@David Walker Welcome to Microsoft Q&A. Thank you for posting here!
Ideally, the Virtual Machine Contributor role can perform all the operations mentioned in this document, i.e. create and manage virtual machines, and users will be able to view the VMs in the Azure portal. However, the user cannot connect using the Bastion host.
In order to make a connection, the following roles are required:
Reader role on the virtual machine
Reader role on the NIC with private IP of the virtual machine
Reader role on the Azure Bastion resource
Hope this helps!
Kindly let us know if the above helps or if you need further assistance on this issue.
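The three Reader assignments listed in the answer above, scripted with the Azure CLI at resource scope rather than resource-group scope. This is an added example, not part of the original answer. The subscription ID, resource names and assignee are constructed placeholders, the NIC is assumed to sit in the VM's resource group, and the commands are only printed unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Constructed placeholder values; replace with your own resources.
SUB="00000000-0000-0000-0000-000000000000"
VM_RG="rg-workload"
VM="vm-app01"
NIC="vm-app01-nic"
BASTION_RG="rg-hub"
BASTION="bastion-hub"

# Print the three resource-level scopes, one per line.
# Args: subscription, VM resource group, VM name, NIC name,
#       Bastion resource group, Bastion name.
bastion_scopes() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/virtualMachines/%s\n' "$1" "$2" "$3"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/networkInterfaces/%s\n' "$1" "$2" "$4"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/bastionHosts/%s\n' "$1" "$5" "$6"
}

# Assign Reader to the assignee (first argument, a UPN or object ID) on
# each scope. With DRY_RUN=1 (the default) the az commands are printed
# for review instead of being executed.
grant_bastion_reader() {
  assignee=$1
  shift
  # Resource IDs built above contain no whitespace, so word splitting is safe.
  for scope in $(bastion_scopes "$@"); do
    if [ "${DRY_RUN:-1}" = "1" ]; then
      printf 'az role assignment create --assignee %s --role Reader --scope %s\n' \
        "$assignee" "$scope"
    else
      az role assignment create --assignee "$assignee" --role Reader \
        --scope "$scope" || return 1
    fi
  done
}

grant_bastion_reader "user@example.com" "$SUB" "$VM_RG" "$VM" "$NIC" "$BASTION_RG" "$BASTION"
```

Scoping each assignment to the individual resource keeps the user from reading every other VM, NIC or Bastion host in the same resource group.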