Operating Azure Bastion

Kathy Kim 21 Reputation points Microsoft Employee

Bastion Best practice guidance on below:

  1. How to log usage & security
  2. How to manage Global admin application
    The security recommendation is to limit Global Administrators, however there is a lot of functionality where the only option currently is to grant the support engineer Global admin role. What is the recommendation on how to manage/implement this?
    Example, authentication method/custom password block list.
  3. How to apply Azure roles to sec groups from AD on prem
    Current work around is to create AAD group with this option applied, and then add this group as member of AD on-prem group.
Azure FastTrack
Azure FastTrack
Azure: A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters.FastTrack: This tag is no longer in use. Please use 'Azure Startups' instead.
75 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Ravi Bakamwar 11 Reputation points

    Hi Kathy,

    1) Azure Bastion has various metrics that are available by default.
    Additionally, Diagnostics logging can be enable for audit logs and have the data sent to things like Storage Account/Log workspace. https://learn.microsoft.com/en-us/azure/bastion/diagnostic-logs

    2) Azure AD PIM feature which allows just-in-time/time bound privileged role management could potentially help.
    (This feature requires AAD P2 License)

    3) Azure roles can be assigned to on-prem AD (Synced to AAD) Groups. If you mean "Azure AD Roles", those cant be assigned to AD Groups, only to AAD Groups as you mentioned (and I dont think it allows on-prem AD Group as a member of such group enabled for role assignment). As per this announcement which is an year old, we will add the feature in the future.

    1 person found this answer helpful.
    0 comments No comments