Azure Just-In-Time access: How to request Just-In-Time access outside of Azure Portal?

Time:12-14

I've configured Just-In-Time access for my VM in Azure and it works. However, every time I have to go to the Azure Portal to request Just-In-Time access. Is there any alternative to the Azure Portal for requesting Just-In-Time access?


How to request Just-In-Time access outside of Azure Portal?

CodePudding user response:

I tried to reproduce the same in my environment and got the results below:

You can make use of PowerShell commands to request Just-In-Time access, like below:

    # JIT policy definition for one VM: each port entry carries the protocol,
    # the source prefixes allowed to request access, and the maximum duration
    # a single access request may ask for (ISO 8601 duration, here 3 hours).
    $JitPolicy = (@{
         id="/subscriptions/SUBID/resourceGroups/RGNAME/providers/Microsoft.Compute/virtualMachines/VMNAME";
         ports=(@{
              number=22;
              protocol="*";
              allowedSourceAddressPrefix=@("*");
              maxRequestAccessDuration="PT3H"},
              @{
              number=3389;
              protocol="*";
              allowedSourceAddressPrefix=@("*");
              maxRequestAccessDuration="PT3H"})})

Connect your PowerShell environment to your Azure AD. After that, create a JIT policy like below:


Ports 22 and 3389 for RDP access will have a maximum request access duration of three hours:

    # Set-AzJitNetworkAccessPolicy expects an array of VM policy objects
    $JitPolicyArr=@($JitPolicy)
    Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location "EastUS" -Name "default" -ResourceGroupName "RGNAME" -VirtualMachine $JitPolicyArr

Then, with the Set-AzJitNetworkAccessPolicy cmdlet, you can request creation of a new JIT policy for this machine.


You can see the new Security Center JIT rule, with the port denied and blocked from outside of Azure, like below:


Now, you can raise a Just-In-Time access request using the command below:

    # Access request for one VM: port 22 until the given UTC end time,
    # from a single source address (endTimeUtc must fall within the
    # policy's maxRequestAccessDuration)
    $JitPolicyVm1 = (@{
            id="/subscriptions/SUBSCRIPTIONID/resourceGroups/RESOURCEGROUP/providers/Microsoft.Compute/virtualMachines/VMNAME";
            ports=(@{
               number=22;
               endTimeUtc="2022-12-13T17:00:00.3658798Z";
               allowedSourceAddressPrefix=@("IPV4ADDRESS")})})

    $JitPolicyArr=@($JitPolicyVm1)

    # -ResourceId is the JIT policy resource (Microsoft.Security), not the VM
    Start-AzJitNetworkAccessPolicy -ResourceId "/subscriptions/SUBSCRIPTIONID/resourceGroups/RESOURCEGROUP/providers/Microsoft.Security/locations/LOCATION/jitNetworkAccessPolicies/default" -VirtualMachine $JitPolicyArr


Now, the access request has been created in the Azure portal and port 22 is allowed for the IP address, like below:


Alternatively, you can make use of these references:

Automate Just In Time VM Access Request with PowerShell, by Charbel Nemnom

Enabling and Scripting Azure Virtual Machine Just-In-Time Access, Kloud Blog, by Darren Robinson
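As an added example (not part of the answer above), here is a PowerShell function that requests access for a single port while reading the policy first: the end time is derived from the policy's own maxRequestAccessDuration and the source is restricted to one IP rather than "*". It assumes Az.Security is installed, Connect-AzAccount has already run, and the policy is named "default" as above; the property names read from Get-AzJitNetworkAccessPolicy (VirtualMachines, Ports, Number, MaxRequestAccessDuration) are assumed.

```powershell
# Added example, not the answerer's code. Assumes Az.Security is loaded and
# Connect-AzAccount has run. Property names read from the policy object
# (VirtualMachines, Ports, Number, MaxRequestAccessDuration) are assumed.
function Request-JitPortAccess {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $ResourceGroup,
        [Parameter(Mandatory)] [string] $Location,
        [Parameter(Mandatory)] [string] $VmName,
        [Parameter(Mandatory)] [int]    $Port,
        [Parameter(Mandatory)] [string] $SourceIp,   # single caller address, not "*"
        [string] $PolicyName = "default"
    )

    $vmId     = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.Compute/virtualMachines/$VmName"
    $policyId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.Security/locations/$Location/jitNetworkAccessPolicies/$PolicyName"

    # Read the existing policy and locate the rule for this VM and port, so a
    # request for a port the policy does not cover fails here with a clear message.
    $policy   = Get-AzJitNetworkAccessPolicy -ResourceGroupName $ResourceGroup -Location $Location -Name $PolicyName
    $vmRule   = $policy.VirtualMachines | Where-Object { $_.Id -eq $vmId }
    if (-not $vmRule) { throw "VM $VmName is not in JIT policy '$PolicyName'" }
    $portRule = $vmRule.Ports | Where-Object { $_.Number -eq $Port }
    if (-not $portRule) { throw "Port $Port is not covered by JIT policy '$PolicyName' for $VmName" }

    # maxRequestAccessDuration is an ISO 8601 duration such as "PT3H"; derive the
    # request end time from it so the request never exceeds what the policy allows.
    $maxSpan    = [System.Xml.XmlConvert]::ToTimeSpan($portRule.MaxRequestAccessDuration)
    $endTimeUtc = (Get-Date).ToUniversalTime().Add($maxSpan).ToString("o")

    # Same shape as the request in the answer above, with a single source address
    $request = @{
        id    = $vmId
        ports = @(@{
            number                     = $Port
            endTimeUtc                 = $endTimeUtc
            allowedSourceAddressPrefix = @($SourceIp)
        })
    }
    Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request)
}

# Usage (placeholder values, replace with your own):
# Request-JitPortAccess -SubscriptionId "SUBSCRIPTIONID" -ResourceGroup "RGNAME" -Location "eastus" -VmName "VMNAME" -Port 22 -SourceIp "203.0.113.10"
```

The returned policy object includes the active requests, so the same Get-AzJitNetworkAccessPolicy call can be used afterwards to confirm the request was recorded.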
