Enable a Shareable Link for Azure Bastion Host

Posted on November 21, 2022

Sometimes people outside your Azure tenant need access to one of your virtual machines. The best way to solve that is to enable Shareable Links on your Bastion host, which lets users with a dedicated link access a specified virtual machine or virtual machine scale set without accessing the Azure Portal.

This article will provide instructions on how to configure this feature.

Prerequisites

  • A vNet that’s not peered.
  • A Bastion Host with Standard Tier.

Configuration

Because the shareable links feature is still in preview and cannot be enabled in the Azure Portal, we need to enable it via MS Graph or an equivalent method. I’ve chosen to do this in Terraform.

In Terraform (or your method of choice), we must set the argument shareable_link_enabled to true.
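A minimal Terraform configuration with this argument set, added here as an example and not the author's own code. All resource names, the region and the address ranges are assumptions; the subscription is expected to come from the environment (for example ARM_SUBSCRIPTION_ID).

```hcl
# Added example: names, region and address ranges are assumed values.
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "rg-bastion-example"
  location = "westeurope"
}

resource "azurerm_virtual_network" "example" {
  name                = "vnet-bastion-example"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

# Bastion requires a subnet named exactly AzureBastionSubnet, /26 or larger.
resource "azurerm_subnet" "bastion" {
  name                 = "AzureBastionSubnet"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.1.0/26"]
}

resource "azurerm_public_ip" "bastion" {
  name                = "pip-bastion-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_bastion_host" "example" {
  name                   = "bas-example"
  location               = azurerm_resource_group.example.location
  resource_group_name    = azurerm_resource_group.example.name
  sku                    = "Standard" # prerequisite: Standard tier
  shareable_link_enabled = true       # turns on the Shareable links setting

  ip_configuration {
    name                 = "bastion-ipconfig"
    subnet_id            = azurerm_subnet.bastion.id
    public_ip_address_id = azurerm_public_ip.bastion.id
  }
}
```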

Once we’ve applied this, Shareable links appears as a new setting for our Bastion Host in the portal, under Settings.

Click on Add to create your first shareable link next to the new setting.

In the next step, we can specify which resource group and VM we would like to create our shareable link for.  

Bastion Shareable Link creation is currently only available for resources in the same virtual network and/or in peered virtual networks within the same subscription and region.

When clicking Apply, we get a shareable link that gives access to the chosen VM, even from outside your Azure tenant. Whomever you send your new shareable link to will ONLY gain access to the VM you select in this step.

The receiver of your shareable link will still need to provide authentication to the actual VM.

Wrap-up

This feature has been available through the REST API since January 2022; however, when we needed this, we couldn’t find any documentation. Now that it’s here, we are so happy. Having the possibility to give access to a particular VM is a much-awaited feature and provides us with a lot of flexibility.

I hope this helped someone.

Written by Sebastian Schillman