How to Use Share Controls in Azure Bastion

Share controls let you securely expose a remote desktop or SSH session to other users without giving them direct VM access. This page walks you through enabling, configuring, and using share controls in Azure Bastion.

Share controls provide a temporary, time‑bound URL that any user with the link can open in a browser. The session respects the permissions set on the Bastion host and can be revoked at any time.

Tip: Use share controls for quick support sessions or demoing an environment without creating additional service principals.

Prerequisites

  • Azure Bastion must be deployed in the same virtual network as the target VM.
  • Connector version ≥ 2023‑09‑01.
  • The Reader role on the Bastion resource for the user who will generate the share link.
  • A network security group allowing outbound HTTPS (port 443) from the Bastion host.

Enable Share Controls

From the Azure portal:

  1. Navigate to Azure Bastion → your bastion host.
  2. Select Configuration → Share controls.
  3. Toggle Enable share controls to On and click Save.

Alternatively, use Azure CLI:

az network bastion update \
    --resource-group MyResourceGroup \
    --name MyBastion \
    --enable-share-controls true

Generate a Share Link

While connected to a VM via Azure Bastion:

  1. Click the Share icon in the top‑right corner of the Bastion session window.
  2. Set an optional expiration (max 24 hours) and click Create link.
  3. Copy the generated URL and send it to the intended recipient.

The link looks like:

https://portal.azure.com/#blade/Microsoft_Azure_Bastion/ShareControlBlade/uri/abcd1234efgh5678

Revoke a Share Link

In the Active shares list under the same Share controls pane, click the Revoke button next to a link to terminate access immediately.

REST API

Programmatic creation of share links is supported via the Azure Management REST API.

POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{rg}/providers/Microsoft.Network/bastionHosts/{bastionName}/shareLinks?api-version=2023-09-01

{
  "properties": {
    "targetVmId": "/subscriptions/{subId}/resourceGroups/{rg}/providers/Microsoft.Compute/virtualMachines/{vmName}",
    "sessionType": "RDP",
    "expiration": "2025-09-30T12:00:00Z"
  }
}

The response includes the shareLinkUri, which can be handed to end users.
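
Because anyone holding the link can open the session, it helps to validate the request before it is sent. The builder below produces the URL and body for the POST shown above and refuses lifetimes over the 24-hour maximum or a target that is not a VM resource ID. It is an added example, not Microsoft's code; the function name, the "SSH" session type value and the sample IDs are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

API_VERSION = "2023-09-01"            # api-version shown on this page
MAX_LIFETIME = timedelta(hours=24)    # maximum expiration stated on this page
SESSION_TYPES = {"RDP", "SSH"}        # "SSH" as a request value is an assumption
VM_ID_RE = re.compile(
    r"^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[\w.()-]+"
    r"/providers/Microsoft\.Compute/virtualMachines/[\w-]+$"
)

def build_share_link_request(subscription_id, rg, bastion_name, vm_id,
                             session_type, lifetime, now=None):
    """Return (url, body) for the share-link POST, rejecting over-broad links."""
    now = now or datetime.now(timezone.utc)
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    if not VM_ID_RE.match(vm_id):
        raise ValueError("targetVmId is not a virtual machine resource ID")
    if session_type not in SESSION_TYPES:
        raise ValueError(f"unsupported sessionType: {session_type!r}")
    if not timedelta(0) < lifetime <= MAX_LIFETIME:
        raise ValueError("lifetime must be positive and at most 24 hours")
    # Always emit the expiration in UTC with a trailing Z, as in the sample body.
    expiration = (now + lifetime).astimezone(timezone.utc)
    url = (
        f"https://management.azure.com/subscriptions/{subscription_id}"
        f"/resourceGroups/{rg}/providers/Microsoft.Network"
        f"/bastionHosts/{bastion_name}/shareLinks?api-version={API_VERSION}"
    )
    body = {"properties": {
        "targetVmId": vm_id,
        "sessionType": session_type,
        "expiration": expiration.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }}
    return url, body

if __name__ == "__main__":
    # Constructed sample values, not real resources.
    sub = "00000000-0000-0000-0000-000000000000"
    vm = (f"/subscriptions/{sub}/resourceGroups/MyResourceGroup"
          "/providers/Microsoft.Compute/virtualMachines/demo-vm")
    fixed_now = datetime(2025, 9, 30, 8, 0, tzinfo=timezone.utc)
    print(build_share_link_request(sub, "MyResourceGroup", "MyBastion",
                                   vm, "RDP", timedelta(hours=4), fixed_now))
```

Passing the shortest lifetime the support task needs, rather than the 24-hour maximum, limits how long a leaked link stays usable.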