How-To Grant Access to Azure Virtual Machines via Bastion

Have you ever used the feature Azure Bastion to access a VM? Have you ever needed to grant someone access to Bastion but want to limit their access? In this post I will show you how to set the minimum access. Enough of that, lets get into it!

In this scenario I have created a basic user for the portal logon and as you can see they have no access to any VM’s

In order to get this process to work the user needs “Reader” access at a minimum in order to use Bastion.
The following IAM RBAC rules need to be on the following resources

Reader on the VMNIC for the VM
Reader on the VM
Reader on the Bastion Resource itself

Step one lets give them access to the VM. With a user that has the appropriate access logon and open up the VM. Click on Access Control (IAM)



Click On Role Assignments

Click On Add, then Add Role Assignment

Fill out the Role Assignment
Role will be Reader
Leave the second box as is
Third box select either user or Group ( Preferred Group )
Click Save when Done

Now lets log back onto the portal as our Bastion User and lets see what has changed. As you can see, we now have the VM that we want to provide access. Click on the VM and lets try to access Bastion

At this point you will notice that you can click on Bastion but you are not provided the logon box. Lets Fix that.

In order to resolve this issue we need to add Reader Access to the Bastion Resource. Open up the Resource Group that has the Bastion Resource. Click on the Bastion Resource. Click on Access Control (IAM)

Click on Add, Add Role Assignment

Fill out just as in the first step
Role will be Reader
Leave the second box as is
Third box select either user or Group ( Preferred Group )
Click Save when Done

At this point you still will not have access. You will need to do the final step of adding the Reader Access to the VNIC.

Using the admin account log back onto the portal and click on Virtual Machines from the blade. Click on the VM from the blade. Networking then the VNIC

Click on Access Control (IAM) from the blade

Click on Add, then Add Role Assignments

Filling out this Assignment just like the last one.
Role will be Reader
Leave the second box as is
Third box select either user or Group ( Preferred Group )
Click Save when Done

Try to access Bastion again. As you can see you now have access

Now you have given a basic user access to a VM through Bastion. I hope this helps you out.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s