주요 콘텐츠로 건너뛰기

Enable Just-in-Time Access

Implementation Effort: Medium
Security and IT teams must configure policies, permissions, and network settings to enable just-in-time (JIT) access for virtual machines across supported environments.

User Impact: Low
JIT access is managed by administrators; users may request access only when needed, with no impact on daily operations.

Overview

Just-in-Time (JIT) access in Microsoft Defender for Servers helps reduce exposure to brute-force and lateral movement attacks by allowing access to virtual machines only when needed, for specific ports, and for a limited time window. This minimizes the attack surface by ensuring that VMs are not persistently exposed to the internet or internal threats.

Key Capabilities

  • Temporarily opens selected ports (e.g., RDP, SSH) only when access is explicitly requested.
  • Automatically configures deny-all inbound rules in Network Security Groups (NSGs) or Azure Firewall.
  • Supports Azure VMs, AWS EC2 instances (Preview), and Azure Arc-enabled servers 1.

Prerequisites

  • Defender for Servers Plan 2 must be enabled on the subscription.
  • VMs must be deployed through Azure Resource Manager or connected via Azure Arc.
  • Required permissions:
    • To configure JIT: Microsoft.Security/locations/jitNetworkAccessPolicies/write
    • To request access: Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action 1

How to Enable JIT Access

  1. Go to Microsoft Defender for Cloud > Inventory.
  2. Select the VM you want to protect.
  3. Under Just-in-time VM access, click Enable JIT.
  4. Configure:
    • Ports to protect (e.g., 22 for SSH, 3389 for RDP)
    • Allowed IP ranges
    • Maximum access duration
  5. Save the policy.

Requesting Access

  • Users with appropriate permissions can request access via the Azure portal, PowerShell, or REST API.
  • Access is granted only for the configured time and IP range.

Failing to enable JIT access can leave VMs exposed to persistent threats and unauthorized access attempts. This capability supports the "Use Least Privilege Access" principle of Zero Trust by ensuring access is granted only when necessary and under strict conditions.

Reference