Control for configuration on Azure Bastion to remain unchanged

Banerjee, Somdutta 141 Reputation points

Is there a way to ensure that the configuration on Azure Bastion remains unchanged ( specifically the enable support for native client option)? - Resource locks may be used but Can a custom azure policy be created for this?

Azure Bastion
Azure Bastion
An Azure service that provides private and fully managed Remote Desktop Protocol (RDP) and Secure Shell (SSH) access to virtual machines.
243 questions
0 comments No comments
{count} votes

Accepted answer
  1. ChaitanyaNaykodi-MSFT 23,421 Reputation points Microsoft Employee

    Hello @Banerjee, Somdutta ,

    Based on your follow-up question above.

    If someone with contributor/owner roles makes a configuration change -can we prevent it or do we have any mechanism to alert on it.

    I do not think there is a way to prevent this, but you can set alerts based on the Activity logs of your Bastion.

    You can refer to this documentation setting up these alerts. I tried setting up sample alert for my Bastion resource and followed below mentioned steps.

    From the activity logs I selected the Create or Update a Bastion Host category. (You can select the categories based on your requirements)


    You can click on the specified category and then create an alert for the same.


    You can specify the conditions/ actions for these alerts like who will receive these alerts etc.


    Below is the Sample alert I received after I updated the config of the testvnet-Bastion resource.


    Hope this helps. Please let me know if you have any questions. Thank you!

    Additional references:

    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. ChaitanyaNaykodi-MSFT 23,421 Reputation points Microsoft Employee

    Hello @Banerjee, Somdutta , Thank you for reaching out.

    Azure Bastion is integrated with Azure role-based access control (RBAC) to manage its resources. Azure RBAC allows you to manage Azure resource access through role assignments. For example, a user only requires following role assignments to access a virtual machine via Bastion service.

    • Reader role on the virtual machine.
    • Reader role on the NIC with private IP of the virtual machine.
    • Reader role on the Azure Bastion resource.
    • Reader Role on the virtual network of the target virtual machine (if the Bastion deployment is in a peered virtual network).

    If a user has reader role, they can only view the resources and not edit them. Anyone with contributor and owner roles can edit the resources. These are all built-in roles in Azure and you can also set-up custom roles as per your requirement.

    Hope this helps! Please let me know if you have any additional questions. Thank you!

    0 comments No comments