Azure Active Directory Credentials used with Bastion

Question

Azure Active Directory Credentials used with Bastion

James De Ath 21

From the documentation, its clear that currently Azure Active Directory Credentials can't be used to log into the VM with Bastion. Would love to replace RDP with Bastion, but can't really implement this until AAD credentials is enabled.

Will this feature be enabled relatively soon?

Accepted answer

0 additional answers

Your answer

Answer 1

GitaraniSharma-MSFT 50,096 Microsoft Employee Moderator

Hello @James De Ath ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you would like to use Azure Active Directory Credentials to log into a VM via Bastion.

I would like to inform you that this feature is already available. With the new Azure Bastion native client support, available with Standard SKU, you can now:

Connect to your target Azure virtual machine via Azure Bastion using Azure CLI and a native client on your local machine.
Log into Azure Active Directory-joined virtual machines using your Azure Active Directory credentials.
Access the features available with your chosen native client (ex: file transfer).

Refer : https://azure.microsoft.com/en-in/updates/general-availability-azure-bastion-native-client-support/

The native client feature lets you connect to your target VMs via Bastion using Azure CLI, and expands your sign-in options to include local SSH key pair and Azure Active Directory (Azure AD).
Refer : https://learn.microsoft.com/en-us/azure/bastion/connect-native-client-windows

NOTE : This configuration requires the Standard SKU tier for Azure Bastion.

Kindly let us know if the above helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

James De Ath 21 Reputation points

2022-07-22T08:21:25.843+00:00

Thank you, I have seen this previously. However, not sure it'll be the best solution to replace our current method. In order for the native client to work, you need to open RDP or a custom port on your VMs. A large part of Bastion was that it was a secure service, but leaving the RDP open doesn't solve this?

To get around this, would you add the Azure Bastion Subnet IP address range in an NSG rule to allow only Bastion to be able to open the port on the target VMs in your target VM subnet. Or is this still not secure?
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-07-25T14:30:31.417+00:00

Hello @James De Ath ,

Thank you for your response.

Please allow me sometime to discuss this with the Azure Bastion backend team and get back to you with further updates.

Regards,
Gita
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-08-01T17:54:50.8+00:00

Hello @James De Ath ,

You can follow the NSG guideline as published here:
https://learn.microsoft.com/en-us/azure/bastion/bastion-nsg

Azure Bastion backend team confirmed that the native client traffic goes via the Bastion, so any NSG configured on the Bastion will be enforced. You can also restrict management traffic ( SSH and RDP ) traffic by adding Azure Bastion subnet range to the VM NSG.

Adding the Azure Bastion Subnet IP address range in the NSG rule of VM will allow only Bastion to be able to open these ports on the target VMs in your target VM subnet and it is secure.

Kindly let us know if the above helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Share via

Azure Active Directory Credentials used with Bastion

0 additional answers

Your answer