Secure your management ports with just-in-time access

Lock down inbound traffic to your Azure Virtual Machines with Azure Security Center's just-in-time (JIT) virtual machine (VM) access feature. This reduces exposure to attacks while providing easy access when you need to connect to a VM.

For a full explanation about how JIT works and the underlying logic, see Just-in-time explained.

This page teaches you how to include JIT in your security program. You'll learn how to:

  • Enable JIT on your VMs - You can enable JIT with your own custom options for one or more VMs using Security Center, PowerShell, or the REST API. Alternatively, you can enable JIT with default, hard-coded parameters, from Azure virtual machines. When enabled, JIT locks down inbound traffic to your Azure VMs by creating a rule in your network security group.
  • Request access to a VM that has JIT enabled - The goal of JIT is to ensure that even though your inbound traffic is locked down, Security Center still provides easy access to connect to VMs when needed. You can request access to a JIT-enabled VM from Security Center, Azure virtual machines, PowerShell, or the REST API.
  • Audit the activity - To ensure your VMs are secured appropriately, review the accesses to your JIT-enabled VMs as part of your regular security checks.

Availability

Aspect                          Details
Release state:                  General availability
Pricing:                        Standard tier
Supported VMs:                  Supported: VMs deployed through Azure Resource Manager.
                                Not supported: VMs deployed with classic deployment models. Learn more about these deployment models.
                                Not supported: VMs protected by Azure Firewalls controlled by Azure Firewall Manager.
Required roles and permissions: Reader and SecurityReader roles can both view the JIT status and parameters.
                                To create custom roles that can work with JIT, see What permissions are needed to configure and use JIT?.
                                To create a least-privileged role for users that need to request JIT access to a VM, and perform no other JIT operations, use the Set-JitLeastPrivilegedRole script from the Security Center GitHub community pages.
Clouds:                         Supported: Commercial clouds
                                Supported: National/Sovereign (US Gov, China Gov, Other Gov)

Enable JIT VM access

You can enable JIT VM access with your own custom options for one or more VMs using Security Center or programmatically.

Alternatively, you can enable JIT with default, hard-coded parameters, from Azure Virtual machines.

Each of these options is explained in a separate tab below.

Enable JIT on your VMs from Azure Security Center

From Security Center, you can enable and configure the JIT VM access.

  1. From Security Center's menu, select Just-in-time VM access.

    The Just-in-time VM access page opens with your VMs grouped into the following tabs:

    • Configured - VMs that have already been configured to support just-in-time VM access. For each VM, the Configured tab shows:
      • the number of approved JIT requests in the last seven days
      • the last access date and time
      • the connection details configured
      • the last user
    • Not configured - VMs without JIT enabled, but that can support JIT. We recommend that you enable JIT for these VMs.
    • Unsupported - VMs without JIT enabled and which don't support the feature. Your VM might be in this tab for the following reasons:
      • Missing network security group (NSG) - JIT requires an NSG to be configured
      • Classic VM - JIT supports VMs that are deployed through Azure Resource Manager, not 'classic deployment'. Learn more about classic vs Azure Resource Manager deployment models.
      • Other - Your VM might be in this tab if the JIT solution is disabled in the security policy of the subscription or the resource group.
  2. From the Not configured tab, mark the VMs to protect with JIT and select Enable JIT on VMs.

    The JIT VM access page opens listing the ports that Security Center recommends protecting:

    • 22 - SSH
    • 3389 - RDP
    • 5985 - WinRM
    • 5986 - WinRM

    To accept the default settings, select Save.

  3. To customize the JIT options:

    • Add custom ports with the Add button.
    • Modify one of the default ports, by selecting it from the list.

    For each port (custom and default) the Add port configuration pane offers the following options:

    • Protocol - The protocol that is allowed on this port when a request is approved
    • Allowed source IPs - The IP ranges that are allowed on this port when a request is approved
    • Maximum request time - The maximum time window during which a specific port can be opened

    1. Set the port security to your needs.
    2. Select OK.

  4. Select Save.
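The same custom configuration can be applied programmatically. The following is an added example, not code from the original page, that enables JIT on one VM from PowerShell with the four ports the portal recommends and the three per-port options described above (protocol, allowed source IPs, maximum request time). It assumes the Az.Security module and an authenticated session (Connect-AzAccount); the subscription, resource group, location, VM name and source range are placeholders, and the property names read back from Get-AzJitNetworkAccessPolicy are assumed.

```powershell
# Added example (not from the original page). All identifiers are placeholders.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$resourceGroup  = 'rg-jit-demo'                            # placeholder
$location       = 'eastus'                                 # placeholder
$vmName         = 'vm-jit-demo'                            # placeholder
$vmId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Compute/virtualMachines/$vmName"

# "Allowed source IPs": restrict to the organization's egress range rather than '*'.
# 203.0.113.0/24 is a documentation range used here as a placeholder.
$corpRange = '203.0.113.0/24'

# One entry per port. maxRequestAccessDuration is an ISO 8601 duration and is the
# upper bound a later access request may ask for ("Maximum request time").
$ports = @(
    @{ number = 22;   protocol = 'TCP'; allowedSourceAddressPrefix = @($corpRange); maxRequestAccessDuration = 'PT1H'  },
    @{ number = 3389; protocol = 'TCP'; allowedSourceAddressPrefix = @($corpRange); maxRequestAccessDuration = 'PT1H'  },
    @{ number = 5985; protocol = 'TCP'; allowedSourceAddressPrefix = @($corpRange); maxRequestAccessDuration = 'PT30M' },
    @{ number = 5986; protocol = 'TCP'; allowedSourceAddressPrefix = @($corpRange); maxRequestAccessDuration = 'PT30M' }
)

$jitPolicy = @{ id = $vmId; ports = $ports }

# The policy named 'default' in a resource group/location holds the per-VM entries.
# Security Center creates the matching deny rules in the VM's NSG once this is set.
Set-AzJitNetworkAccessPolicy -Kind 'Basic' -Location $location -Name 'default' `
    -ResourceGroupName $resourceGroup -VirtualMachine @($jitPolicy)

# Read the configuration back and list each protected port (property names assumed).
Get-AzJitNetworkAccessPolicy -ResourceGroupName $resourceGroup -Location $location -Name 'default' |
    Select-Object -ExpandProperty VirtualMachines |
    ForEach-Object { $_.Ports } |
    Select-Object Number, Protocol, AllowedSourceAddressPrefix, MaxRequestAccessDuration
```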

Edit the JIT configuration on a JIT-enabled VM using Security Center

You can modify a VM's just-in-time configuration by adding and configuring a new port to protect for that VM, or by changing any other setting related to an already protected port.

To edit the existing JIT rules for a VM:

  1. From Security Center's menu, select Just-in-time VM access.

  2. From the Configured tab, right-click on the VM to which you want to add a port, and select edit.

  3. Under JIT VM access configuration, you can either edit the existing settings of an already protected port or add a new custom port.

  4. When you've finished editing the ports, select Save.

Request access to a JIT-enabled VM

You can request access to a JIT-enabled VM from the Azure portal (in Security Center or Azure Virtual machines) or programmatically.

Each of these options is explained in a separate tab below.

Request access to a JIT-enabled VM from Azure Security Center

When a VM has JIT enabled, you have to request access to connect to it. You can request access in any of the supported ways, regardless of how you enabled JIT.

  1. From the Just-in-time VM access page, select the Configured tab.

  2. Mark the VMs you want to access.

    • The icon in the Connection Details column indicates whether JIT is enabled on the network security group or firewall. If it's enabled on both, only the firewall icon appears.

    • The Connection Details column provides the information required to connect to the VM, and its open ports.

  3. Select Request access. The Request access window opens.

  4. Under Request access, for each VM, configure the ports that you want to open, the source IP addresses from which each port is opened, and the time window for which the port will be open. Access can only be requested for the configured ports, and each port has a maximum allowed time derived from the JIT configuration you've created.

  5. Select Open ports.

Note

If a user who is requesting access is behind a proxy, the option My IP may not work. You may need to define the full IP address range of the organization.
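The request in the procedure above can also be made from PowerShell, which is the natural way to handle the proxy case in the note: the source range is given explicitly instead of relying on My IP. This is an added example, not code from the original page; it assumes the Az.Security module, an authenticated session, a VM already enabled for JIT under the policy named 'default', and placeholder identifiers. The property names used to read the Requests collection back are assumed.

```powershell
# Added example (not from the original page). All identifiers are placeholders.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$resourceGroup  = 'rg-jit-demo'                            # placeholder
$location       = 'eastus'                                 # placeholder
$vmName         = 'vm-jit-demo'                            # placeholder
$vmId     = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Compute/virtualMachines/$vmName"
$policyId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Security/locations/$location/jitNetworkAccessPolicies/default"

# Behind a proxy or NAT, "My IP" may resolve to the wrong address, so state the
# organization's range explicitly (203.0.113.0/24 is a documentation placeholder).
$sourceRange = '203.0.113.0/24'

# The requested window must not exceed the port's configured maximum request time;
# a request for longer than the policy allows is rejected.
$endTime = (Get-Date).ToUniversalTime().AddHours(1).ToString('o')

$request = @{
    id    = $vmId
    ports = @(
        @{ number = 22; endTimeUtc = $endTime; allowedSourceAddressPrefix = @($sourceRange) }
    )
}

# Opens port 22 from $sourceRange until $endTime by inserting a temporary NSG allow rule.
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request)

# The policy's Requests collection records who asked for what and until when;
# list the most recent entries (property names assumed).
(Get-AzJitNetworkAccessPolicy -ResourceGroupName $resourceGroup -Location $location -Name 'default').Requests |
    Sort-Object StartTimeUtc -Descending |
    Select-Object -First 5 |
    ForEach-Object {
        [pscustomobject]@{
            Requestor = $_.Requestor
            Start     = $_.StartTimeUtc
            Ports     = ($_.VirtualMachines.Ports | ForEach-Object { "$($_.Number) until $($_.EndTimeUtc)" }) -join ', '
        }
    }
```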

Audit JIT access activity in Security Center

You can gain insights into VM activities using log search. To view the logs:

  1. From Just-in-time VM access, select the Configured tab.

  2. For the VM that you want to audit, open the ellipsis menu at the end of the row.

  3. Select Activity Log from the menu.

    The activity log provides a filtered view of previous operations for that VM along with time, date, and subscription.

  4. To download the log information, select Download as CSV.
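For recurring checks, the same Activity Log view can be pulled and exported from PowerShell rather than downloaded per VM from the portal. This is an added example, not code from the original page; it assumes the Az.Monitor module (Get-AzLog), an authenticated session, a placeholder resource group, and that JIT operations appear in the Activity Log under the jitNetworkAccessPolicies provider path.

```powershell
# Added example (not from the original page). Identifiers are placeholders.
$resourceGroup = 'rg-jit-demo'                 # placeholder
$since = (Get-Date).AddDays(-7)                # same seven-day window the Configured tab summarizes

# Pull the resource group's Activity Log and keep only JIT policy operations
# (assumption: enable/request/edit operations are logged under this provider path).
$jitEvents = Get-AzLog -ResourceGroupName $resourceGroup -StartTime $since -MaxRecord 1000 |
    Where-Object { $_.OperationName -match 'jitNetworkAccessPolicies' }

# Reduce each event to the fields that matter for an access review.
$report = $jitEvents | ForEach-Object {
    [pscustomobject]@{
        Time      = $_.EventTimestamp
        Caller    = $_.Caller
        Operation = $_.OperationName
        Status    = $_.Status
        Resource  = $_.ResourceId
    }
}

# Review: unexpected callers, failed requests, or requests outside business hours
# are the rows worth following up on.
$report | Sort-Object Time -Descending | Format-Table -AutoSize

# Equivalent of the portal's "Download as CSV", for the whole resource group at once.
$report | Export-Csv -Path ".\jit-activity-$resourceGroup.csv" -NoTypeInformation
```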

Next steps

In this article, you learned how to set up and use just-in-time VM access. To learn why JIT should be used, read the concept article explaining the threats it's defending against: