Unable to Connect to Azure Bastion Host Due to Authorization Error

Question

Unable to Connect to Azure Bastion Host Due to Authorization Error

Daniel Izzudin Arshad 0

A solution is being published in Azure Marketplace that deploys a Virtual Machine and Azure Bastion into a consumer’s subscription.

Previously, the deployment was successful in the customer’s Dev subscription without explicit read access to the existing VNET, enabling connection to the VM via Azure Bastion. However, in a deployment to the Prod subscription for the same customer, an authorization failure occurs when attempting to connect to the Bastion-hosted VM through the Azure portal.

When inspecting the network through Chrome tools, an authorization error is visible.

User's image

The error details are as follows:

"com.azure.core.management.exception.ManagementException: Status code 403, \"{\"error\":{\"code\":\"AuthorizationFailed\",\"message\":\"The client '******@any.com' with object id '326f4184-db7f-xxxx-xxxx-xxxxxxxxxxxx' does not have authorization to perform action 'Microsoft.Network/virtualNetworks/read' over scope '/subscriptions/{subscription_id}/resourceGroups/{vnet_rg}providers/Microsoft.Network/virtualNetworks/{vnet_name}' or the scope is invalid. If access was recently granted, please refresh your credentials.\"}}\"

In the previous installation on the Dev Subscription, there was also no read access to the VNET, yet the connection was successful.

Environment Details

VM and Bastion are deployed in the same VNET but different subnet.
The Bastion subnet is correctly configured (AzureBastionSubnet).
The same deployment template and parameters were used in both subscriptions.

Expected Behavior

Azure Bastion should allow connection to the deployed VM without requiring explicit read permissions to the entire VNET, as experienced in the Dev subscription deployment.

Actual Behavior

Connection attempts fail with a 403 AuthorizationFailed error for Microsoft.Network/virtualNetworks/read.

1 answer

Your answer

Answer 1

Jerald Felix 7,515

Hello Daniel Izzudin Arshad,

Thank you for the excellent and detailed breakdown of the issue. The authorization error you're encountering is very specific, and your investigation is pointing in the right direction.

The core of the issue is that the user attempting to connect via Azure Bastion must have read permissions on both the Bastion host and the target Virtual Network (VNet). The error message confirms this explicitly: the client does not have authorization to perform the action Microsoft.Network/virtualNetworks/read.

The "Dev vs. Prod" Inconsistency

The key to understanding the discrepancy between your Dev and Prod subscriptions lies in how permissions are often configured in different environments:

Dev Subscription: It is highly likely that in the Dev environment, the user had implicit Reader access at a higher scope, such as the resource group or the entire subscription. This is common in less restrictive development environments. This inherited permission satisfied Bastion's requirement to read the VNet properties, so the connection worked without an explicit role assignment on the VNet itself.
Prod Subscription: Production environments typically follow a principle of least privilege, meaning permissions are more granular and locked down. In this case, the user likely does not have those broad, inherited permissions, which exposes the fact that the direct Microsoft.Network/virtualNetworks/read permission is missing.

The behavior you are seeing in the Prod subscription is the correct and expected behavior. Azure Bastion needs to read the VNet's configuration to establish the connection path, and the user initiating that connection must have the rights to do so.

The Solution

To resolve this, you must grant the necessary permissions to the user in the production environment. You have two primary options:

Assign the Built-in "Reader" Role (Easiest):

Navigate to the Virtual Network resource in the Azure portal.

  Go to **Access control (IAM)**.
  
     Click **Add** > **Add role assignment**.
     
        Select the **Reader** role.
        
           Assign it to the user or group that needs to connect via Bastion.
           
           **Create a Custom Role (Least Privilege)**:
           
              For a more granular, security-focused approach, you can create a custom role that contains *only* the required permissions for Bastion access. The essential permissions are:
              
                    **`Microsoft.Network/virtualNetworks/read`** (as indicated by your error)
                    
                          **`Microsoft.Network/bastionHosts/read`**

By applying one of these role assignments, you will provide the necessary authorization for the user to read the VNet's properties, allowing the Bastion connection to proceed successfully.

