This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 21%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKK%3C/text%3E%3C/svg%3E)
Bastion Best practice guidance on below:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 21%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERB%3C/text%3E%3C/svg%3E)
Hi Kathy,
1) Azure Bastion has various metrics that are available by default.
https://learn.microsoft.com/en-us/azure/bastion/howto-metrics-monitor-alert#about-metrics
Additionally, Diagnostics logging can be enable for audit logs and have the data sent to things like Storage Account/Log workspace. https://learn.microsoft.com/en-us/azure/bastion/diagnostic-logs
2) Azure AD PIM feature which allows just-in-time/time bound privileged role management could potentially help.
(This feature requires AAD P2 License)
https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
3) Azure roles can be assigned to on-prem AD (Synced to AAD) Groups. If you mean "Azure AD Roles", those cant be assigned to AD Groups, only to AAD Groups as you mentioned (and I dont think it allows on-prem AD Group as a member of such group enabled for role assignment). As per this announcement which is an year old, we will add the feature in the future.
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/assigning-groups-to-azure-ad-roles-is-now-in-public-preview/ba-p/1257372