Note: To complete this lab, you need an Azure subscription in which you have administrative access.

You can use Microsoft Defender for Cloud’s just-in-time (JIT) access to protect your Azure virtual machines (VMs) from unauthorized network access. Firewalls often contain allow rules that leave your VMs exposed to attack. JIT lets you open access to your VMs only when the access is needed, only on the ports needed, and only for the period of time needed.


Skilling tasks

  • Enable JIT on your VMs from the Azure portal.

  • Request access to a VM that has JIT enabled from the Azure portal.

Exercise instructions

Enable JIT on your VMs from Azure virtual machines

Note: You can enable JIT on a VM from the Virtual machines page of the Azure portal.

  1. From the Azure portal, search for and select Virtual machines.

  2. Select the virtual machine you want to protect with JIT.

  3. In the menu, select Configuration.

  4. Under Just-in-time access, select Enable just-in-time.

  5. Under Just-in-time VM access, select the Open Microsoft Defender for Cloud link.

  6. By default, just-in-time access for the VM uses these settings:

    • Windows machines

      • RDP port: 3389
      • Maximum allowed access: Three hours
      • Allowed source IP addresses: Any
    • Linux machines

      • SSH port: 22
      • Maximum allowed access: Three hours
      • Allowed source IP addresses: Any
  7. To change the JIT settings for a VM, for example to add a custom port:

    • From the Configured tab, right-click the VM to which you want to add a port, and select Edit.

    • Under JIT VM access configuration, you can either edit the existing settings of an already protected port or add a new custom port.

    • When you have finished editing the ports, select Save.

Request access to a JIT-enabled VM from the Azure virtual machine’s Connect page

Note: When a VM has JIT enabled, you must request access before you can connect to it. You can request access in any of the supported ways, regardless of how you enabled JIT.

  1. In the Azure portal, open the Virtual machines page.

  2. Select the VM to which you want to connect, and open the Connect page.

    • Azure checks whether JIT is enabled on that VM.

      • If JIT isn’t enabled for the VM, you’re prompted to enable it.

      • If JIT is enabled, select Request access to submit an access request with the requesting IP, time range, and ports that were configured for that VM.

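As an added example that is not part of this lab, the following Python models the two settings the steps above walk through: it audits a JIT policy for ports whose allowed source is Any or whose window exceeds three hours, and it checks an access request (requesting IP, port, time range) against the configured policy the way the Connect page does. The policy JSON shape and field names are an assumption modelled on the Defender for Cloud JIT policy resource, and the VM id and IP prefixes are constructed samples.

```python
import ipaddress
import re
from datetime import timedelta

# Constructed sample policy. Assumption: field names follow the shape of the
# Defender for Cloud JIT policy resource; the VM id and prefixes are made up.
SAMPLE_POLICY = {"virtualMachines": [{
    "id": "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Compute/virtualMachines/vm-linux-01",
    "ports": [
        {"number": 22, "protocol": "*", "allowedSourceAddressPrefix": "*", "maxRequestAccessDuration": "PT3H"},
        {"number": 3389, "protocol": "*", "allowedSourceAddressPrefix": "203.0.113.0/24", "maxRequestAccessDuration": "PT1H"},
    ],
}]}

def parse_iso_duration(value):
    """Parse the ISO 8601 durations JIT uses, e.g. PT3H, PT30M, PT1H30M."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", value)
    if not m:
        raise ValueError(f"unsupported duration: {value}")
    hours, minutes = (int(g) if g else 0 for g in m.groups())
    return timedelta(hours=hours, minutes=minutes)

def audit_policy(policy, max_duration=timedelta(hours=3)):
    """Flag ports open to any source IP or with a window longer than max_duration."""
    findings = []
    for vm in policy["virtualMachines"]:
        name = vm["id"].rsplit("/", 1)[-1]
        for port in vm["ports"]:
            if port["allowedSourceAddressPrefix"] in ("*", "Any"):
                findings.append(f"{name}:{port['number']} allows requests from any source IP")
            if parse_iso_duration(port["maxRequestAccessDuration"]) > max_duration:
                findings.append(f"{name}:{port['number']} window exceeds {max_duration}")
    return findings

def validate_request(policy, vm_name, port_number, source_ip, duration):
    """Check a request as the Connect page would: port configured, requesting IP
    inside the allowed prefix, time range within the maximum. Returns (ok, reason)."""
    vms = [v for v in policy["virtualMachines"] if v["id"].rsplit("/", 1)[-1] == vm_name]
    ports = [p for v in vms for p in v["ports"] if p["number"] == port_number]
    if not ports:
        return False, f"port {port_number} on {vm_name} is not configured for JIT"
    port = ports[0]
    prefix = port["allowedSourceAddressPrefix"]
    if prefix not in ("*", "Any") and ipaddress.ip_address(source_ip) not in ipaddress.ip_network(prefix, strict=False):
        return False, f"source {source_ip} is not in allowed prefix {prefix}"
    if parse_iso_duration(duration) > parse_iso_duration(port["maxRequestAccessDuration"]):
        return False, "requested time range exceeds the configured maximum"
    return True, "request allowed"
```

Running audit_policy on the sample flags only port 22, because its allowed source is Any; tightening that prefix to the requester's address range is the setting most worth changing from the defaults.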

Results: You have explored how to enable JIT on your VMs and how to request access to VMs that have JIT enabled in Microsoft Defender for Cloud.