Bastion only Custom Role based access

Razzi29 331 Reputation points
2024-01-02T19:14:25.9666667+00:00

There is a requirement to allow RDP access to a limited set of VMs on Azure. We use Bastion for admins, but for these particular users I ONLY want to give them the ability to use Bastion on the portal and then RDP to the servers. My question is: which are the minimal permissions I can assign to a Custom Role to allow Bastion access only and nothing else? Once the Custom Role is configured, can I apply it to a resource group, or do I need to individually apply it to vNets?


Accepted answer
    Konstantinos Passadis 17,456 Reputation points MVP
    2024-01-02T20:37:27.5066667+00:00

    Hello @Razzi29

    To assign the least you need is:

    Reader Role on the VM: The user needs to have at least Reader permissions on the virtual machine (VM) they are accessing.
    
    Reader Role on the NIC: Similar permissions on the Network Interface Card (NIC) associated with the VM.
    
    Bastion Service Reader Role: To use Azure Bastion, the user also needs to have Reader permissions on the Bastion service itself.
    

    After you create the Role you can assign it on Subscription Level, Resource Group or specific resources.

    If the grouping is done by Resource Group I suggest that approach.

    Usually it is better to assign it to a Root resource, or directly on the VMs. I would not try to do that on VNETs; you need either to inherit the role or get it directly on the VM.

    https://video2.skills-academy.com/en-us/azure/role-based-access-control/role-assignments-steps

    Here is a great LINK:

    https://wmatthyssen.com/2022/07/12/azure-bastion-set-the-minimum-required-roles-to-access-a-virtual-machine/


    I hope this helps!

    Kindly mark the answer as Accepted and Upvote in case it helped!

    Regards

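A worked example of the custom role the accepted answer describes, added here and not part of the original thread: a role definition carrying only read actions on the VM, its NIC and the Bastion host, created with the Azure CLI and assigned at resource-group scope rather than per vNet. The subscription id, resource group and user object id are placeholders, and the three action names are assumed to correspond to the Reader permissions the answer lists.

```shell
#!/usr/bin/env sh
# Constructed example: least-privilege custom role for "Bastion connect only".
# Placeholders (hypothetical): SUBSCRIPTION_ID, RESOURCE_GROUP, user object id.
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-bastion-users}"
ROLE_NAME="Bastion Connect Only"

# Emit the role definition. Only read actions on the three resource types the
# answer names; no write, delete or data-plane actions. AssignableScopes is the
# subscription so the same role can be assigned at any RG or VM inside it.
bastion_role_definition() {
  cat <<EOF
{
  "Name": "${ROLE_NAME}",
  "IsCustom": true,
  "Description": "Read VM, NIC and Bastion host only: enough to open an RDP session through Bastion in the portal.",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Network/bastionHosts/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [ "/subscriptions/${SUBSCRIPTION_ID}" ]
}
EOF
}

# Sanity check before creating the role: count the read actions granted.
bastion_role_action_count() {
  bastion_role_definition | grep -c '/read"'
}

# Create the role and assign it once at resource-group scope so every VM and
# NIC in the group inherits it. Requires a logged-in az CLI.
# Caveat: if the Bastion host lives in another resource group (a hub), assign
# the same role a second time scoped to that Bastion host resource.
assign_bastion_role() {
  user_object_id="$1"
  bastion_role_definition > /tmp/bastion-role.json
  az role definition create --role-definition @/tmp/bastion-role.json
  az role assignment create \
    --assignee-object-id "${user_object_id}" \
    --assignee-principal-type User \
    --role "${ROLE_NAME}" \
    --scope "/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP}"
}

# Preview the definition that would be submitted.
bastion_role_definition
```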