Merge pull request #217654 from ntrogh/als-policy

ttorble · web-flow · commit be1a89d59060 · 2022-11-10T11:38:36.000Z
[Azure Lab Services] Updated Azure policy content
diff --git a/articles/lab-services/TOC.yml b/articles/lab-services/TOC.yml
@@ -307,8 +307,9 @@
     href: /powershell/module/az.labservices/
   - name: Azure CLI
     href: https://github.com/Azure/azure-cli-extensions/tree/main/src/hack
-  - name: Built-in policies
-    href: ../governance/policy/samples/built-in-policies.md#lab-services
+  - name: Azure Policy built-ins
+    displayName: samples, policies, definitions
+    href: ./policy-reference.md
   - name: Microsoft Azure SDK for Python
     href: https://pypi.org/project/azure-mgmt-labservices/
 - name: Resources
diff --git a/articles/lab-services/azure-polices-for-lab-services.md b/articles/lab-services/azure-polices-for-lab-services.md
@@ -1,76 +1,96 @@
 ---
 title: Azure Policies for Lab Services
-description: This article describes the policies available for Azure Lab Services. 
+description: Learn how to use Azure Policy to use built-in policies for Azure Lab Services to make sure your labs are compliant with your requirements.
 ms.topic: conceptual
 ms.author: rosemalcolm
 author: RoseHJM
-ms.date: 08/15/2022
+ms.date: 11/08/2022
 ---
 
-# What’s new with Azure Policy for Lab Services?
+# Use policies to audit and manage Azure Lab Services
 
-Azure Policy helps you manage and prevent IT issues by applying policy definitions that enforce rules and effects for your resource. Azure Lab Services has added four built-in Azure policies. This article summarizes the new policies available in the August 2022 Update for Azure Lab Services. 
+When teams create and run labs on Azure Lab Services, they may face varying requirements to the configuration of resources. Administrators may look for options to control cost, provide customization through templates, or restrict user permissions.
 
-1. Lab Services should enable all options for auto shutdown 
-1. Lab Services should not allow template virtual machines for labs 
-1. Lab Services should require non-admin user for labs 
-1. Lab Services should restrict allowed virtual machine SKU sizes 
+As a platform administrator, you can use policies to lay out guardrails for teams to manage their own resources. [Azure Policy](../governance/policy/index.yml) helps audit and govern resource state. In this article, you learn about available auditing controls and governance practices for Azure Lab Services.
 
-For a full list of built-in policies, including policies for Lab Services, see [Azure Policy built-in policy definitions](../governance/policy/samples/built-in-policies.md#lab-services).
+[!INCLUDE [lab plans only note](./includes/lab-services-new-update-focused-article.md)]
 
+## Policies for Azure Lab Services
 
+[Azure Policy](../governance/policy/index.yml) is a governance tool that allows you to ensure that Azure resources are compliant with your policies.
 
-[!INCLUDE [lab plans only note](./includes/lab-services-new-update-focused-article.md)]
+Azure Lab Services provides a set of policies that you can use for common scenarios with Azure Lab Services. You can assign these policy definitions to your existing subscription or use them as the basis to create your own custom definitions.
+
+Policies can be set at different scopes, such as at the subscription or resource group level. For more information, see the [Azure Policy documentation](../governance/policy/overview.md).
+
+For a full list of built-in policies, including policies for Lab Services, see Azure Policy built-in policy definitions.
 
-## Lab Services should enable all options for auto shutdown
+### Lab Services should enable all options for auto shutdown
 
-This policy enforces that all [shutdown options](how-to-configure-auto-shutdown-lab-plans.md) are enabled while creating the lab. During policy assignment, lab administrators can choose the following effects.  
+This policy enforces that all [shutdown options](how-to-configure-auto-shutdown-lab-plans.md) are enabled while creating the lab.
+
+During policy assignment, lab administrators can choose the following effects:
 
 |**Effect**|**Behavior**|
-|-----|-----|
-|**Audit**|Labs will show on the [compliance dashboard](../governance/policy/assign-policy-portal.md#identify-non-compliant-resources) as non-compliant when all shutdown options are not enabled for a lab.  |
-|**Deny**|Lab creation will fail if all shutdown options are not enabled. |
+|----------|------------|
+|**Audit** | Labs will show on the [compliance dashboard](../governance/policy/assign-policy-portal.md#identify-non-compliant-resources) as non-compliant when all shutdown options aren't enabled for a lab.  |
+|**Deny**  | Lab creation will fail if all shutdown options aren't enabled. |
+
+### Lab Services should not allow template virtual machines for labs 
 
