Azure policy definition to allow the access to a VM via Bastion only for users of a specific user group

Question

I have a VM which can be accessed via bastion. I want to write a policy definition to deny the access if the user is NOT a member of a specific user group. I started with the following part, but not sure how to continue with the user and user group part in the definition.

{
      "mode": "All",
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.Network/bastionHosts"
            },
            {
              "field": "name",
              "in": [
                "test-vm-bastion"
              ]
            }
          ]
        },
        "then": {
          "effect": "deny"
        }
      },
      "parameters": {}
    }

I need to correct/complete the definition for the given purpos mentioned up.

Answer 1

To allow the access to a VM via Bastion only for users of a specific user group.

Azure Policy does not directly evaluate user or group membership for access control, Instead, you can use Azure RBAC to restrict to connections to VM via Bastion

Create a custom RBAC role with below permissions.

• Reader role on the Azure virtual machine.
• Reader role on the NIC of the Azure virtual machine.
• Reader role on the Azure Bastion resource.
• Virtual Machine Administrator Login or Virtual Machine User Login role, if you’re using the Azure AD sign-in method.

Go to Resource Group Where your VM resides > Access control (IAM) > Add > Create a custom role

You can use the following JSON code to create a custom role that allows connection to a VM via Bastion. Simply add the code in the JSON section when creating a custom role.

{
    "properties": {
        "roleName": "Bastion Connect role",
        "description": "This role will only be able to connect to the VM if Microsoft Enterprise Login is enabled on the Azure VM.",
        "assignableScopes": [
            "/subscriptions/b83c1ed3-c5b6-44fb-b5ba-2b83a074c23f/resourceGroups/v-venkal-Mindtree"
        ],
        "permissions": [
            {
                "actions": [
                     "*/read",
                    "Microsoft.HybridConnectivity/endpoints/listCredentials/action"
                ],
                "notActions": [],
                "dataActions": [
                    "Microsoft.Compute/virtualMachines/login/action",
                    "Microsoft.Compute/virtualMachines/loginAsAdmin/action",
                    "Microsoft.HybridCompute/machines/login/action",
                    "Microsoft.HybridCompute/machines/loginAsAdmin/action"
                ],
                "notDataActions": []
            }
        ]
    }
}

Once you create a Custom Role, you can assign it to an Azure AD Group at the VM level by navigating to below steps.

Go to your Azure VM > Access control (IAM) > Add > Access control (IAM) > Add role assignment

After assigning the custom role to an Azure AD group, only the members of that group will be able to access the VM through Bastion.

Reference: Connect to a VM using Bastion

Required roles to connect to the VM