
Azure Just-In-Time access: How to request Just-In-Time access outside of Azure Portal?


I've configured Just-In-Time access for my VM in Azure and it works. However, every time I have to go to the Azure Portal to request Just-In-Time access. Is there any alternative to the Azure Portal for requesting Just-In-Time access?


How to request Just-In-Time access outside of Azure Portal?


Solution

  • I tried to reproduce the same in my environment and got results like below:

    You can make use of a PowerShell command to request Just-In-Time access like below:

    $JitPolicy = (@{    
         id="/subscriptions/SUBID/resourceGroups/RGNAME/providers/Microsoft.Compute/virtualMachines/VMNAME";
         ports=(@{
              number=22;
              protocol="*";
              allowedSourceAddressPrefix=@("*");
              maxRequestAccessDuration="PT3H"},
              @{
              number=3389;
              protocol="*";
              allowedSourceAddressPrefix=@("*");
              maxRequestAccessDuration="PT3H"})})
    

    Connect your PowerShell environment to your Azure AD. After that, create a JIT policy like below:

    Ports 22 and 3389 for RDP access will have a maximum request access duration of three hours:

    $JitPolicyArr=@($JitPolicy)
    Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location "EastUS" -Name "default" -ResourceGroupName "RGNAME" -VirtualMachine $JitPolicyArr
    

    Then, with the Set-AzJitNetworkAccessPolicy command, you can request creation of a new JIT policy for this machine.

    You can see the new Security Center JIT rule, with the port denied and blocked from outside of Azure, like below:

    Now, you can raise a just-in-time access request using the below command:

    $JitPolicyVm1 = (@{
        id="/subscriptions/SUBSCRIPTIONID/resourceGroups/RESOURCEGROUP/providers/Microsoft.Compute/virtualMachines/VMNAME";
        ports=(@{
            number=22;
            endTimeUtc="2022-12-13T17:00:00.3658798Z";
            allowedSourceAddressPrefix=@("IPV4ADDRESS")})})

    $JitPolicyArr=@($JitPolicyVm1)

    Start-AzJitNetworkAccessPolicy -ResourceId "/subscriptions/SUBSCRIPTIONID/resourceGroups/RESOURCEGROUP/providers/Microsoft.Security/locations/LOCATION/jitNetworkAccessPolicies/default" -VirtualMachine $JitPolicyArr
    

    Now, the access request has been created in the Azure portal and port 22 is allowed for the IP address like below:

    Alternatively, you can make use of this reference:

    Automate Just In Time VM Access Request with PowerShell by Charbel Nemnom

    Enabling and Scripting Azure Virtual Machine Just-In-Time Access – Kloud Blog by Darren Robinson
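The request step above, written as a reusable script rather than a hard-coded timestamp and address. This is an added example, not code from the answer or from Microsoft: it takes the connecting source address as a parameter, refuses wildcards, bounds the window by the PT3H maximum the policy above sets, and reads the request back with Get-AzJitNetworkAccessPolicy. SUBSCRIPTIONID, RESOURCEGROUP, LOCATION and VMNAME are placeholders, and the Requests/VirtualMachines/Ports property names on the returned policy object are assumed from the Az.Security output type.

```powershell
# Added example, not part of the original answer: request JIT access for one port,
# from one source address, for a bounded window, then read the request back.
# SUBSCRIPTIONID, RESOURCEGROUP, LOCATION and VMNAME are placeholders to replace.
param(
    [Parameter(Mandatory)] [string]$SourceIp,            # the address that will connect
    [string]$SubscriptionId = "SUBSCRIPTIONID",
    [string]$ResourceGroup  = "RESOURCEGROUP",
    [string]$Location       = "LOCATION",
    [string]$VmName         = "VMNAME",
    [ValidateSet(22, 3389)] [int]$Port  = 22,
    [ValidateRange(1, 3)]   [int]$Hours = 1              # the policy above allows at most PT3H
)

# Refuse anything that is not a single literal IPv4 address (no "*" and no ranges).
$parsed = [System.Net.IPAddress]::None
if (-not [System.Net.IPAddress]::TryParse($SourceIp, [ref]$parsed) -or
    $parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
    throw "SourceIp must be a single IPv4 address, got '$SourceIp'"
}

Connect-AzAccount -Subscription $SubscriptionId | Out-Null

$vmId     = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
            "/providers/Microsoft.Compute/virtualMachines/$VmName"
$policyId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
            "/providers/Microsoft.Security/locations/$Location/jitNetworkAccessPolicies/default"

# Compute the expiry from the current time instead of hard-coding a timestamp.
$endTimeUtc = (Get-Date).ToUniversalTime().AddHours($Hours).ToString("yyyy-MM-ddTHH:mm:ssZ")

$request = @{
    id    = $vmId
    ports = @(@{
        number                     = $Port
        endTimeUtc                 = $endTimeUtc
        allowedSourceAddressPrefix = @($SourceIp)
    })
}

Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request) | Out-Null

# Read the policy back and show the most recent request. The Requests/VirtualMachines/Ports
# property names are assumed from the Az.Security output object (check with Get-Member).
$policy = Get-AzJitNetworkAccessPolicy -ResourceGroupName $ResourceGroup -Location $Location -Name "default"
$latest = $policy.Requests | Sort-Object StartTimeUtc | Select-Object -Last 1
$latest.VirtualMachines | Where-Object { $_.Id -eq $vmId } |
    ForEach-Object { $_.Ports } |
    Select-Object Number, AllowedSourceAddressPrefix, EndTimeUtc, Status
```

Run it as `.\Request-Jit.ps1 -SourceIp 203.0.113.10 -Port 22 -Hours 1` (the address is a documentation-range example); the final table should show the port, the single source prefix, and the computed expiry.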