-## Lab Services should not allow template virtual machines for labs 
+You can use this policy to restrict [customization of lab templates](tutorial-setup-lab.md). When you create a new lab, you can choose to *Create a template virtual machine* or *Use virtual machine image without customization*. If this policy is enabled, only *Use virtual machine image without customization* is allowed. 
 
-This policy can be used to restrict [customization of lab templates](tutorial-setup-lab.md). When you create a new lab, you can select to *Create a template virtual machine* or *Use virtual machine image without customization*. If this policy is enabled, only *Use virtual machine image without customization* is allowed. During policy assignment, lab administrators can choose the following effects.  
+During policy assignment, lab administrators can choose the following effects:
 
 |**Effect**|**Behavior**|
-|-----|-----|
-|**Audit**|Labs will show on the [compliance dashboard](../governance/policy/assign-policy-portal.md#identify-non-compliant-resources) as non-compliant when a template virtual machine is used for a lab.|
-|**Deny**|Lab creation to fail if “create a template virtual machine” option is used for a lab.|
+|----------|------------|
+|**Audit** |Labs will show on the [compliance dashboard](../governance/policy/assign-policy-portal.md#identify-non-compliant-resources) as non-compliant when a template virtual machine is used for a lab.|
+|**Deny**  |Lab creation will fail if *Create a template virtual machine* option is used for a lab.|
 
-## Lab Services requires non-admin user for labs 
+### Lab Services requires non-admin user for labs 
 
-This policy is used to enforce using non-admin accounts while creating a lab. With the August 2022 Update, you can choose to add a non-admin account to the VM image.  This new feature allows you to keep separate credentials for VM admin and non-admin users. For more information to create a lab with a non-admin user, see [Tutorial: Create and publish a lab](tutorial-setup-lab.md#create-a-lab), which shows how to give a student non-administrator account rather than default administrator account on the “Virtual machine credentials” page of the new lab wizard.  
+Use this policy to enforce using non-admin accounts while creating a lab. With the August 2022 Update, you can choose to add a non-admin account to the VM image.  This new feature allows you to keep separate credentials for VM admin and non-admin users. For more information to create a lab with a non-admin user, see [Tutorial: Create and publish a lab](tutorial-setup-lab.md#create-a-lab). The tutorial shows how to give a student a non-administrator account rather than default administrator account on the **Virtual machine credentials** page in the new lab wizard.
 
-During the policy assignment, the lab administrator can choose the following effects. 
+During the policy assignment, the lab administrator can choose the following effects:
 
 |**Effect**|**Behavior**|
-|-----|-----|
-|**Audit**|Labs show on the [compliance dashboard](../governance/policy/assign-policy-portal.md#identify-non-compliant-resources) as non-compliant when non-admin accounts are not used while creating the lab.|
-|**Deny**|Lab creation will fail if “Give lab users a non-admin account on their virtual machines” is not checked while creating a lab.|
+|----------|------------|
+|**Audit** |Labs show on the [compliance dashboard](../governance/policy/assign-policy-portal.md#identify-non-compliant-resources) as non-compliant when non-admin accounts aren't used while creating the lab.|
+|**Deny**  |Lab creation will fail if *Give lab users a non-admin account on their virtual machines* isn't checked while creating a lab.|
+
+### Lab Services should restrict allowed virtual machine SKU sizes
 
