I’ve recently set up Azure Bastion to give external users/vendors access to resources via RDP or SSH following these instructions:
The key permissions outlined in the prerequisites at point 3 are:
- A virtual network.
- A Windows virtual machine in the virtual network.
- The following required roles:
  - Reader role on the virtual machine.
  - Reader role on the NIC with private IP of the virtual machine.
  - Reader role on the Azure Bastion resource.
- Ports: To connect to the Windows VM, you must have the following ports open on your Windows VM:
  - Inbound ports: RDP (3389)
My scenario is to invite a guest AAD account, add them to a group and grant the group access as per below:
- Grant Contributor role to the resource group that has the VMs for the application.
- Grant Reader role to the resource group that has the Bastion host.
This way the guest user logs into the Azure Portal, complying with our conditional access policy, and is then presented with only the resources they have read or higher access to. In this scenario that is the two resource groups outlined above.
The guest user locates the virtual machine they wish to connect to and then chooses Connect > Bastion > Use Bastion, and the following error message is presented:
“Unable to query Bastion data”
Initially, working with Microsoft support, we found that granting Reader access at the subscription level gave the user permission to enact the Bastion service, which simply gives a username and password input.
These permissions were too lax as a workaround and exposed a lot of production data to accounts that didn’t really have any business looking at it.
[12/11/2020] The case is ongoing inside Microsoft and I will leave a definitive response when I get the information. I’ve done some further investigation into what the least amount of additional ‘Reader’ permissions required would be. I’ve found the following permissions are required in my scenario:
- Reader permissions on the Virtual Network that has the ‘AzureBastionSubnet’ subnet.
- Reader permissions on the Virtual Network that has the connected virtual machine’s network interface.
In my scenario, the virtual machines are located in a development Virtual Network that is peered with the production Virtual Network which has the subnet ‘AzureBastionHost’. So I had two sets of permissions to add. After applying the permissions you may need to get a coffee and return to the portal, as it took 5-10 minutes to kick in for me.
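To make the resulting least-privilege set reproducible, here is an added Azure CLI script (my own example, not part of the original post or Microsoft's guidance) that applies the four role assignments described above to a guest group: Contributor on the application resource group, Reader on the Bastion resource group, and Reader on the two peered virtual networks. All subscription, group and resource names are placeholders, and with the default DRY_RUN=1 it only prints the commands it would run.

```shell
#!/usr/bin/env bash
# Added example: grant a guest AAD group the minimal role set needed for
# Azure Bastion access to VMs in a peered VNet. Names are placeholders.
# DRY_RUN=1 (default) prints the az commands; DRY_RUN=0 executes them.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# Resource-group scope: /subscriptions/<sub>/resourceGroups/<rg>
rg_scope() {
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# Virtual-network scope under Microsoft.Network.
vnet_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s' "$1" "$2" "$3"
}

# Print or run one role assignment for the group object id.
assign() {
  local group_oid="$1" role="$2" scope="$3"
  local cmd="az role assignment create --assignee-object-id $group_oid --assignee-principal-type Group --role \"$role\" --scope $scope"
  if [ "$DRY_RUN" = "1" ]; then echo "$cmd"; else eval "$cmd"; fi
}

# Apply the whole set. Arguments:
#   sub group_oid app_rg bastion_rg bastion_vnet_rg bastion_vnet vm_vnet_rg vm_vnet
grant_bastion_access() {
  local sub="$1" group="$2" app_rg="$3" bastion_rg="$4"
  local b_vnet_rg="$5" b_vnet="$6" vm_vnet_rg="$7" vm_vnet="$8"
  # Contributor on the RG holding the application VMs (post's first bullet).
  assign "$group" "Contributor" "$(rg_scope "$sub" "$app_rg")"
  # Reader on the RG holding the Bastion host (post's second bullet).
  assign "$group" "Reader" "$(rg_scope "$sub" "$bastion_rg")"
  # Reader on the VNet containing AzureBastionSubnet.
  local b_scope; b_scope=$(vnet_scope "$sub" "$b_vnet_rg" "$b_vnet")
  assign "$group" "Reader" "$b_scope"
  # Reader on the VNet containing the VM NIC; skip when it is the same VNet.
  local v_scope; v_scope=$(vnet_scope "$sub" "$vm_vnet_rg" "$vm_vnet")
  if [ "$v_scope" != "$b_scope" ]; then assign "$group" "Reader" "$v_scope"; fi
}

# Sample run with placeholder ids (DRY_RUN=1 just prints the four commands).
grant_bastion_access 00000000-0000-0000-0000-000000000000 \
  11111111-1111-1111-1111-111111111111 rg-app rg-bastion rg-prod vnet-prod rg-dev vnet-dev
```

After running it for real, `az role assignment list --assignee <group object id> --all -o table` shows the assignments, and the portal may still take several minutes to reflect them, as noted above.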
Hope this helps someone that has done some googling but is still scratching their head with this error message.