Unable to login to Azure Bastion

Question

Hi,

We get this error when trying to login to our VM's using a RDP log in process. We are using our azure bastion through the azure interface:

"The target machine has denied access to this connection. If you require access, please grant access to your account on the target machine, or check your system settings"

Troubleshooting steps:

• We restarted a number of VM's to ensure it would reset any user logins or tied up resources
• When we upgraded our ski tier from basic to standard it started to work again and allowed users to login again

Is the standard tier required for basic RDP access as it worked before we upgraded? We didn't change any permissions and once we upgraded the ski it started to work so wanted to check what changed?

Kind regards,

Paul

Answer 1

Hello Paul McQuaid

We want to update you about the RDP login issue encountered when accessing Azure virtual machines through Azure Bastion, where users saw the message “The target machine has denied access to this connection.” Our investigation found that the problem was not caused by VM user permissions or RDP settings. No changes were made to access rights or login policies. The issue was due to Azure Bastion SKU capacity limits.

The Basic SKU has a fixed backend capacity of two instances, supporting about 40 concurrent RDP sessions. Once this limit is reached, new connections are denied, which causes the access-denied message. Microsoft documentation confirms that the Basic SKU cannot scale beyond this limit. 

After upgrading to the Standard SKU, connectivity was restored because the Standard SKU allows scaling from 2 up to 50 instances, with each instance supporting up to 20 concurrent RDP sessions.

This upgrade removed the concurrency bottleneck, enabling successful logins without further configuration changes. 

To clarify, the Standard SKU is not required for basic RDP access; both Basic and Standard SKUs support portal-based RDP access.

However, the Basic SKU is best for small environments with low concurrent access needs, while the Standard SKU is recommended for production environments with higher usage, as it offers scalability and better session handling. 

For more information, please refer to the Microsoft documentation below:https://learn.microsoft.com/en-us/azure/bastion/bastion-connect-vm-rdp-windows?tabs=portal#prerequisites

https://learn.microsoft.com/en-us/azure/bastion/upgrade-sku?tabs=portal

https://docs.azure.cn/en-us/bastion/bastion-sku-comparison

---

I hope the above answer helps you! Please let us know if you have any further questions.

Please don't forget to "upvote" where the information provided will help you, this can be beneficial to other members of the community.

Answer 2

Hi @ Paul McQuaid,

Welcome to Microsoft Q&A Platform

No, the Standard SKU is not required for basic RDP access via Azure Bastion.

As per the documentation:

Basic SKU supports RDP access through the Azure portal (browser) using the default port 3389, with no additional configuration required.

• Standard SKU is only required when you need advanced features such as:
• Custom ports
• Native client (RDP) support
• IP-based connections
  

If RDP started working after upgrading to Standard, it likely indicates that one of the following was required in your scenario:

You were attempting to use native RDP client (mstsc) instead of browser-based access

A custom port or additional configuration was involved

• There was a temporary issue that got resolved during the upgrade/redeployment

"The target machine has denied access to this connection. If you require access, please grant access to your account on the target machine, or check your system settings"

This error typically indicates an issue inside the virtual machine or with authentication, rather than a Bastion SKU limitation.

Why it may have started working after upgrading the SKU

Upgrading from Basic to Standard may have refreshed or redeployed the Bastion host infrastructure. This could temporarily resolve issues such as:

• Stale Bastion sessions
• Network or tunnel connectivity issues
• Bastion host service refresh during the SKU change

However, the SKU upgrade itself does not change VM login permissions or RDP access behavior.

Since the error indicates the VM denied access, please check the below settings

1. Local or domain user permissions: Ensure the account used for login is part of the Remote Desktop Users group or Administrators group.

Inside the VM:

Computer Management → Local Users and Groups → Groups → Remote Desktop Users

2. RDP access is enabled: Verify the VM allows remote desktop connections:

System → Remote Desktop → Allow remote connections

3. Network security rules: Ensure that no NSG rules or Windows firewall rules block RDP access internally.

Note: When using Bastion, the VM does not require port 3389 open to the internet, but the VM must still allow RDP internally.

4. Azure VM access extensions: If you are using Azure AD login for Windows, confirm that the extension is installed and the user has the required RBAC roles:

• Virtual Machine User Login
• Virtual Machine Administrator Login

Ref: Sign in to Windows virtual machine in Azure using Microsoft Entra ID and Azure Roles Based Access Control

If the above steps did not help resolve your issue, please feel free to share the details in a private message so we can proceed with further troubleshooting over a Teams call. I am happy to connect with you on Teams to investigate and resolve the issue.

Pleaseand “up-vote” wherever the information provided helps you, this can be beneficial to other community members.