Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
Support for Certificate Based Authentication with Azure Bastion?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 28.999999999999996%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ3%3C/text%3E%3C/svg%3E)
JohnSebastian-3934
581
Reputation points
First question:
Are there any plans on supporting Certificate Based Authentication with Azure Bastion?
Currently certificates to not work to authenticate on a host, only username/password.
Federal NIST Controls are requiring Phishing Resistant device authentication and I need to explain to my Cyber Team why I cannot do that with Azure Bastion service when connecting to a host.
Second question:
Are there any plans to support connecting to Entra ID joined VMs with the Azure Bastion service? I have two Entra ID joined Windows VMs. In order to connect to them, I have to actually RDP from another host after logging into Azure with the az login command first. This is a nightmare. Why wouldn't connecting to Entra ID joined hosts using the Bastion service be one of the first requirements to support?
Microsoft Security | Microsoft Entra | Microsoft Entra ID
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 10%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Shubham Sharma 17,675 Reputation points Microsoft External Staff Moderator2025-11-26T17:01:36.1733333+00:00 Hello JohnSebastian-3934
Following up to see if the above provided resolution was helpful. If you have any further queries do let us know.
-
JohnSebastian-3934 581 Reputation points
2025-11-26T17:04:41.5+00:00 Looks like the original answer was deleted for some violation of Code of Conduct. Not sure why since it was informative. So no I don't now have an answer because I didn't save what was written
-
Shubham Sharma 17,675 Reputation points Microsoft External Staff Moderator
2025-11-26T17:12:01.05+00:00 We may have selected the wrong option by mistake. We’ll take care of it—please don’t worry. Thank you for the update
-
JohnSebastian-3934 581 Reputation points
2025-12-01T20:52:59.9333333+00:00 So can someone answer my original question? There was a response and then it was deleted by someone.
-
Shubham Sharma 17,675 Reputation points Microsoft External Staff Moderator
2025-12-02T09:27:19.1033333+00:00 Hello JohnSebastian-3934
Thank you for your reply. Below is the response that was removed by mistake. Please have a look.
Currently, Azure Bastion does not support Certificate Based Authentication for connecting to hosts. Users can only authenticate using username and password. This limitation may pose challenges for organizations that require phishing-resistant device authentication, such as those adhering to Federal NIST Controls. Unfortunately, there are no announced plans to implement Certificate Based Authentication with Azure Bastion at this time.
Regarding the connection to Entra ID joined VMs, Azure Bastion does support connections to Entra ID extension-joined VMs. However, it does not yet support RDP connections to VMs that are joined to Microsoft Entra ID directly through the portal. Users must still use an intermediate method, such as logging in via the Azure CLI, to connect to these VMs. This functionality is expected to evolve, but specific timelines for updates have not been provided in the current documentation.
References:
-
Shubham Sharma 17,675 Reputation points Microsoft External Staff Moderator
2025-12-03T11:24:28.44+00:00 Hello JohnSebastian-3934
Please let us know if you need any further assistance.
Sign in to comment
Answer accepted by question author
Deleted
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more