Azure Network Security Blog

Public Preview: Managed Identity support for graphical session recording

aarontsang (Microsoft)
Apr 30, 2026

Overview

Azure Bastion provides secure RDP and SSH access to Azure virtual machines directly via the Azure portal or via the native SSH/RDP client already installed on your local computer. Today, we are introducing the public preview of managed identity support for session recording, giving administrators a seamless, identity-based way to authenticate Bastion when writing recordings to a designated storage account.

Why Managed Identities?

With managed identity support, Bastion authenticates directly to your storage account using an Azure identity, with no additional credentials to configure or manage. You can use either a system-assigned or user-assigned managed identity depending on your needs. Authentication is handled automatically through Microsoft Entra ID, which means setup is straightforward: enable the identity, assign a role, and point Bastion at your storage container. For organizations operating at scale across many Bastion deployments and regions, this identity-based approach removes the need to manage credentials, aligns with Zero Trust principles, and lets you control access centrally through Azure RBAC.

Getting Started in Azure Portal

Prerequisites

  • Ensure that Azure Bastion is deployed with the Premium SKU
  • Ensure that a storage account with a dedicated container for session recordings is created
  • Ensure that the storage account has the required CORS policy configured. Click here to set up the storage account for session recordings
  • Ensure that users who need to view recordings have the Storage Blob Data Reader role on the storage account

Steps

  1. Navigate to your Bastion resource in the Azure portal.
  2. Select Identity (Preview) in the left pane and turn the Status to On to enable a system-assigned managed identity. Wait for the configuration to complete.
  3. Select Azure role assignments, then select Add role assignment (Preview). Assign the Storage Blob Data Contributor role scoped to your storage account.
  4. Select Save, then navigate to the Configuration blade.
  5. Under Session Recording Configuration, select System Assigned Managed Identity and enter the Blob Container URI for your storage container.
  6. Navigate to the Session recordings blade to view and play back recorded sessions.
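
To confirm the role assignments from the prerequisites and step 3 after setup, the following added example (not part of the original post or any Microsoft tooling) audits an exported role-assignment list. It assumes the input uses the `principalId`, `roleDefinitionName` and `scope` fields as emitted by `az role assignment list --all -o json`; every ID, resource name and the `audit` helper are constructed for illustration.

```python
# Added example: audit RBAC for Bastion session recording. All IDs below are constructed.
from urllib.parse import urlparse

WRITER_ROLE = "Storage Blob Data Contributor"  # role the post assigns to Bastion's identity
READER_ROLE = "Storage Blob Data Reader"       # role the post requires for viewers

def parse_container_uri(uri):
    """Split a Blob Container URI into (storage account, container)."""
    u = urlparse(uri)
    host, path = u.hostname or "", u.path.strip("/")
    if u.scheme != "https" or ".blob." not in host or not path or "/" in path:
        raise ValueError(f"not an https blob container URI: {uri!r}")
    return host.split(".")[0], path

def covers(scope, resource_id):
    """Azure RBAC is inherited: a scope covers itself and every resource below it."""
    s, r = scope.rstrip("/").lower(), resource_id.rstrip("/").lower()
    return r == s or r.startswith(s + "/")

def audit(assignments, bastion_id, viewers, account_id, container_uri):
    """Return findings; an empty list means RBAC matches the post's steps."""
    findings = []
    account, _ = parse_container_uri(container_uri)
    if not account_id.lower().endswith("/storageaccounts/" + account):
        findings.append(f"container URI names account '{account}', not the audited one")
    def scopes(principal, role):  # scopes at or above the account where role is held
        return [a["scope"] for a in assignments if a["principalId"] == principal
                and a["roleDefinitionName"] == role and covers(a["scope"], account_id)]
    held = scopes(bastion_id, WRITER_ROLE)
    if not held:
        findings.append(f"Bastion identity lacks {WRITER_ROLE} on the storage account")
    for s in held:  # the post scopes the role to the account; flag anything broader
        if s.rstrip("/").lower() != account_id.lower():
            findings.append(f"{WRITER_ROLE} granted above the storage account: {s}")
    findings += [f"viewer {v} lacks {READER_ROLE}" for v in viewers
                 if not scopes(v, READER_ROLE)]
    return findings

# Constructed sample: Bastion's identity over-scoped at the subscription, one viewer missing.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
ACCOUNT_ID = SUB + "/resourceGroups/rg-bastion/providers/Microsoft.Storage/storageAccounts/bastionrecs"
URI = "https://bastionrecs.blob.core.windows.net/recordings"
BASTION, ALICE, BOB = "bastion-mi-object-id", "alice-object-id", "bob-object-id"
SAMPLE = [
    {"principalId": BASTION, "roleDefinitionName": WRITER_ROLE, "scope": SUB},
    {"principalId": ALICE, "roleDefinitionName": READER_ROLE, "scope": ACCOUNT_ID},
]
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, BASTION, [ALICE, BOB], ACCOUNT_ID, URI)))
```

The check follows the post's scoping (storage account level), so an assignment made only at a narrower scope is reported as missing and should be reviewed by hand.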

Next Steps

Learn more about configuring session recording with managed identities here and keep up to date with all things Azure Bastion in our What's New page.

Updated Apr 23, 2026
Version 1.0