I’ve just configured the VMM 2008 web based portal. It was pretty easy. The idea is that you give people a web interface that allows them to manage VM’s, their properties and "KVM" access to them via the web site. If you provide templates and VHD’s in your library (as well has prepared disk for your cluster) you can allow users to build their own VM’s. To be honest, this would be impossible to control without a cluster file system – what’s to stop a user taking a 1TB LUN for a 100GB VHD? You also are going to have trouble with restricting control over VLAN tags. You can control VM resource consumption by using a points system, e.g. assign a score to a VM template and deduct it from a user’s point allocation as they deploy machines.
However, if you restrict full access to administrators and allow KVM/power control access to VM owners then you’ve got a nice solution. You’ll want to do some clever group management and permissioning.
You’ll need an AD group for "VMM Administrators". Put your VMM administrator accounts/groups into that group. For every customer there will be a group, e.g. "Cust-Group". They will also have a user called "Cust-User". Cust-User and VMM-Administrators are members of Cust-Group.
Create a folder/group in the VMM console to put that customer’s VM’s into called "Cust". When a VM is set up for them assign the owner of the machine as "Cust-Group".
Set up a self service role called "Cust-Self" service and add Cust-Group to that role. Give it the scope required, i.e. the VMM folder/group called Cust. Give the role the required permissions over the VM’s in that group, e.g. start, stop, pause & resume, remote connection and shutdown.
Now configure the portal with SSL access (simple IIS7 operation) and share the URL. The user will log in using domainCust-User. Their console will load an only show their VM’s. They will only be able to do the actions you assigned to them.