User Permissions for Azure Bastion

This document covers the permissions necessary to enable a user to access an Azure VM via Azure Bastion.

All permissions are granted via the Azure Portal. The user being granted access must have an account in the Azure AD tenant for the subscription the VM is in. They can be a guest user.

Bastion

  1. Select the Bastions resource

  2. Select the Bastion the VM uses

  3. Select Access control (IAM)

  4. Add

  5. Add role assignment

    1. Role - Reader

    2. Assign access to - Azure AD user, group, or service principal

    3. Select - the user or group

    4. Save

Virtual Machine

  1. Select the Virtual machines resource

  2. Select the VM you want to grant access to

  3. Select Access control (IAM)

  4. Add

  5. Add role assignment

    1. Role - Virtual Machine User Login

    2. Assign access to - Azure AD user, group, or service principal

    3. Select - the user or group

    4. Save

Virtual Machine NIC

  1. Select the Virtual machines resource

  2. Select the VM you want to grant access to

  3. Select Networking

  4. Select the "Network interface:"

  5. Select Access control (IAM)

  6. Add

  7. Add role assignment

    1. Role - Reader

    2. Assign access to - Azure AD user, group, or service principal

    3. Select - the user or group

    4. Save
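
The three procedures above each grant one role at one resource scope. The following POSIX shell functions are an added example, not part of the original document: they express the same assignments as Azure CLI commands and check a user's existing assignments against them. The subscription, resource group, resource names and assignee are placeholders supplied by the caller; an assignment inherited from the resource group or subscription counts as present, and management-group scopes are not checked.

```sh
#!/bin/sh
# Added example. Arguments <sub> <rg> <bastion> <vm> <nic> are caller-supplied placeholders.
TAB=$(printf '\t')

# Emit "role<TAB>scope" for the three assignments this page describes.
required_assignments() (
  base="/subscriptions/$1/resourceGroups/$2/providers"
  printf '%s\t%s\n' \
    "Reader" "$base/Microsoft.Network/bastionHosts/$3" \
    "Virtual Machine User Login" "$base/Microsoft.Compute/virtualMachines/$4" \
    "Reader" "$base/Microsoft.Network/networkInterfaces/$5"
)

# Print (do not run) the az commands that create the assignments for <assignee>.
grant_commands() (
  assignee=$1; shift
  required_assignments "$@" | while IFS="$TAB" read -r role scope; do
    printf "az role assignment create --assignee '%s' --role '%s' --scope '%s'\n" \
      "$assignee" "$role" "$scope"
  done
)

# stdin: the user's current assignments as "role<TAB>scope" lines, e.g. from
#   az role assignment list --assignee <user> --all \
#     --query "[].[roleDefinitionName,scope]" -o tsv
# stdout: each required assignment that is not present.
missing_assignments() (
  granted=$(cat)
  required_assignments "$@" | while IFS="$TAB" read -r role scope; do
    # Scopes are compared case-insensitively. A grant at a parent scope covers
    # the resource; the trailing "/" stops "rg" from matching "rg1".
    printf '%s\n' "$granted" | awk -F'\t' -v role="$role" -v want="$scope" '
      BEGIN { want = tolower(want) }
      { have = tolower($2) }
      $1 == role && (have == want || index(want, have "/") == 1) { found = 1 }
      END { exit !found }' || printf '%s\t%s\n' "$role" "$scope"
  done
)

# Run as: sh script.sh <assignee> <sub> <rg> <bastion> <vm> <nic>
if [ "$#" -eq 6 ]; then
  grant_commands "$@"
fi
```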



© 2023 Foray, LLC - All Rights Reserved