Best Regards,

Jerald Felix

Daniel Izzudin Arshad 0 Reputation points

2025-09-11T15:47:58.62+00:00

Hi @Jerald Felix,

Thank you for your response.

We attempted to assign the Reader role to the VNET for the user. However, this isn’t possible because the user resides in a different tenant from where the VNET resources are located. As a result, we’re unable to locate ******@company1.com within the Company2 tenant to grant the required permissions.

This limitation exists because the Bastion was deployed through the Azure Marketplace, and our access as the provider is limited to being part of the Azure Marketplace application owner group within the managed resource group. Unfortunately, this means we cannot access resources outside of that managed resource group.

According to Microsoft documentation, the VNET Reader role is only required when the Bastion is deployed in a peered virtual network separate from the VM’s network. Since both the Bastion and the VM are deployed in the same VNET, shouldn’t the VNET Reader role not be required in this scenario?

Kind regards, Daniel
Jerald Felix 7,515 Reputation points

2025-09-11T15:54:13.22+00:00

Hello Daniel Izzudin Arshad,,

Thank you for the excellent follow-up and for providing that crucial context. The cross-tenant nature of the problem and your point about the documentation are key to understanding this.

You are absolutely correct in your reading of the Microsoft documentation. For a deployment where the VM and Bastion are in the same VNet, the documentation focuses on the roles required for the VM and its NIC. Your attention to detail here is spot-on.

However, the definitive clue in any troubleshooting scenario is the error message itself. The API is returning a clear AuthorizationFailed error for the action Microsoft.Network/virtualNetworks/read. This tells us that regardless of the documented minimums for a standard setup, the specific process being invoked by the Azure portal to initiate the Bastion connection is performing a check that requires read access to the VNet. When there is a discrepancy between documentation and a live API error, the error reflects the immediate requirement that must be satisfied. The Production subscription's stricter permission model is simply exposing this required check, which was likely being satisfied by broader, inherited permissions in the Dev environment.

The Cross-Tenant Solution

Now, let's address the primary challenge: you cannot assign the role because the user is in a different tenant. This is expected behavior, as Azure's Identity and Access Management (IAM) is scoped to its own tenant.

To resolve this, the user from company1.com must be invited into the Company2 tenant as a guest user. Once they have a guest identity within the target tenant, you can assign roles to them.

The administrator for the customer's Company2 tenant will need to perform the following steps:

Navigate to Azure Active Directory in the Azure portal.

Go to Users and select New user > Invite external user.

Enter the email address of the user (e.g., ******@company1.com) and send the invitation.

After the user accepts the invitation, their account will appear as a Guest in the Company2 Azure AD.

Once this is done, the administrator can navigate to the Virtual Network's Access control (IAM) blade, click Add role assignment, select the Reader role, and will now be able to search for and assign it to the guest user's identity.

This will grant the necessary Microsoft.Network/virtualNetworks/read permission to the user's identity within the tenant, satisfying the API's requirement and allowing the Bastion connection to succeed.

Hope this clears things up!

Best Regards,

Jerald Felix
Thanmayi Godithi 1,635 Reputation points Microsoft External Staff Moderator

2025-09-15T09:17:29.2566667+00:00

Hi @Daniel Izzudin Arshad,

Just checking in to see if you had a chance to see the previous response posted by @Jerald Felix. Please "Accept the answer" if the information helped you. This will help us and others in the community as well. If you have any further questions do let us know.
Thanmayi Godithi 1,635 Reputation points Microsoft External Staff Moderator

2025-09-16T09:29:52.32+00:00

Hi @Daniel Izzudin Arshad,

Just checking in to see if you had a chance to see the previous response posted by @Jerald Felix. Please "Accept the answer" if the information helped you. This will help us and others in the community as well. If you have any further questions do let us know.

Share via

Unable to Connect to Azure Bastion Host Due to Authorization Error

1 answer

Your answer