Accessing Azure VM via Bastion (shared link) with AAD Users

Schäfer, Lukas 0 Reputation points
2024-05-08T13:48:47.3966667+00:00

Hello,

we set up our first Azure VM (win 11 multi-session).
We want to access the VM via a shared link (Bastion) and log in with AzureAD users.

I have created the shared link and access via local users works fine.
I can RDP to the VM with the Azure user "AzureAD\<UPN>", but via the shared link that isn't working.

I need some help to get this working.

Thanks ahead!


2 answers

  1. Dan Rios 1,990 Reputation points MVP
    2024-05-08T15:08:33.6633333+00:00

    Hi,

    The Entra users must have the 'Reader' role assigned on the Azure Bastion resource and 'Virtual Machine User Login' on the virtual machine they wish to log in to.

    Assuming the VM has been setup with the login with Entra option: https://learn.microsoft.com/en-us/entra/identity/devices/howto-vm-sign-in-azure-ad-windows#azure-portal

    Best method will be to create an Entra security group, add in the members you wish. Then assign this security group Reader on the Azure Bastion resource or resource group. Then assign the group the virtual machine user login role on the resource group where the Win 11 VM resides.

    A good article by Wim explains more; you can read it here: https://wmatthyssen.com/2022/07/12/azure-bastion-set-the-minimum-required-roles-to-access-a-virtual-machine/

    Please mark as accepted answer if this solves your issue so others can benefit. Drop a comment if you need more help!


  2. innovation gadget 155 Reputation points
    2024-05-10T07:14:39.3866667+00:00

    Hello Schäfer, Lukas

    Here's how to troubleshoot RDP access to your Azure VM (Windows 11 Multi-Session) using a shared link (Bastion) with Azure Active Directory (Azure AD) users:

    1. Verify Azure AD User Permissions:

    • Reader Role on Bastion: Ensure the Azure AD users you're trying to access the VM with have the "Reader" role assigned to the Azure Bastion resource or the resource group where it resides. This grants them basic access to connect via Bastion.
    • Virtual Machine User Login Role: Additionally, users need the "Virtual Machine User Login" role assigned at the scope of the VM or the resource group where the VM resides. This allows them to log in to the specific VM using RDP.

    2. Check Security Group Rules:

    • Inbound RDP Rule: Verify that your VM's Network Security Group (NSG) has an inbound rule allowing RDP connections on port 3389 from the Bastion subnet. This is crucial for RDP traffic to reach the VM.

    3. Bastion Host Configuration:

    • RDP Protocol Enabled: Double-check that the RDP protocol is enabled within your Azure Bastion configuration.

    4. Local User Permissions (Optional):

    • Temporary Access: If you're still encountering issues, consider creating a temporary local user account on the VM with RDP access for testing purposes. This can help isolate whether the problem lies with Azure AD user permissions or the RDP configuration on the VM itself.

    Troubleshooting Steps:

    • Review Azure AD Permissions: Go to the Azure portal, navigate to your Bastion resource or resource group, and verify the assigned roles for the Azure AD users.
    • Check NSG Rules: Locate the NSG associated with your VM and ensure the inbound RDP rule is present and configured correctly.
    • Bastion Configuration: Review your Bastion configuration to confirm RDP protocol is enabled.
    • Test with Local User (Optional): Create a temporary local user on the VM and try RDP access through Bastion with that account.

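The role layout both answers describe (an Entra security group holding Reader on the Bastion resource and Virtual Machine User Login on the VM's resource group, on a VM that has the Entra login extension) can be applied and verified in one script. The following Az PowerShell script is an added example, not code from the question or from either answer; the subscription id, resource group, Bastion, VM and group names are placeholders you must replace, and the Bastion is assumed to live in a separate hub resource group.

```powershell
# Added example: assign the minimum Entra roles for Bastion shared-link access to a VM,
# then list what the group actually holds. All names below are placeholders.
#Requires -Modules Az.Accounts, Az.Resources, Az.Compute, Az.Network
param(
    [string]$SubscriptionId       = '00000000-0000-0000-0000-000000000000', # placeholder
    [string]$VmResourceGroup      = 'rg-avd-win11',        # assumed RG holding the VM
    [string]$VmName               = 'vm-win11-ms',         # assumed Win 11 multi-session VM
    [string]$BastionResourceGroup = 'rg-hub',              # assumed RG holding the Bastion
    [string]$BastionName          = 'bas-hub',             # assumed Bastion resource
    [string]$GroupDisplayName     = 'sg-bastion-vm-users'  # Entra security group to use
)

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# 1. The VM needs the Entra login extension; without it the
#    'Virtual Machine User Login' role never takes effect at the logon screen.
$ext = Get-AzVMExtension -ResourceGroupName $VmResourceGroup -VMName $VmName -ErrorAction SilentlyContinue |
       Where-Object { $_.ExtensionType -eq 'AADLoginForWindows' }
if (-not $ext) {
    Write-Warning "AADLoginForWindows extension missing on $VmName; installing it."
    $vm = Get-AzVM -ResourceGroupName $VmResourceGroup -Name $VmName
    Set-AzVMExtension -ResourceGroupName $VmResourceGroup -VMName $VmName -Location $vm.Location `
        -Name 'AADLoginForWindows' -Publisher 'Microsoft.Azure.ActiveDirectory' `
        -ExtensionType 'AADLoginForWindows' -TypeHandlerVersion '2.0' | Out-Null
}

# 2. One security group carries both assignments; reuse it if it already exists.
$group = Get-AzADGroup -DisplayName $GroupDisplayName
if (-not $group) {
    $group = New-AzADGroup -DisplayName $GroupDisplayName -MailNickname $GroupDisplayName -SecurityEnabled
}

# 3. Scopes: Reader on the Bastion resource itself, User Login on the VM's resource group.
#    Narrow $vmScope to the VM's own resource id if only this one machine should be reachable.
$bastionScope = (Get-AzBastion -ResourceGroupName $BastionResourceGroup -Name $BastionName).Id
$vmScope      = (Get-AzResourceGroup -Name $VmResourceGroup).ResourceId

$wanted = @(
    @{ Role = 'Reader';                     Scope = $bastionScope },
    @{ Role = 'Virtual Machine User Login'; Scope = $vmScope }
)

foreach ($w in $wanted) {
    # Get-AzRoleAssignment -Scope also returns inherited assignments, so match the scope exactly.
    $existing = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $w.Role -Scope $w.Scope -ErrorAction SilentlyContinue |
                Where-Object { $_.Scope -eq $w.Scope }
    if ($existing) {
        Write-Host "OK   $($w.Role) already assigned at $($w.Scope)"
    } else {
        New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $w.Role -Scope $w.Scope | Out-Null
        Write-Host "ADD  $($w.Role) assigned at $($w.Scope)"
    }
}

# 4. Verification pass for when a user still cannot open the shared link:
#    show every assignment the group holds on the two scopes.
Get-AzRoleAssignment -ObjectId $group.Id |
    Where-Object { $_.Scope -in @($bastionScope, $vmScope) } |
    Select-Object RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

Add the users afterwards with `Add-AzADGroupMember -TargetGroupObjectId $group.Id -MemberUserPrincipalName 'user@contoso.com'` (placeholder UPN); new role assignments can take a few minutes to propagate, so retest the shared link after a short wait rather than immediately. If the verification table shows both roles at the expected scopes and the extension is present, the remaining suspects are the NSG rule for port 3389 from the Bastion subnet and the RDP setting in the Bastion configuration, as the second answer lists.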