
Azure Network Security Blog

Best Practices for Securing Access to VMs

aarontsang
Apr 18, 2025

Explore how Azure Bastion, in combination with Microsoft Entra PIM, secures VM access by eliminating public IPs and enforcing time-based, approved access within a Zero Trust framework.

Introduction

With cybersecurity attacks becoming more common in today’s digital landscape, customers are increasingly focused on securing their cloud environments. A key area of concern is how to protect virtual machine workloads—especially those handling sensitive customer data. Effective protection requires more than just network-level security; it also means ensuring that even authorized users are granted access to VMs only within strictly controlled, pre-approved time windows. In this blog, we’ll explore how Azure Bastion and Microsoft Entra Privileged Identity Management (PIM) help customers adopt a Zero Trust approach to VM access by addressing both network exposure and strict access control. 

How to Secure Your VM Workloads with Azure Bastion

Azure Bastion is a fully managed jumpbox-as-a-service that enables secure and seamless RDP and SSH connectivity to your virtual machines—without exposing their public IP addresses. With seamless integrations into Microsoft Entra ID and Microsoft Entra Privileged Identity Management (PIM), Azure Bastion strengthens your security posture and simplifies identity-based access controls. To ensure secure, compliant, and streamlined access to your VMs, using Bastion is the best practice for all virtual machine deployments. 

Azure Bastion seamlessly integrates with Microsoft Entra ID authentication, enhancing VM sign-in security by eliminating the need for local credentials. Bastion Standard or Premium allows users to connect via native clients using Entra ID authentication. This feature is available for SSH connections in the portal, enabling a secure, one-click experience for Linux VMs. 

While Azure Bastion secures the connection between users and virtual machines, a key access management challenge remains: preventing even Entra ID–authenticated users from holding persistent, always-on access to sensitive VMs. Role-based Just-In-Time (JIT) access solves this by ensuring that access is granted only when necessary and only with explicit approval. By integrating Azure Bastion with Microsoft Entra Privileged Identity Management (PIM), organizations can implement time-bound, approval-based access controls. This enforces a Zero Trust approach in which virtual machines remain inaccessible by default and access is activated only through administrator-approved requests.

Enforcing Zero-Trust Access via Microsoft Entra PIM

Microsoft Entra PIM provides just-in-time access through approval-based role activation, mitigating the risks of excessive, unnecessary, or misused permissions on Azure and other Microsoft Online Services. To support a zero-trust approach, users who must carry out privileged operations can be granted just-in-time privileged access to Azure resources rather than standing permissions.

Better Together

To access a virtual machine via Azure Bastion, a few roles are needed: 

| Capability | IAM needed |
| --- | --- |
| Connect to a Bastion | Reader role on the Bastion, and Reader role on the target VM |
| Log in via Microsoft Entra ID authentication for the virtual machine | Virtual Machine Administrator Login role on the virtual machine, OR Virtual Machine User Login role on the virtual machine |

In the Azure portal, under the Privileged Identity Management resource, there are two Assignment Types that a user may have: 

  • Eligible assignments require the member of the role to perform an action to use the role. Actions might include performing a multifactor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers. 
  • Active assignments don't require the member to perform any action to use the role. Members assigned as active always have the privileges assigned to the role. 

Let’s explore how combining these two services supports a zero-trust approach to VM access.

Example Customer Use Case

At the company Contoso, user Adam would like to access a virtual machine to do monthly patching work. Adam’s manager, Jane, is the administrator of the subscription and approves or denies all access to the virtual machines. Jane has set up access to the virtual machines in her subscription so that everyone who needs to use a virtual machine has “Eligible” access to it. Additionally, she has set up a network security rule that blocks all inbound traffic to the VMs except from Bastion. This ensures a Zero-Trust approach: the VMs are protected from network-level attacks, and access to each VM is limited to an “as-necessary” basis.

 

| User | Role | Role status |
| --- | --- | --- |
| Adam | Reader role on the Bastion | Active |
| Adam | Reader role on the virtual machine | Eligible |
| Adam | Virtual Machine User Login role on the virtual machine | Eligible |
| Adam | Reader role on the virtual machine NIC | Active |
| Adam | Reader role on the virtual network that houses the VM and the Bastion | Active |

Since Adam has only Eligible access to the virtual machine, the resource is not visible to him in the portal. To gain access, Adam goes to the Privileged Identity Management resource in the portal and, under Azure roles, selects “Eligible assignments” and clicks the role he would like to activate.
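Jane's network rule deserves a closer look, because the NSG default rules are easy to get wrong: the built-in AllowVnetInBound rule (priority 65000) still lets any host in the virtual network reach RDP/SSH on the VM unless an explicit lower-priority deny is added. The following is an added example, not code from the post or from Microsoft: a small offline evaluator that applies Azure's NSG semantics (ascending priority, first match wins, default rules last) to a constructed rule set and reports which non-Bastion sources could still reach the management ports. The subnet ranges, probe addresses and the simplified rule field names are assumptions for the example, not the Azure JSON schema.

```python
"""Offline check of NSG inbound rules against the policy 'only Bastion may reach the VMs'.

Azure evaluates NSG rules in ascending priority order; the first rule that matches
decides, and the three built-in default inbound rules are evaluated last.
All addresses and rules below are constructed for the example.
"""
import ipaddress

VNET_RANGE = "10.0.0.0/16"         # assumed virtual network address space
BASTION_SUBNET = "10.0.255.0/26"   # assumed AzureBastionSubnet range (/26 minimum)

# Built-in inbound default rules (names, priorities and semantics as in Azure).
DEFAULT_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow", "protocol": "*",
     "source": "VirtualNetwork", "dest_ports": ["*"]},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow", "protocol": "*",
     "source": "AzureLoadBalancer", "dest_ports": ["*"]},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny", "protocol": "*",
     "source": "*", "dest_ports": ["*"]},
]

# Weak setting: allow from the Bastion subnet, but rely on the defaults for everything else.
WEAK_RULES = [
    {"name": "AllowBastionInbound", "priority": 100, "access": "Allow", "protocol": "Tcp",
     "source": BASTION_SUBNET, "dest_ports": ["22", "3389"]},
]

# Hardened setting: the same allow plus an explicit deny that sits *before* AllowVnetInBound.
HARDENED_RULES = WEAK_RULES + [
    {"name": "DenyAllOtherInbound", "priority": 4096, "access": "Deny", "protocol": "*",
     "source": "*", "dest_ports": ["*"]},
]


def port_matches(spec, port):
    """Match a destination port against '*', a single port, or a 'lo-hi' range."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-")
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def source_matches(rule_source, src_ip):
    """Resolve '*', the service tags used here, or a CIDR against a source address."""
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return ip in ipaddress.ip_network(VNET_RANGE)   # simplified: VNet space only
    if rule_source == "Internet":
        return ip not in ipaddress.ip_network(VNET_RANGE)
    if rule_source == "AzureLoadBalancer":
        return False   # health-probe traffic is not modelled in this example
    return ip in ipaddress.ip_network(rule_source)


def evaluate(rules, src_ip, port, protocol="Tcp"):
    """Return (access, rule_name) for an inbound flow: first match in priority order."""
    for rule in sorted(rules + DEFAULT_RULES, key=lambda r: r["priority"]):
        if rule["protocol"] not in ("*", protocol):
            continue
        if not source_matches(rule["source"], src_ip):
            continue
        if not any(port_matches(p, port) for p in rule["dest_ports"]):
            continue
        return rule["access"], rule["name"]
    raise AssertionError("DenyAllInBound (65500) always matches")


# Constructed probe sources: a Bastion host, another VM in the VNet, and an internet client.
PROBES = {"bastion": "10.0.255.4", "vnet_peer": "10.0.1.20", "internet": "203.0.113.7"}
MGMT_PORTS = (22, 3389)


def management_exposure(rules):
    """List the (source, port) pairs a non-Bastion source could reach on the VM."""
    exposed = []
    for label, ip in PROBES.items():
        for port in MGMT_PORTS:
            access, _ = evaluate(rules, ip, port)
            if access == "Allow" and label != "bastion":
                exposed.append((label, port))
    return exposed


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, "exposure:", management_exposure(rules))
```

With the weak rule set the VNet peer can still reach ports 22 and 3389 through AllowVnetInBound, which is exactly the lateral-movement path Jane's explicit deny closes; the internet probe is already stopped by DenyAllInBound in both cases, so checking only "is it reachable from the internet" would miss the gap.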

Once Jane approves the request, Adam will gain access to the virtual machine for the next X hours. Azure Bastion acts as a secure gateway between Adam and the VM, eliminating the need for a public IP on the VM. Instead, Adam connects through Bastion’s public IP and is authenticated using his Microsoft Entra ID credentials. If session recording is enabled on Bastion, all of Adam’s activity within the VM is graphically captured and stored in a designated storage account container. These recordings can be reviewed at any time via the Bastion resource blade. When the JIT (Just-In-Time) access window expires, Adam's access is automatically revoked, returning the VM to a zero-access state. 
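To make the role requirements, the two PIM assignment types and Adam's JIT window concrete, here is an added example (not code from the post, and not a Microsoft API; the PIM request flow itself is only modelled): it takes Adam's role inventory from the table above, applies the rule that Active assignments always count while Eligible ones count only inside an approved activation window, and checks whether he can connect through Bastion before approval, during the window and after expiry. The approval time and the 4-hour window standing in for the post's "X hours" are assumed values; the policy check that no VM login role may be a standing Active assignment is an added defender's control.

```python
"""Model of Bastion connectivity under PIM assignment rules (Active vs Eligible).

The role requirements come from the capability table in the post. The inventory,
timestamps and activation window are constructed for the example.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Role@scope pairs required to connect through Bastion, and the two Entra ID login roles,
# one of which is additionally required to sign in to the VM.
BASTION_CONNECT = {"Reader@bastion", "Reader@vm"}
VM_LOGIN = {"Virtual Machine Administrator Login@vm", "Virtual Machine User Login@vm"}

APPROVAL_TIME = datetime(2025, 4, 18, 9, 0, tzinfo=timezone.utc)  # constructed
WINDOW = timedelta(hours=4)  # assumed value for the post's "X hours"


@dataclass(frozen=True)
class Assignment:
    role: str
    scope: str
    state: str                               # PIM assignment type: "Active" or "Eligible"
    activated_at: Optional[datetime] = None  # Eligible only: start of the approved window
    duration: Optional[timedelta] = None     # Eligible only: length of the approved window

    @property
    def key(self) -> str:
        return f"{self.role}@{self.scope}"

    def usable_at(self, now: datetime) -> bool:
        """Active always counts; Eligible counts only inside an approved, unexpired window."""
        if self.state == "Active":
            return True
        if self.activated_at is None or self.duration is None:
            return False
        return self.activated_at <= now < self.activated_at + self.duration


def adam_assignments() -> List[Assignment]:
    """Constructed inventory mirroring Adam's row in the table above."""
    return [
        Assignment("Reader", "bastion", "Active"),
        Assignment("Reader", "vm", "Eligible"),
        Assignment("Virtual Machine User Login", "vm", "Eligible"),
        Assignment("Reader", "nic", "Active"),
        Assignment("Reader", "vnet", "Active"),
    ]


def effective_roles(assignments, now):
    """Roles the user actually holds at 'now'."""
    return {a.key for a in assignments if a.usable_at(now)}


def can_connect(assignments, now):
    """Bastion reachability plus at least one VM login role, evaluated at 'now'."""
    roles = effective_roles(assignments, now)
    return BASTION_CONNECT <= roles and bool(VM_LOGIN & roles)


def activate(assignments, role, scope, approved_at, duration):
    """Model an approved PIM activation; returns a new list with the window applied."""
    return [
        replace(a, activated_at=approved_at, duration=duration)
        if a.state == "Eligible" and a.role == role and a.scope == scope else a
        for a in assignments
    ]


def standing_access_findings(assignments):
    """Policy check: VM login roles must never be standing (Active) assignments."""
    return sorted(a.key for a in assignments if a.state == "Active" and a.key in VM_LOGIN)


def jit_timeline():
    """Walk Adam's day: before Jane approves, inside the window, and after it expires."""
    adam = adam_assignments()
    approved = adam
    for role in ("Reader", "Virtual Machine User Login"):
        approved = activate(approved, role, "vm", APPROVAL_TIME, WINDOW)
    return {
        "before_approval": can_connect(adam, APPROVAL_TIME),
        "during_window": can_connect(approved, APPROVAL_TIME + timedelta(hours=1)),
        "after_expiry": can_connect(approved, APPROVAL_TIME + WINDOW),
        "standing_findings": standing_access_findings(adam),
    }


if __name__ == "__main__":
    print(jit_timeline())
```

The same `standing_access_findings` check is the audit a subscription owner would run over a real assignment export: any user holding Virtual Machine Administrator Login or Virtual Machine User Login as an Active rather than Eligible assignment has the persistent access the post's design is meant to remove.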

Conclusion

Azure Bastion eliminates the need for public IP addresses on virtual machines, significantly reducing their exposure to the internet. It integrates seamlessly with Entra ID, allowing users to authenticate directly to VMs without relying on local credentials. When combined with Just-In-Time (JIT) access through Microsoft Entra Privileged Identity Management (PIM), Bastion adds an extra layer of security—ensuring that even authorized users can only connect to VMs during approved time windows. This layered approach not only simplifies secure connectivity but also reinforces a strong Zero Trust access model. 

Updated Apr 18, 2025
Version 1.0