Automatically remove users that haven't been accessed a lab VM for a period of time

Question

So let me preface this by saying that I'm still a newbie to Azure, an don't know much PowerShell (yet).

I've started working tech support for an IT training company who uses Azure Labs for training VMs, and one of our regular tasks is to go through the labs and remove users who are no longer using a VM, otherwise the lab slots fill up, eventually locking out new users.

However, to do this currently, we have to cross reference users emails in Labs backend to our LMS, to see when a user last accessed a course, which is an incredibly manual and tedious process, as there's no way to see when a VM was last accessed in Labs directly, let alone easily check every VM/user in bulk.

I thought surely this is a common enough occurrence that this is a solved problem, but I've been searching for an answer for the last couple of days, and nothing. I don't know if I'm missing something, or if my company has things setup wrong, or if what I'm asking is simply not possible for some reason?

Answer 1

Before I answer the PowerShell question directly, let me call out a few things. The Azure Lab Services Teams integration automatically syncs the Teams group to the user list. With Azure Lab Services April 2022 Update (preview), there is Canvas LMS integration which will sync the course roster with the lab user list. If your not using one of these LMS, which I'm assuming is the case, then you still need to manually sync the user list if you want to keep using the same lab.

The other thing I wanted to note, was possible workflows using Azure Lab Services. It sounds like your company is using the same lab and just adds or removes users from session to session. Another possible workflow that I've seen used by training companies using Azure Lab Services is to create a new lab for every session and then delete it when the session is over. The template image for a lab can be re-used if the lab account has an attached Azure Compute Gallery and the template image has been saved to the gallery.

Okay, now let's get into PowerShell commands in case none of the previous workflows meets your company's requirements. I'm guessing you want to automate to following steps:

1. Get user information for the labs
2. Take information from #1 and create to-be-removed user information list.
3. Remove all users from list in #2.

The PowerShell is different depending on which version of Azure Lab Services you are using. Let me start with the GA'ed version of the service (pre-April 2022 Update). This using the Az.LabServices available from GitHub, not the built-in version. The PowerShell code for #1 would look something like the following:

#1. Get all users in all labs for the subscription
$userList = @(Get-AzLabAccount | Get-AzLab | Get-AzLabUser | Select-Object -Property LabAccountName,LabName,Name,@{N="Email";E={$_.properties.email}}} ) 

#2. Create '$toDeleteUserList'
#TODO: Add logic to match userList information with list of student emails that need to be removed
$toDeleteUserList = @() 

#3. Remove Users
$toDeleteUserList | ForEach-Object {Get-AzLabAccount -LabAccountName $_.LabAccountName | Get-AzLab -LabName $_.LabName | Remove-AzLabUser -User @{"name"=$_.name} }

If your using the April 2022 Update (preview), then you'll be using the built-in module. (Import-Module Az.LabServices). The code changes to:

#1. Get all users in all labs for the subscription
$userList = @(Get-AzLabServicesLabPlan | Get-AzLabServicesLab | Get-AzLabServicesUser | Select -Property Id, Email) 

#2. Create '$toDeleteUserList'
#TODO: Add logic to match userList information with list of student emails that need to be removed
$toDeleteUserList = @() 

#3. Remove Users
$toDeleteUserList | ForEach-Object { Remove-AzLabServicesUser -ResourceId $_.Id}

Hope that helps, Elizabeth