Allow VM SSO with Azure AD & Bastion Host
I'm not sure why Bastion as a Service does not support Azure AD login for VMs which are Azure AD joined.
I would hope to see VMs which are Azure AD joined, accessed through Bastion as a Service, simply use SSO to connect to the VM.
When authenticated users go to connect, instead of being prompted for a password, Bastion should simply see which account they are logged into Azure with, and automatically sign them into the VM (provided IAM allows) when they attempt to connect through Bastion.
This would allow much easier authentication (especially when dealing with 3rd parties who require VM usage and have AAD accounts in our tenant).
The situation right now:
- Accounts with MFA are not supported (why???)
- Bastion as a Service does not support Azure AD login (again... why?)
- A VM which is configured for AAD login requires that the source machine initiating an RDP connection must be Azure AD joined to the same tenant.
This situation is not friendly to large enterprises which utilise numerous 3rd parties.
- Bastion as a Service supports AAD login, and utilises SSO from portal.azure.com to establish a remote desktop in the browser (no login prompt). Virtual Machine User/Administrator IAM groups would authorise this.
- When SSO is not used, MFA should (definitely should) be supported. This is a given, and I still don't understand why it's not supported. This is a major security oversight, as you're currently encouraging Ops teams to disable MFA to allow Azure AD login.
I'm not asking for much... a simple SSO integration and support for MFA for non-SSO connections.