Guest User Access to Bastion

Occasional Visitor

Hello all


I am looking to use one or more Azure VMs as a jump box for Azure AD external identities, with access through Bastion. I was given confidence in taking this path when I saw on the Bastion FAQs the question and answer:

"Does Bastion support Azure AD guest accounts?

Yes, Azure AD guest accounts can be granted access to Bastion and can connect to virtual machines."


However, I am finding it extremely hard to get this working in practice, either with direct RDP to a public IP or via Bastion. In particular, I have noticed a note in the documentation for allowing Azure AD credentials to sign in to an Azure VM:

"Remote connection to VMs that are joined to Azure AD is allowed only from Windows 10 or later PCs that are either Azure AD registered (minimum required build is 20H1) or Azure AD joined or hybrid Azure AD joined to the same directory as the VM."


This suggests very strongly that the end-user device needs to be joined to the same Azure AD directory as the VM to which you are connecting. Whilst I suppose that a Guest user could in theory have a device joined to the AAD tenant that they are a Guest in, I think it's a highly unlikely scenario and certainly not the case with what we're looking to do.


Has anyone had success in allowing Guest users to log in to an Azure VM via Bastion, particularly using a device that's not in the same directory as the VM?



0 Replies