Having only recently embraced Bastion as one of the better ways to provide secure access to VMs, I'm still very much learning the basics, and I found that the process of granting a user access to a virtual machine via Bastion wasn't quite as straightforward as I expected.
This short post covers the exact steps required; I'll also link to the relevant Learn material in case anything changes down the line.
Granting access
To let a user reach a Virtual Machine through Bastion, the following role assignments are required (Reader is enough for the portal to list the resources and broker the session; none of them grants the user any right to change the resources):
- Reader role on the Virtual Machine.
- Reader role on the VM's network interface (the NIC holding the private IP that Bastion connects to).
- Reader role on the Virtual Network containing the Virtual Machine (Microsoft's documentation lists this as required when the Bastion host is deployed in a peered VNet; it is Reader only, so there is no harm in granting it either way).
- Reader role on the Bastion resource.
- Virtual Machine Administrator Login or Virtual Machine User Login role on the Virtual Machine, but only if the user will sign in with Azure AD (now Microsoft Entra ID) credentials rather than a local account. Reader alone does not permit the sign-in.
The process for granting this access is straightforward, assuming you hold Owner or User Access Administrator rights on the relevant resources (both carry the role-assignment permission the steps below need):
- Navigate to the Azure portal and locate the Virtual Machine you want to grant access to.
- Open the Access control (IAM) pane and assign the Reader role to the user.
- Navigate to the containing Virtual Network via the Overview pane of the VM (Virtual network/subnet).
- Open its Access control (IAM) pane and assign the Reader role to the user.
- Navigate back to the VM, open the Networking pane and select the Network interface.
- Open its Access control (IAM) pane and assign the Reader role to the user.
- Navigate to the Bastion pane on the Virtual Machine, select the Bastion name and assign the Reader role to the user.
- If the user will sign in with Azure AD, also assign Virtual Machine Administrator Login or Virtual Machine User Login on the VM itself.
Role assignments can take several minutes to propagate, so an access-denied error immediately after assigning them does not necessarily mean a step was missed; retry before re-checking each pane.
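The same set of assignments can be scripted with Azure CLI instead of clicking through four IAM panes, which makes it repeatable and reviewable. The script below is an added example and not part of the original post; the subscription ID, resource group, VM, NIC, VNet and Bastion host names and the user's object ID are placeholders you supply. It builds the ARM resource ID for each scope, assigns Reader on all four, and adds the Entra ID login role on the VM only when one is requested. With `DRY_RUN=1` (the default here) it prints the `az` commands rather than running them.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: assign the Bastion role set with
# Azure CLI. Every identifier (subscription, resource group, VM, NIC, VNet,
# Bastion host, user object ID) is a placeholder supplied by the caller.
set -eu

# Wrapper so the script can be reviewed before it touches Azure:
# DRY_RUN=1 prints each az command instead of running it.
run_az() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "az $*"
  else
    az "$@"
  fi
}

# Print the four ARM resource IDs that need Reader, one per line, VM first.
# Args: subscription-id resource-group vm-name nic-name vnet-name bastion-name
bastion_scopes() {
  base="/subscriptions/$1/resourceGroups/$2/providers"
  printf '%s\n' \
    "$base/Microsoft.Compute/virtualMachines/$3" \
    "$base/Microsoft.Network/networkInterfaces/$4" \
    "$base/Microsoft.Network/virtualNetworks/$5" \
    "$base/Microsoft.Network/bastionHosts/$6"
}

# Grant Reader on every scope, plus an optional login role on the VM only.
# Args: user-object-id login-role <the six bastion_scopes args>
# login-role is "" for local-credential sign-in, or
# "Virtual Machine User Login" / "Virtual Machine Administrator Login"
# for Entra ID sign-in. Passing the object ID plus principal type avoids
# a directory lookup by UPN, which needs extra Graph permissions.
grant_bastion_access() {
  user_oid="$1"
  login_role="$2"
  shift 2
  vm_scope="$(bastion_scopes "$@" | head -n 1)"
  # Resource IDs contain no whitespace, so word-splitting the output is safe.
  for scope in $(bastion_scopes "$@"); do
    run_az role assignment create --role Reader --scope "$scope" \
      --assignee-object-id "$user_oid" --assignee-principal-type User
  done
  if [ -n "$login_role" ]; then
    run_az role assignment create --role "$login_role" --scope "$vm_scope" \
      --assignee-object-id "$user_oid" --assignee-principal-type User
  fi
}

# Sample invocation with constructed placeholder IDs. Defaults to dry-run so
# the sample never mutates anything; set DRY_RUN=0 with a signed-in az
# session to apply the assignments.
: "${DRY_RUN:=1}"
export DRY_RUN
grant_bastion_access \
  11111111-1111-1111-1111-111111111111 "Virtual Machine User Login" \
  00000000-0000-0000-0000-000000000000 rg-prod vm-app01 vm-app01-nic vnet-prod bas-prod
```

In practice you would not type the NIC name by hand: `az vm nic list --resource-group <rg> --vm-name <vm>` returns the NIC IDs attached to the VM, and the VNet can be read from the NIC's subnet ID. After applying, `az role assignment list --assignee <object-id> --all --output table` is the quickest way to confirm that exactly the four Reader assignments (and, if requested, the single login role) exist and nothing broader slipped in.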
Be sure to check out the official documentation for the latest available information – Create an RDP connection to a Windows VM using Azure Bastion