-## Lab Services should restrict allowed virtual machine SKU sizes
-This policy is used to enforce which SKUs can be used while creating the lab. For example, a lab administrator might want to prevent educators from creating labs with GPU SKUs since they are not needed for any classes being taught. This policy would allow lab administrators to enforce which SKUs can be used while creating the lab. 
-During the policy assignment, the Lab Administrator can choose the following effects.
+This policy enforces which SKUs can be used while creating a lab. For example, a lab administrator might want to prevent educators from creating labs with GPU SKUs, since they aren't needed for any classes being taught.
+
+During the policy assignment, the Lab Administrator can choose the following effects:
 
 |**Effect**|**Behavior**|
-|-----|-----|
-|**Audit**|Labs show on the [compliance dashboard](../governance/policy/assign-policy-portal.md#identify-non-compliant-resources) as non-compliant when a non-allowed SKU is used while creating the lab.|
-|**Deny**|Lab creation will fail if SKU chosen while creating a lab is not allowed as per the policy assignment.|
+|----------|------------|
+|**Audit** |Labs show on the [compliance dashboard](../governance/policy/assign-policy-portal.md#identify-non-compliant-resources) as non-compliant when a non-allowed SKU is used while creating the lab.|
+|**Deny**  |Lab creation will fail if the selected SKU while creating a lab isn't allowed as per the policy assignment.|
+
+## Assigning built-in policies
+
+To view the built-in policy definitions related to Azure Lab Services, use the following steps:
+
+1. Go to **Azure Policy** in the [Azure portal](https://portal.azure.com).
+1. Select **Definitions**.
+1. For **Type**, select *Built-in*, and for **Category**, select **Lab Services**.
+
+From here, you can select policy definitions to view them. While viewing a definition, you can use the **Assign** link to assign the policy to a specific scope, and configure the parameters for the policy. For more information, see [Assign a policy - portal](../governance/policy/assign-policy-portal.md).
+
+You can also assign policies by using [Azure PowerShell](../governance/policy/assign-policy-powershell.md), [Azure CLI](../governance/policy/assign-policy-azurecli.md), and [templates](../governance/policy/assign-policy-template.md).
 
 ## Custom policies
 
-In addition to the new built-in policies described above, you can create and apply custom policies. This technique is helpful in situations where none of the built-in policies apply or where you need more granularity. 
+In addition to the new built-in policies described above, you can create and apply custom policies. This technique is helpful in situations where none of the built-in policies apply or where you need more granularity.
 
 Learn how to create custom policies:
 - [Tutorial: Create and manage policies to enforce compliance](../governance/policy/tutorials/create-and-manage.md).
 - [Tutorial: Create a custom policy definition](../governance/policy/tutorials/create-custom-policy-definition.md).
 
 ## Next steps
 
-See the following articles:
 - [How to use the Lab Services should restrict allowed virtual machine SKU sizes Azure policy](how-to-use-restrict-allowed-virtual-machine-sku-sizes-policy.md)
-- [Built-in Policies](../governance/policy/samples/built-in-policies.md#lab-services)
+- [Built-in policies for Azure Lab Services](./policy-reference.md)
 - [What is Azure policy?](../governance/policy/overview.md)
diff --git a/articles/lab-services/policy-reference.md b/articles/lab-services/policy-reference.md
@@ -0,0 +1,29 @@
+---
+title: Built-in policy definitions for Lab Services
+description: Lists Azure Policy built-in policy definitions for Azure Lab Services. These built-in policy definitions provide common approaches to managing your Azure resources.
+ms.date: 11/08/2022
+ms.topic: reference
+author: ntrogh
+ms.author: nicktrog
+ms.service: lab-services
+ms.custom: subject-policy-reference
+---
+# Azure Policy built-in definitions for Azure Lab Services
+
+This page is an index of [Azure Policy](../governance/policy/overview.md) built-in policy
+definitions for Azure Lab Services. For additional Azure Policy built-ins for other services, see
+[Azure Policy built-in definitions](../governance/policy/samples/built-in-policies.md).
+
+The name of each built-in policy definition links to the policy definition in the Azure portal. Use
+the link in the **Version** column to view the source on the
+[Azure Policy GitHub repo](https://github.com/Azure/azure-policy).
+
+## Azure Lab Services
+
+[!INCLUDE [azure-policy-reference-rp-lab-services](../../includes/policy/reference/byrp/microsoft.labservices.md)]
+
+## Next steps
+
+- See the built-ins on the [Azure Policy GitHub repo](https://github.com/Azure/azure-policy).
+- Review the [Azure Policy definition structure](../governance/policy/concepts/definition-structure.md).
+- Review [Understanding policy effects](../governance/policy/concepts/effects.md).
