Jan 15 2023 01:22 AM
Hello all
I am looking to use one or more Azure VMs as a jump box for Azure AD external identities, with access through Bastion. I was given confidence in taking this path when I saw on the Bastion FAQs the question and answer:
"Yes, Azure AD guest accounts can be granted access to Bastion and can connect to virtual machines."
However I am finding it extremely hard to get working in practice, either with direct RDP to a public IP or via Bastion. In particular, I have noticed a note in the documentation for allowing Azure AD credentials to sign in to an Azure VM:
"Remote connection to VMs that are joined to Azure AD is allowed only from Windows 10 or later PCs that are either Azure AD registered (minimum required build is 20H1) or Azure AD joined or hybrid Azure AD joined to the same directory as the VM."
Which suggests very strongly that the end user device needs to be joined to the same Azure AD directory as the VM to which you are connecting. Whilst I suppose that a Guest user could in theory have a device joined to the AAD tenant that they are a Guest in, I think it's a highly unlikely scenario and certainly not the case with what we're looking to do.
Has anyone had success in allowing Guest users to log in to an Azure VM via Bastion? Particularly using a device that's not in the same directory as the VM.
Thanks!
May 02 2023 04:46 AM
Solution
May 02 2023 01:10 PM
@YSDimov_Live thank you. After some more experimentation, I've come to the same conclusion - it's quite possible to authenticate to Azure Portal/Bastion using a guest account, but you then have to use a local account, AD/AADDS or AAD full member account to authenticate against the OS of the VM.
Hopefully this is something Microsoft will change in the future, as there are similar limitations in Azure Virtual Desktop and Windows 365.