Guest User Access to Bastion

Hello all


I am looking to use one or more Azure VMs as a jump box for Azure AD external identities, with access through Bastion. I was given confidence in taking this path when I saw this question and answer in the Bastion FAQs:

"Does Bastion support Azure AD guest accounts?

Yes, Azure AD guest accounts can be granted access to Bastion and can connect to virtual machines."


However, I am finding it extremely hard to get working in practice, either with direct RDP to a public IP or via Bastion. In particular, I have noticed a note in the documentation for allowing Azure AD credentials to sign in to an Azure VM:

"Remote connection to VMs that are joined to Azure AD is allowed only from Windows 10 or later PCs that are either Azure AD registered (minimum required build is 20H1) or Azure AD joined or hybrid Azure AD joined to the same directory as the VM."


This suggests very strongly that the end user device needs to be joined to the same Azure AD directory as the VM to which you are connecting. Whilst I suppose that a Guest user could in theory have a device joined to the AAD tenant that they are a Guest in, I think it's a highly unlikely scenario and certainly not the case with what we're looking to do.


Has anyone had success in allowing Guest users to log in to an Azure VM via Bastion, particularly using a device that's not in the same directory as the VM?



2 Replies
best response confirmed by Nesral (New Contributor)
I think what is supported is AuthN to the Azure portal with access to Bastion using a guest account, and then using a native/local account to log in to the system. Access can then be audited from the Bastion diagnostic and audit logs, which show what accounts were used for portal and system access. Has anyone been able to log in to the system directly with a guest account?

@Yordan Dimov thank you. After some more experimentation, I've come to the same conclusion: it's quite possible to authenticate to the Azure Portal/Bastion using a guest account, but you then have to use a local account, an AD/AADDS account or a full AAD member account to authenticate against the OS of the VM.


Hopefully this is something Microsoft will change in the future, as there are similar limitations in Azure Virtual Desktop and Windows 365.