BastionJitVmAccess.json

{
  "properties": {
    "roleName": "Bastion VM Access",
    "description": "Grants the necessary reader access connect to virtual machines via a Bastion Host, including the ability to make JIT requests.",
    "assignableScopes": [],
    "permissions": [
      {
        "actions": [
          "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action",
          "Microsoft.Security/locations/jitNetworkAccessPolicies/read",
          "Microsoft.Security/policies/read",
          "Microsoft.Compute/virtualMachines/read",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Network/networkInterfaces/read",
          "Microsoft.Network/bastionHosts/read",
          "Microsoft.Network/networkWatchers/write",
          "Microsoft.Network/networkWatchers/read",
          "Microsoft.Network/networkWatchers/networkConfigurationDiagnostic/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}