU SKUs since they are not needed for any classes being taught. This policy would allow lab administrators to enforce which SKUs can be used while creating the lab. 
+During the policy assignment, the Lab Administrator can choose the following effects.
+
+|**Effect**|**Behavior**|
+|-----|-----|
+|**Audit**|Labs show on the [compliance dashboard](/azure/governance/policy/assign-policy-portal#identify-non-compliant-resources) as non-compliant when a non-allowed SKU is used while creating the lab.|
+|**Deny**|Lab creation will fail if SKU chosen while creating a lab is not allowed as per the policy assignment.|
+
+## Next steps
+
+See the following articles:
+- [How to use the Lab Services should restrict allowed virtual machine SKU sizes Azure policy](how-to-use-restrict-allowed-virtual-machine-sku-sizes-policy.md)
+- [Built-in Policies](/azure/governance/policy/samples/built-in-policies#lab-services)
+- [What is Azure policy?](/azure/governance/policy/overview)

articles/lab-services/how-to-use-restrict-allowed-virtual-machine-sku-sizes-policy.md

@@ -0,0 +1,110 @@
+---
+title: How to restrict the virtual machine sizes allowed for labs
+description: Learn how to use the Lab Services should restrict allowed virtual machine SKU sizes Azure Policy to restrict educators to specified virtual machine sizes for their labs.  
+ms.topic: how-to
+ms.author: rosemalcolm
+author: RoseHJM
+ms.date: 08/23/2022
+---
+
+# How to restrict the virtual machine sizes allowed for labs
+
+In this how to, you'll learn how to use the *Lab Services should restrict allowed virtual machine SKU sizes* Azure policy to control the SKUs available to educators when they're creating labs.  In this example, you'll see how a lab administrator can allow only non-GPU SKUs, so educators can create only non-GPU SKU labs.
+
+[!INCLUDE [lab plans only note](./includes/lab-services-new-update-focused-article.md)]
+
+## Configure the policy
+
+1.	In the [Azure portal](https://portal.azure.com), go to your subscription.
+
+1.	From the left menu, under **Settings**, select **Policies**.
+
+1.	Under **Authoring**, select **Assignments**.
+
+1.	Select **Assign Policy**.
+    :::image type="content" source="./media/how-to-use-restrict-allowed-virtual-machine-sku-sizes-policy/assign-policy.png" alt-text="Screenshot showing the Policy Compliance dashboard with Assign policy highlighted."::: 
+
+1.	Select the **Scope** which you would like to assign the policy to, and then select **Select**. 
+    You can also select a resource group if you need the policy to apply more granularly.
+    :::image type="content" source="./media/how-to-use-restrict-allowed-virtual-machine-sku-sizes-policy/assign-policy-basics-scope.png" alt-text="Screenshot showing the Scope pane with subscription highlighted."::: 
+
+1.	Select Policy Definition. In Available definitions, search for *Lab Services*, select **Lab Services should restrict allowed virtual machine SKU sizes** and then select **Select**.
+    :::image type="content" source="./media/how-to-use-restrict-allowed-virtual-machine-sku-sizes-policy/assign-policy-basics-definitions.png" alt-text="Screenshot showing the Available definitions pane with Lab Services should restrict allowed virtual machine SKU sizes highlighted. "::: 
+
+1.	On the Basics tab, select **Next**.
+
+1.	On the Parameters tab, clear **Only show parameters that need input or review** to show all parameters.
+    :::image type="content" source="./media/how-to-use-restrict-allowed-virtual-machine-sku-sizes-policy/assign-policy-parameters.png" alt-text="Screenshot showing the Parameters tab with Only show parameters that need input or review highlighted. "::: 
+
+1.	The **Allowed SKU names** parameter shows the SKUs allowed when the policy is applied. By default all the available SKUs are allowed. You must clear the check boxes for any SKU that you don't wish to allow educators to use to create labs. In this example, only the following non-GPU SKUs are allowed:
+    - CLASSIC_FSV2_2_4GB_128_S_SSD 
+    - CLASSIC_FSV2_4_8GB_128_S_SSD 
+    - CLASSIC_FSV2_8_16GB_128_S_SSD 
+    - CLASSIC_DSV4_4_16GB_128_P_SSD 
+    - CLASSIC_DSV4_8_32GB_128_P_SSD 
+
+    :::image type="content" source="./media/how-to-use-restrict-allowed-virtual-machine-sku-sizes-policy/assign-policy-parameters-vms.png" alt-text="Screenshot showing the Allowed SKUs.":::
+
+    Use the table below to determine which SKU names to apply.
