Add support for running Azure Cloud Shell in secure Azure subscription
I'm working in a subscription where I only give users the minimum permissions that are necessary. I would like these users to have access to Azure Cloud Shell, but I want to have it pre-configured for them before they even try. For this, I need the following:
1. An API (and ideally one or more PowerShell cmdlets) that allows for the initial configuration of Cloud Shell to be done automatically for a user before they even try to access Cloud Shell. This would create the resource group if it did not already exist in the subscription, create the storage account, tag it with "ms-resource-usage:azure-cloud-shell", create the file share for the user in that storage account, and give the user access to nothing other than what is required to launch the Cloud Shell and mount the file share.
2. Ensure that the user cannot see or modify the resource group or storage account containing the file share -- they should have access to nothing other than the shell and the permissions to mount the file share so that it can be properly mounted every time.
3. Don't even show the Cloud Shell icon in the list of icons in Azure unless the user has access to create the Cloud Shell in the first place. There is no point whatsoever in presenting a feature that is broken to a user.
This will allow an administrator like myself to pre-configure the environment for users who need access to it. This allows me to tighten security while still supporting delegation over resources in Microsoft Azure and allowing users to manage the resources that have been delegated to them via the command line in Azure Cloud Shell with bash or PowerShell.
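The provisioning steps listed in item 1, as an added example that is not part of the original request and not Microsoft's code. It uses existing Az cmdlets to create the resource group, the tagged storage account and the file share idempotently; every name, the region and the 6 GiB quota are constructed placeholders. It does not grant the user access or bind the share to the user's Cloud Shell, since the request names no role or API for that.

```powershell
#Requires -Modules Az.Resources, Az.Storage
# Added example: pre-provision Cloud Shell storage as an administrator.
# All default values below are constructed placeholders, not values from the request.
param(
    [string]$ResourceGroupName  = 'rg-cloudshell-example',
    [string]$Location           = 'westeurope',
    [string]$StorageAccountName = 'stcloudshellexample01',  # globally unique, 3-24 lowercase letters/digits
    [string]$ShareName          = 'cs-user-example',         # one share per user
    [int]$ShareQuotaGiB         = 6                          # assumed quota
)
$ErrorActionPreference = 'Stop'
$tag = @{ 'ms-resource-usage' = 'azure-cloud-shell' }        # tag named in the request

# 1. Create the resource group only if it does not already exist.
if (-not (Get-AzResourceGroup -Name $ResourceGroupName -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $ResourceGroupName -Location $Location | Out-Null
}

# 2. Create the storage account with the tag; if it already exists, merge the
#    tag in without overwriting other tags an administrator may have set.
$account = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName `
    -Name $StorageAccountName -ErrorAction SilentlyContinue
if (-not $account) {
    $account = New-AzStorageAccount -ResourceGroupName $ResourceGroupName `
        -Name $StorageAccountName -Location $Location `
        -SkuName Standard_LRS -Kind StorageV2 `
        -EnableHttpsTrafficOnly $true -MinimumTlsVersion TLS1_2 `
        -AllowBlobPublicAccess $false -Tag $tag
}
elseif (-not $account.Tags -or $account.Tags['ms-resource-usage'] -ne 'azure-cloud-shell') {
    Update-AzTag -ResourceId $account.Id -Tag $tag -Operation Merge | Out-Null
}

# 3. Create the user's file share if it is missing.
$share = Get-AzRmStorageShare -ResourceGroupName $ResourceGroupName `
    -StorageAccountName $StorageAccountName -Name $ShareName -ErrorAction SilentlyContinue
if (-not $share) {
    $share = New-AzRmStorageShare -ResourceGroupName $ResourceGroupName `
        -StorageAccountName $StorageAccountName -Name $ShareName -QuotaGiB $ShareQuotaGiB
}

# Emit a summary the caller can log or feed into a separate access-grant step.
[pscustomobject]@{
    ResourceGroup  = $ResourceGroupName
    StorageAccount = $account.StorageAccountName
    FileShare      = $share.Name
    Tagged         = $true
}
```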