+
+    |SKU Name|VM Size|VM Size Details|
+    |-----|-----|-----|
+    |CLASSIC_FSV2_2_4GB_128_S_SSD|	Small 	|2vCPUs, 4 GB RAM, 128 GB, Standard SSD
+    |CLASSIC_FSV2_4_8GB_128_S_SSD|	Medium |4vCPUs, 8 GB RAM, 128 GB, Standard SSD
+    |CLASSIC_FSV2_8_16GB_128_S_SSD|	Large 	|8vCPUs, 16 GB RAM, 128 GB, Standard SSD
+    |CLASSIC_DSV4_4_16GB_128_P_SSD|	Medium (Nested virtualization)	|4 vCPUs, 16 GB RAM, 128 GB, Premium SSD
+    |CLASSIC_DSV4_8_32GB_128_P_SSD|	Large (Nested virtualization)	|8vCPUs, 32 GB RAM, 128 GB, Premium SSD
+    |CLASSIC_NCSV3_6_112GB_128_S_SSD|	Small GPU (Compute)	|6vCPUs, 112 GB RAM, 128 GB, Standard SSD
+    |CLASSIC_NVV4_8_28GB_128_S_SSD|	Small GPU (Visualization)	|8vCPUs, 28 GB RAM, 128 GB, Standard SSD
+    |CLASSIC_NVV3_12_112GB_128_S_SSD|	Medium GPU (Visualization)	|12vCPUs, 112 GB RAM, 128 GB, Standard SSD
+
+1.	In **Effect**, select **Deny**. Selecting deny will prevent a lab from being created if an educator tries to use a GPU SKU.
+    :::image type="content" source="./media/how-to-use-restrict-allowed-virtual-machine-sku-sizes-policy/assign-policy-parameters-effect.png" alt-text="Screenshot showing the effect list.":::
+
+1.	Select **Next**. 
+ 
+1.	On the Remediation tab, select **Next**.
+    :::image type="content" source="./media/how-to-use-restrict-allowed-virtual-machine-sku-sizes-policy/assign-policy-remediation.png" alt-text="Screenshot showing the Remediation tab with Next highlighted.":::
+ 
+1.	On the Non-compliance tab, in **Non-compliance messages**, enter a non-compliance message of your choice like “Selected SKU is not allowed”, and then select **Next**.
+    :::image type="content" source="./media/how-to-use-restrict-allowed-virtual-machine-sku-sizes-policy/assign-policy-message.png" alt-text="Screenshot showing the Non-compliance tab with an example non-compliance message.":::
+
+1.	On the Review + Create tab, select **Create** to create the policy assignment.
+    :::image type="content" source="./media/how-to-use-restrict-allowed-virtual-machine-sku-sizes-policy/assign-policy-review-create.png" alt-text="Screenshot showing the Review and Create tab.":::
+
+You've created a policy assignment for *Lab Services should restrict allowed virtual machine SKU sizes* and allowed only the use of non-GPU SKUs for labs. Attempting to create a lab with any other SKU will fail.
+
+> [!NOTE]
+> New policy assignments can take up to 30 minutes to take effect.
+
+## Exclude resources
+
+When applying a built-in policy, you can choose to exclude certain resources, with the exception of lab plans.  For example, if the scope of your policy assignment is a subscription, you can exclude resources in a specified resource group.  Exclusions are configured using the Exclusions property on the Basics tab when creating a policy definition.
+
+:::image type="content" source="./media/how-to-use-restrict-allowed-virtual-machine-sku-sizes-policy/assign-policy-basics-exclusions.png" alt-text="Screenshot showing the Basics tab with Exclusions highlighted.":::
+
+
+## Exclude a lab plan
+
+Lab plans cannot be excluded using the Exclusions property on the Basics tab. To exclude a lab plan from a policy assignment, you first need to get the lab plan resource ID, and then use it to specify the lab pan you want to exclude on the Parameters tab.
+
+### Locate and copy lab plan resource ID
+Use the following steps to locate and copy the resource ID so that you can paste it into the exclusion configuration.   
+1.	In the [Azure portal](https://portal.azure.com), go to the lab plan you want to exclude. 
+
+1.	Under Settings, select Properties, and then copy the **Resource ID**.
+    :::image type="content" source="./media/how-to-use-restrict-allowed-virtual-machine-sku-sizes-policy/resource-id.png" alt-text="Screenshot showing the lab plan properties with resource ID highlighted.":::
+
+### Enter the lab plan to exclude in the policy
+Now you have a lab plan resource ID, you can use it to exclude the lab plan as you assign the policy.
+1.	On the Parameters tab, clear **Only show parameters that need input or review**.
+1.	For **Lab Plan ID to exclude**, enter the lab plan resource ID you copied earlier. 
+    :::image type="content" source="./media/how-to-use-restrict-allowed-virtual-machine-sku-sizes-policy/assign-policy-exclude-lab-plan-id.png" alt-text="Screenshot showing the Parameter tab with Lab Plan ID to exclude highlighted.":::
+
+
+## Next steps
+See the following articles:
+- [What’s new with Azure Policy for Lab Services?](azure-polices-for-lab-services.md)
+- [Built-in Policies](/azure/governance/policy/samples/built-in-policies#lab-services)
+- [What is Azure policy?](/azure/governance/policy/overview)
+