AZ-104 | Chapter 143 of 168 | Objective 4.5

Just-in-Time VM Access

This chapter covers Just-in-Time (JIT) VM Access, a Microsoft Defender for Cloud feature that reduces exposure to brute-force attacks by keeping management ports closed until someone with the right permissions asks for them. For the AZ-104 exam, JIT is tested under objective 4.5 (Manage security posture); it turns up in secure-access scenarios and as the correct answer to "reduce the attack surface of this VM" questions. This chapter provides a deep, exam-focused understanding of how JIT works, its configuration, and common pitfalls.

25 min read
Intermediate
Updated May 31, 2026

Just-in-Time Access Like Airport VIP Security

Just-in-Time VM Access is like a VIP airport lounge that only opens its doors when a specific flight is boarding. Normally, the lounge door is always locked and invisible to passersby. When a passenger with a valid boarding pass asks, the system unlocks the door for that passenger only, for the requested window (three hours by default), and logs who came through and when. When the window closes, the door locks again. Anyone without a boarding pass, or arriving after the window, finds the door locked. The network security group (NSG) acts as the door, the Microsoft Entra ID (formerly Azure AD) identity and its role are the boarding pass, and the Just-in-Time policy is the flight schedule. Without JIT, the door would be unlocked 24/7, exposing the lounge to any passerby who finds it. With JIT, access is granted only when needed, for a limited time, and fully audited.

How It Actually Works

What is Just-in-Time VM Access and Why Does It Exist?

Just-in-Time (JIT) VM Access is a feature of Microsoft Defender for Cloud that provides time-bound, policy-governed access to Azure virtual machines. Its primary purpose is to reduce the attack surface by eliminating always-open inbound ports, such as RDP (3389) and SSH (22). Instead of leaving these ports open 24/7, JIT creates temporary, user-specific rules in the Network Security Group (NSG) or Azure Firewall that allow access only for a requested duration, after which the rules are automatically removed.

The problem JIT solves is straightforward: many organizations leave RDP or SSH open to the internet for management purposes. Any management port reachable from the internet is found by scanners within minutes and then hammered with credential guessing around the clock, and a single weak or reused password ends in a compromised VM. JIT reduces this exposure by ensuring that the port is open only when an authorized user requests access, only from that user's address, and only for the time needed.

How JIT Works Internally

JIT operates through a JIT network access policy stored by Defender for Cloud, an Azure RBAC check on the requester, and NSG or Azure Firewall rules that Defender writes on the VM's behalf. The mechanism involves several steps:

1. Policy Definition: An administrator defines a JIT policy for a VM or a set of VMs. The policy specifies which ports (e.g., 3389, 22) and protocol, the allowed source (a CIDR range, or the requester's own IP per request), and the maximum access duration per port (default 3 hours, configurable). As soon as the policy is saved, Defender for Cloud adds deny rules for those ports to the VM's NSGs (and to an Azure Firewall on the same virtual network, if present), so the ports are closed even if an older allow rule exists below them.

2. Request Initiation: When a user needs access, they initiate a JIT request through the Azure portal (the JIT page or the VM's Connect blade), Azure PowerShell, or the REST API. The request includes the VM, port, source IP or range, and a duration, which cannot exceed the policy's maximum for that port.

3. Authorization: Defender for Cloud checks that the requester holds the Azure RBAC permissions the request needs on the VM: the Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action permission plus read on the VM and its network interfaces. JIT has no built-in human approval step. If you want one, make the role that carries those permissions eligible in Microsoft Entra Privileged Identity Management (PIM) with approval required; the user must then activate the role before Defender will accept the request.

4. Rule Creation: Defender for Cloud calls Azure Resource Manager to modify the NSGs associated with the VM's network interface and subnet (and the Azure Firewall, where used). It adds an inbound allow rule from the requested source to the specified port, placed at a higher precedence (lower priority number) than the deny rule it created in step 1.

5. Access: The user can now connect to the VM on the allowed port, from the allowed source, for the requested duration.

6. Rule Removal: After the duration expires, Defender for Cloud restores the NSG to its previous state, removing the allow rule; the JIT deny rule stays. Connections that are already established are not interrupted. The user can also end the access early from the portal, which removes the rule immediately.

7. Audit: Every request is recorded in the Azure Activity Log as the operation Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action (shown in the portal as "Initiate JIT Network Access Policy"), and the NSG rule writes Defender performs appear as Microsoft.Network/networkSecurityGroups/securityRules/write. Together these show who requested access, when, for how long, and from which IP.

Key Components, Values, Defaults, and Timers

Maximum Access Duration: Default is 3 hours. Can be configured from 1 to 24 hours. For exam purposes, remember the default is 3 hours, but it's configurable.

Ports: Typically RDP (3389) and SSH (22), but the policy can name any port. Each port entry carries a protocol (TCP, UDP, or Any); RDP and SSH are TCP.

Source IP: The policy either fixes an allowed CIDR range or lets the requester supply their own source per request. When the request is made from the portal with "My IP", the client's current public IP is written into the temporary rule, so the port opens for that one address.

NSG Priority: The temporary allow rule is placed at a lower priority number (higher precedence) than the JIT deny rule Defender created when the policy was enabled; both sit in the custom range (100-4096), far above the NSG's built-in DenyAllInBound rule at priority 65500. Remember the direction: the lower number wins.

Time-to-Live: The allow rule is removed when the requested duration ends. There is no grace period, but connections that are already established are not torn down.

Approval Workflow: Not built into JIT. Authorization is an Azure RBAC check on the requester. To add approval, make the role that grants the JIT permissions eligible in Microsoft Entra PIM with approval required, so the user must activate the role (and be approved) before requesting access.

Supported VM Types: Azure Resource Manager VMs, including VMs whose traffic is filtered by an Azure Firewall in the same virtual network. Classic (ASM) VMs are not supported, nor are VMs behind an Azure Firewall that is managed through Azure Firewall Manager.

Configuration and Verification Commands

Azure CLI can only read JIT policies: the az security jit-policy group has list and show. Enabling JIT and requesting access from the command line is done with the Az.Security PowerShell module (or the REST API). The policy resource is always named default and lives in the VM's region.

To enable JIT with Azure PowerShell (the subscription ID and region are placeholders):

# Enable JIT on MyVM: RDP and SSH, any source, at most 2 hours per request
$vmId  = "/subscriptions/<subscription-id>/resourceGroups/MyResourceGroup/providers/Microsoft.Compute/virtualMachines/MyVM"
$ports = @(@{ number = 3389; protocol = "TCP"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT2H" },
           @{ number = 22;   protocol = "TCP"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT2H" })
Set-AzJitNetworkAccessPolicy -Kind Basic -Location eastus -Name default -ResourceGroupName MyResourceGroup -VirtualMachine @(@{ id = $vmId; ports = $ports })

To request access:

# Request 1 hour of RDP to MyVM from the requester's public IP (203.0.113.10 is a placeholder)
$end = (Get-Date).ToUniversalTime().AddHours(1).ToString("o")
Start-AzJitNetworkAccessPolicy -ResourceGroupName MyResourceGroup -Location eastus -Name default -VirtualMachine @(@{ id = $vmId; ports = @(@{ number = 3389; endTimeUtc = $end; allowedSourceAddressPrefix = @("203.0.113.10") }) })

To verify JIT status:

# List JIT policies in a resource group (Azure CLI)
az security jit-policy list --resource-group MyResourceGroup

# Show the region's policy, including each VM's ports and any open requests
az security jit-policy show --resource-group MyResourceGroup --location eastus --name default

To view JIT access logs (via Azure CLI; the operation value is matched case-sensitively here, and the portal shows it as "Initiate JIT Network Access Policy"):

az monitor activity-log list --resource-group MyResourceGroup --offset 7d --query "[?contains(operationName.value, 'jitNetworkAccessPolicies/initiate')].{time:eventTimestamp, caller:caller, status:status.value}" -o table
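To see what those Activity Log entries look like and how to act on them without a subscription at hand, here is an added Python example (not the page's or Microsoft's code) over constructed records that use the fields the log actually carries (eventTimestamp, caller, operationName.value, resourceId, status.value). The Defender for Cloud caller string and the rule name SecurityCenter-JITRule_3389 are placeholders. It lists every JIT initiate with its outcome and flags NSG security-rule writes that no successful JIT request preceded, which is how a standing "allow RDP from anywhere" rule added by hand shows up next to the rules JIT writes itself.

```python
"""Audit Activity Log records for JIT usage and for NSG edits that bypass it.

Added example, not the page's or Microsoft's code. SAMPLE_EVENTS are constructed
records; the Defender caller string and rule names are placeholders.
"""
from __future__ import annotations

from datetime import datetime, timedelta

JIT_INITIATE = "microsoft.security/locations/jitnetworkaccesspolicies/initiate/action"
NSG_RULE_WRITE = "microsoft.network/networksecuritygroups/securityrules/write"

RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup"  # placeholder

SAMPLE_EVENTS = [  # constructed sample data
    {"eventTimestamp": "2026-05-31T08:02:11Z", "caller": "alice@contoso.example",
     "operationName": {"value": "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action"},
     "status": {"value": "Succeeded"},
     "resourceId": f"{RG}/providers/Microsoft.Security/locations/eastus/jitNetworkAccessPolicies/default"},
    # Defender for Cloud writes the allow rule seconds after a successful initiate.
    {"eventTimestamp": "2026-05-31T08:02:15Z", "caller": "defender-for-cloud-service (placeholder)",
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
     "status": {"value": "Succeeded"},
     "resourceId": f"{RG}/providers/Microsoft.Network/networkSecurityGroups/MyVM-nsg/securityRules/SecurityCenter-JITRule_3389"},
    # A human adds a standing RDP allow rule with no JIT request behind it.
    {"eventTimestamp": "2026-05-31T13:40:02Z", "caller": "bob@contoso.example",
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
     "status": {"value": "Succeeded"},
     "resourceId": f"{RG}/providers/Microsoft.Network/networkSecurityGroups/MyVM-nsg/securityRules/allow-rdp-any"},
    # A request that failed, e.g. because the caller lacks the initiate permission.
    {"eventTimestamp": "2026-05-31T22:15:44Z", "caller": "mallory@contoso.example",
     "operationName": {"value": "MICROSOFT.SECURITY/LOCATIONS/JITNETWORKACCESSPOLICIES/INITIATE/ACTION"},
     "status": {"value": "Failed"},
     "resourceId": f"{RG}/providers/Microsoft.Security/locations/eastus/jitNetworkAccessPolicies/default"},
]


def _op(event: dict) -> str:
    # Operation names are exported with inconsistent casing; normalise before matching.
    return event["operationName"]["value"].lower()


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["eventTimestamp"].replace("Z", "+00:00"))


def jit_requests(events: list[dict]) -> list[tuple[str, str, str]]:
    """(time, caller, status) for every JIT initiate, successful or not."""
    return [(e["eventTimestamp"], e["caller"], e["status"]["value"])
            for e in events if _op(e) == JIT_INITIATE]


def failed_jit_requests(events: list[dict]) -> list[tuple[str, str]]:
    """Initiates that did not succeed: a caller without the permission, or a bad request."""
    return [(t, c) for t, c, s in jit_requests(events) if s != "Succeeded"]


def uncorrelated_nsg_writes(events: list[dict], window: timedelta = timedelta(seconds=60)) -> list[tuple[str, str]]:
    """NSG security-rule writes with no successful JIT initiate in the preceding window.

    JIT's own writes trail an initiate by seconds; a write with nothing before it is a
    manual change, and a standing allow on a JIT port defeats the control. Returns (caller, rule name).
    """
    initiates = [_ts(e) for e in events if _op(e) == JIT_INITIATE and e["status"]["value"] == "Succeeded"]
    flagged = []
    for e in events:
        if _op(e) != NSG_RULE_WRITE:
            continue
        t = _ts(e)
        if not any(timedelta(0) <= t - i <= window for i in initiates):
            flagged.append((e["caller"], e["resourceId"].rsplit("/", 1)[-1]))
    return flagged


if __name__ == "__main__":
    for row in jit_requests(SAMPLE_EVENTS):
        print("JIT request:", *row)
    for caller, rule in uncorrelated_nsg_writes(SAMPLE_EVENTS):
        print("REVIEW: NSG rule", rule, "written by", caller, "with no JIT request behind it")
```

The time-correlation heuristic is deliberately loose: it does not need to know which identity Defender for Cloud writes rules as, only that a JIT-driven rule write follows an initiate by seconds. Feed it the JSON from az monitor activity-log list, or the AzureActivity table once the log is exported to Log Analytics, and tighten the window to what you observe in your own tenant.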

How JIT Interacts with Related Technologies

NSG: JIT creates temporary NSG rules. It does not modify the VM's firewall (Windows Firewall). The VM's OS firewall must still allow the port for JIT to work.

Azure Firewall: When the VM's traffic is filtered by an Azure Firewall on the same virtual network, JIT writes its deny and temporary allow rules to that firewall as well as to the NSGs. Firewalls managed through Azure Firewall Manager are not supported.

Microsoft Entra PIM: JIT has no approval workflow of its own; it authorizes requests with Azure RBAC. Making the role that grants the JIT permissions eligible in PIM (with approval or MFA required on activation) is how you add an approval gate: users must activate the role before Defender will accept their request.

Defender for Cloud: JIT is a Defender for Cloud feature that requires the Defender for Servers Plan 2 plan on the subscription (the older name for this paid tier was "Standard"). Without it, JIT cannot be used.

Azure Bastion: Bastion provides always-on, secure RDP/SSH access via TLS without exposing public IPs. JIT is different: it temporarily opens ports to the internet. Bastion is often a better solution for management access, but JIT can be used as an alternative or complement.

Exam-Specific Details

JIT is not available for classic (ASM) VMs, nor for VMs behind an Azure Firewall managed through Azure Firewall Manager; the VM must be an Azure Resource Manager VM.

The default max duration is 3 hours, but can be changed at policy creation.

JIT writes its rules to every NSG on the path: the one attached to the VM's NIC and the one on the subnet. Inbound traffic is evaluated by the subnet NSG first and then by the NIC NSG, and both must allow it; there is no union of the two.

A JIT allow rule is shadowed by any deny rule for the same port with a lower priority number (higher precedence), whether it is a custom rule or sits in the other NSG. The request itself still succeeds and is logged; the connection simply fails, so check the NIC's effective security rules when that happens.

JIT access requests can be made via Azure portal, PowerShell, or the REST API; Azure CLI only lists and shows policies.

JIT access is logged in the Azure Activity Log as Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action ('Initiate JIT Network Access Policy' in the portal).
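JIT writes its rules to both the NIC and the subnet NSG, and a deny with a lower priority number shadows the JIT allow; both facts are easy to get wrong when a connection fails after a successful request. The following Python model is an added example, not code from this page or from Microsoft. Rule names and the priority numbers given to the JIT rules are placeholders; only the evaluation order it encodes (subnet NSG then NIC NSG, lowest priority number first, first match wins, built-in DenyAllInBound at 65500 last) is real Azure behaviour. It walks through the ways a requester can still be blocked.

```python
"""Toy model of NSG inbound evaluation, to show when a JIT allow rule is shadowed.

Added example, not the page's or Microsoft's code. Rule names and the JIT priorities
are placeholders; only the evaluation order (subnet NSG, then NIC NSG; lowest priority
number first; first match wins; DenyAllInBound at 65500 last) is the real behaviour.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int         # custom rules use 100-4096; a lower number is evaluated first
    access: str           # "Allow" or "Deny"
    dest_port: int | str  # port number, or "*" for any
    source: str           # CIDR, or "*" for any


# Built-in inbound rules use priorities 65000+; only DenyAllInBound is modelled here (the two
# default Allow rules match service tags, not CIDRs, and play no part for internet RDP).
DENY_ALL_INBOUND = Rule("DenyAllInBound", 65500, "Deny", "*", "*")


def _matches(rule: Rule, port: int, src: str) -> bool:
    if rule.dest_port != "*" and rule.dest_port != port:
        return False
    return rule.source == "*" or ipaddress.ip_address(src) in ipaddress.ip_network(rule.source, strict=False)


def evaluate_nsg(rules: list[Rule], port: int, src: str) -> Rule:
    """Return the rule that decides inbound traffic to `port` from `src` within one NSG."""
    for rule in sorted([*rules, DENY_ALL_INBOUND], key=lambda r: r.priority):
        if _matches(rule, port, src):
            return rule
    raise AssertionError("unreachable: DenyAllInBound matches everything")


def effective_inbound(subnet_nsg: list[Rule] | None, nic_nsg: list[Rule] | None,
                      port: int, src: str) -> tuple[str, str]:
    """Inbound traffic passes the subnet NSG first, then the NIC NSG; both must allow it."""
    for label, rules in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        if rules is None:        # no NSG at that layer means nothing is filtered there
            continue
        hit = evaluate_nsg(rules, port, src)
        if hit.access == "Deny":
            return "Deny", f"{label}:{hit.name}"
    return "Allow", "allowed by every NSG on the path"


REQUESTER = "198.51.100.7"
# What a JIT request leaves behind for that requester (names and priorities are placeholders):
JIT_ALLOW = Rule("SecurityCenter-JITRule_allow_3389", 100, "Allow", 3389, f"{REQUESTER}/32")
JIT_DENY = Rule("SecurityCenter-JITRule_deny_3389", 1000, "Deny", 3389, "*")   # added when JIT was enabled


def scenarios() -> dict[str, tuple[str, str]]:
    """The cases a practitioner meets: JIT on one NSG, on both, and shadowed by a custom deny."""
    return {
        "jit_rules_on_nic_only": effective_inbound(None, [JIT_ALLOW, JIT_DENY], 3389, REQUESTER),
        "custom_deny_below_jit": effective_inbound(
            None, [Rule("block-rdp", 90, "Deny", 3389, "*"), JIT_ALLOW, JIT_DENY], 3389, REQUESTER),
        "subnet_nsg_lacks_jit_rule": effective_inbound(
            [Rule("allow-https", 200, "Allow", 443, "*")], [JIT_ALLOW, JIT_DENY], 3389, REQUESTER),
        "jit_rules_on_both_nsgs": effective_inbound([JIT_ALLOW, JIT_DENY], [JIT_ALLOW, JIT_DENY], 3389, REQUESTER),
        "other_source_ip": effective_inbound(None, [JIT_ALLOW, JIT_DENY], 3389, "203.0.113.5"),
    }


if __name__ == "__main__":
    for name, (verdict, reason) in scenarios().items():
        print(f"{name:28s} {verdict:5s} ({reason})")
```

The "custom_deny_below_jit" and "subnet_nsg_lacks_jit_rule" cases are the two that produce a successful JIT request with a connection that still times out; the portal's Effective security rules view on the NIC shows the same ordering this model computes.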

Walk-Through

1. Define JIT Policy

An administrator configures a JIT policy for a VM in Defender for Cloud (Workload protections > Just-in-time VM access) or with Set-AzJitNetworkAccessPolicy. They specify allowed ports (e.g., 3389, 22), protocol, the maximum request duration per port (default 3 hours), and the allowed source: a fixed CIDR range, or "per request" so the requester's current public IP is used. The policy is stored as a jitNetworkAccessPolicies resource named default in the VM's region. On save, Defender for Cloud writes deny rules for the listed ports into the NSGs attached to the VM's NIC and subnet, and into an Azure Firewall on the same virtual network if one is in the path.

2. User Requests Access

A user initiates a JIT request from the portal (the JIT page or the VM's Connect blade), Azure PowerShell (Start-AzJitNetworkAccessPolicy), or the REST initiate action. The request names the VM, port, source IP or range, and a duration up to the policy maximum; the portal pre-fills "My IP" with the client's public address.

3. Authorization

Defender for Cloud checks the caller's Azure RBAC permissions on the VM: the Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action permission plus read on the VM and its network interfaces. There is no human approver inside JIT itself. Organizations that want one make the role carrying those permissions eligible in Microsoft Entra Privileged Identity Management with approval required; the request then succeeds only after the user has activated the role. A caller without the permission gets a failed initiate, which still lands in the Activity Log.

4. Temporary Rule Created

Defender for Cloud uses Azure Resource Manager to add an inbound allow rule to each NSG on the path (NIC and subnet) and to the Azure Firewall where one is used. The rule allows the requested protocol and port from the requester's source only, at a higher precedence (lower number) than the JIT deny rule. The VM's OS firewall must also allow the connection; JIT never touches Windows Firewall or iptables.

5. Access and Monitoring

The user connects to the VM with RDP or SSH on the allowed port. The initiate action and the NSG rule writes are in the Azure Activity Log, and the JIT page in Defender for Cloud shows which VMs currently have an open request. If they finish early, the user can end the access from the portal, which removes the allow rule immediately.

6. Rule Removal

When the requested duration expires, Defender for Cloud restores the NSG (and firewall) to its earlier state, removing the temporary allow rule; the JIT deny rule stays, so the port is closed again. Sessions already connected are not interrupted; they end when the user disconnects or the OS times them out. The removal is logged as well. This completes the JIT cycle.
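The policy and request documents that the steps in "How JIT Works Internally" and this walk-through describe, as an added Python example (not the page's or Microsoft's code). The dictionaries follow the shape of the jitNetworkAccessPolicies PUT body and the initiate POST body; the VM resource ID, the prefixes and the durations are placeholder values. validate_request reproduces the policy-side checks a request must pass (port enabled for the VM, duration within that port's maximum, source inside the allowed prefix) and build_initiate_body computes when the allow rule will be withdrawn. The Azure RBAC check on the caller happens before any of this and is not modelled.

```python
"""Model of a JIT policy and of the checks a JIT access request must pass.

Added example, not part of the page or of Microsoft's code. The JSON shapes follow the
Microsoft.Security jitNetworkAccessPolicies REST resource (PUT policy body and the
.../initiate POST body); the resource ID, prefixes and durations are placeholders.
"""
from __future__ import annotations

import ipaddress
import re
from datetime import datetime, timezone, timedelta

VM_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
         "MyResourceGroup/providers/Microsoft.Compute/virtualMachines/MyVM")  # placeholder

# Policy as an administrator would PUT it: RDP from anywhere for up to 3 h,
# SSH only from the corporate range for up to 1 h (constructed values).
POLICY = {
    "kind": "Basic",
    "properties": {"virtualMachines": [{
        "id": VM_ID,
        "ports": [
            {"number": 3389, "protocol": "TCP", "allowedSourceAddressPrefix": "*",
             "maxRequestAccessDuration": "PT3H"},
            {"number": 22, "protocol": "TCP", "allowedSourceAddressPrefix": "203.0.113.0/24",
             "maxRequestAccessDuration": "PT1H"},
        ],
    }]},
}

_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")


def parse_duration(value: str) -> timedelta:
    """Parse the PT<h>H<m>M subset of ISO 8601 that JIT policies and requests use."""
    m = _DURATION.match(value)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration {value!r}")
    hours, minutes = (int(g) if g else 0 for g in m.groups())
    return timedelta(hours=hours, minutes=minutes)


def find_port_rule(policy: dict, vm_id: str, port: int) -> dict | None:
    """Return the policy entry for (vm, port), or None if JIT is not enabled for it."""
    for vm in policy["properties"]["virtualMachines"]:
        if vm["id"].lower() == vm_id.lower():          # ARM resource IDs compare case-insensitively
            return next((p for p in vm["ports"] if p["number"] == port), None)
    return None


def validate_request(policy: dict, vm_id: str, port: int, source: str, duration: str) -> list[str]:
    """Reasons the request would be rejected; an empty list means it passes the policy checks."""
    rule = find_port_rule(policy, vm_id, port)
    if rule is None:
        return [f"port {port} is not in the JIT policy for this VM"]
    problems = []
    if parse_duration(duration) > parse_duration(rule["maxRequestAccessDuration"]):
        problems.append(f"requested {duration} exceeds policy max {rule['maxRequestAccessDuration']}")
    allowed = rule["allowedSourceAddressPrefix"]
    if allowed != "*":
        requested = ipaddress.ip_network(source, strict=False)   # accepts a single IP or a CIDR
        if not requested.subnet_of(ipaddress.ip_network(allowed, strict=False)):
            problems.append(f"source {source} is outside allowed prefix {allowed}")
    return problems


def build_initiate_body(vm_id: str, port: int, source: str, duration: str,
                        justification: str, now_iso: str | None = None) -> tuple[dict, str]:
    """Build the .../jitNetworkAccessPolicies/default/initiate POST body and return it with
    the UTC time (ISO 8601) at which Defender will withdraw the allow rule again."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    body = {
        "virtualMachines": [{"id": vm_id, "ports": [
            {"number": port, "duration": duration, "allowedSourceAddressPrefix": source}]}],
        "justification": justification,
    }
    return body, (now + parse_duration(duration)).isoformat()


if __name__ == "__main__":
    for port, src, dur in ((3389, "198.51.100.7", "PT1H"), (22, "198.51.100.7", "PT1H"),
                           (22, "203.0.113.9", "PT2H"), (443, "203.0.113.9", "PT1H")):
        print(port, src, dur, validate_request(POLICY, VM_ID, port, src, dur) or "OK")
    print(build_initiate_body(VM_ID, 3389, "198.51.100.7", "PT1H", "patch window"))
```

Running the script shows the three rejection paths side by side with one accepted request; the accepted request's body is what you would PUT behind az rest or the portal, and the returned timestamp is the moment the NSG returns to its closed state.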

What This Looks Like on the Job

Scenario 1: Enterprise Remote Administration

A large financial services company manages hundreds of Windows and Linux VMs in Azure. They previously left RDP (3389) and SSH (22) open from specific corporate IP ranges. Despite the IP restrictions, they still saw brute-force attempts arriving through those ranges from compromised internal machines. They deployed JIT across all production VMs. Engineers hold the JIT request permissions only as an eligible role in Microsoft Entra PIM, with on-call security engineers as approvers, so a JIT request is possible only after a ticketed, approved activation. The maximum access duration is set to 2 hours. Management ports are now closed by default, and the brute-force attempts against them stopped. One misconfiguration: an engineer set the max request time to 24 hours on a critical VM, defeating the purpose; the security team now caps maxRequestAccessDuration at PT4H and reviews the policies for drift.

Scenario 2: Multi-Tier Application Debugging

A SaaS company runs a three-tier application with web, app, and database VMs. Developers occasionally need direct RDP access to app servers for debugging. Previously, they used a jump box with a public IP, which became a single point of failure and required constant patching. They enabled JIT on all app servers, granting the development team the JIT initiate permission directly (no PIM gate), with a 4-hour maximum. Each temporary NSG rule is scoped to the requesting developer's current public IP. This eliminated the jump box and reduced administrative overhead. One issue: the rule expired after 4 hours while a developer was still mid-debugging; the existing session survived the rule removal, but reconnecting required a new request. They raised the maximum to 8 hours for the app tier, and developers now request the full planned debug window up front.

Scenario 3: Compliance-Driven Access Control

A healthcare organization must comply with HIPAA regulations requiring strict access controls and auditing. They use JIT for all VM access, with the JIT permissions held as PIM-eligible roles that require approval to activate. Every request lands in the Activity Log, which they export to a Log Analytics workspace for long-term retention, and they alert on failed initiate actions (a caller without the permission). The maximum duration is set to 1 hour to minimize exposure. A common problem: a request succeeds and the rule is written, but the user still cannot connect because a custom deny rule on the same port has a lower priority number than the JIT allow, or because the subnet NSG carries no JIT rule at all. They resolved this by moving their own deny-all rule to priority 4096 so JIT's rules are evaluated first, and by checking the NIC's effective security rules whenever a connection fails. For VMs in a hub-spoke topology, JIT writes its rules to the hub Azure Firewall as well.

How AZ-104 Actually Tests This

What AZ-104 Tests on JIT VM Access

JIT VM Access is tested under objective 4.5: 'Manage security posture' and 'Implement Just-in-Time VM access'. Expect questions that assess your understanding of JIT's purpose, prerequisites, and behavior. The exam focuses on:

Prerequisites: VMs must be Azure Resource Manager VMs in a subscription with Defender for Servers Plan 2 enabled. Classic VMs are not supported.

Default max duration: 3 hours (configurable 1-24 hours).

Ports: Typically RDP (3389) and SSH (22), but any port and protocol (TCP, UDP, Any) can be configured.

Rule creation: JIT adds rules to the NSG (and Azure Firewall), not the VM's OS firewall.

Approval: JIT authorizes with Azure RBAC; an approval gate comes from Microsoft Entra PIM role activation, not from JIT itself.

Logging: Requests are logged in Azure Activity Log as Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action.

Common Wrong Answers and Why

1. 'JIT modifies the VM's Windows Firewall' – Wrong. JIT works at the NSG level, not the OS firewall. The OS firewall must still allow the traffic. Candidates confuse NSG rules with the host firewall.

2. 'JIT requires Azure Bastion' – Wrong. JIT is independent of Bastion. Bastion provides always-on secure access; JIT provides time-bound direct access. They are complementary.

3. 'JIT default max duration is 1 hour' – Wrong. The default is 3 hours. Candidates often guess 1 hour because it's a common timeout value.

4. 'JIT works with classic VMs' – Wrong. Classic VMs (ASM) are not supported; only Azure Resource Manager VMs are.

5. 'JIT requires a public IP on the VM' – Wrong. The NSG rule is written against the VM's private IP; the traffic can reach it through the VM's own public IP, a load balancer inbound NAT rule, or a private path such as VPN or ExpressRoute.

Numbers and Terms to Memorize

Default max duration: 3 hours (configurable 1-24 hours).

Priority of JIT rule: the temporary allow rule sits at a lower priority number (higher precedence) than the JIT deny rule; custom rules range 100-4096, and the built-in DenyAllInBound is 65500.

Supported ports: any port; protocol TCP, UDP or Any.

Required Defender for Cloud plan: Defender for Servers Plan 2.

Activity Log operation: Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action.

Edge Cases and Exceptions

If a VM has NSGs on both the NIC and the subnet, JIT writes its rules to both. Inbound traffic must pass the subnet NSG first and then the NIC NSG, so a deny with a lower priority number in either one shadows the JIT allow.

JIT port entries carry a protocol of TCP, UDP or Any; the usual RDP and SSH entries are TCP.

JIT cannot be used with VMs that have unmanaged disks.

If a user's IP changes after the rule is created, the rule remains for the original IP; the user must request a new session.

How to Eliminate Wrong Answers

If an answer mentions 'Windows Firewall', it's likely wrong unless the question specifically says 'OS firewall'.

If an answer says 'always open' or 'permanent', it's wrong because JIT is temporary.

If an answer says 'requires public IP', it's wrong because JIT works with private IPs through load balancers or NAT.

If an answer says 'default max duration is 24 hours', it's wrong; default is 3 hours.

Key Takeaways

JIT reduces attack surface by opening ports only when needed and only to requesting user's IP.

Default maximum access duration is 3 hours (configurable 1-24 hours).

JIT rules are created in every NSG on the VM's path (NIC and subnet), with the temporary allow rule at a lower priority number than the JIT deny rule.

JIT requires Defender for Cloud's Defender for Servers Plan 2.

JIT does not modify the VM's OS firewall; the OS firewall must allow the port.

JIT port entries specify a protocol (TCP, UDP or Any); RDP and SSH are TCP.

JIT works only with Azure Resource Manager VMs; classic VMs are not supported.

Access requests are logged in Azure Activity Log as Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Just-in-Time VM Access

Temporarily opens specific ports (e.g., 3389, 22) to the internet via NSG rules.

Requires Defender for Servers Plan 2 (the paid tier formerly called Standard).

Supports any port (TCP, UDP or Any), not just RDP/SSH.

Access is time-bound (default max 3 hours, configurable 1-24 hours).

Provides full audit trail of access requests and rules.

Azure Bastion

Provides always-on secure RDP/SSH access via TLS over port 443.

Requires the Azure Bastion service, a separately billed resource (Developer, Basic, Standard and Premium SKUs).

Supports RDP and SSH only; connecting on a custom port needs the Standard SKU or higher.

No time limit on sessions; sessions are persistent until disconnected.

Auditing is through Azure Monitor and Bastion diagnostics logs.

Watch Out for These

Mistake

JIT modifies the VM's operating system firewall.

Correct

JIT only creates temporary rules in the Azure Network Security Group (NSG) attached to the VM's NIC or subnet. It does not alter Windows Firewall or iptables. The OS firewall must still be configured to allow the traffic.

Mistake

JIT requires Azure Bastion to function.

Correct

JIT is independent of Azure Bastion. Bastion provides always-on secure RDP/SSH access via TLS without exposing public IPs. JIT temporarily opens ports to the internet. They can be used together or separately.

Mistake

JIT default maximum access duration is 1 hour.

Correct

The default maximum duration is 3 hours. It can be configured between 1 and 24 hours. The 1-hour value is a common misconception because it's a typical session timeout.

Mistake

JIT works with classic (ASM) VMs.

Correct

JIT only supports Azure Resource Manager (ARM) VMs. Classic VMs (ASM) are not supported, and neither are VMs behind an Azure Firewall managed through Azure Firewall Manager. This is a common exam trap.

Mistake

JIT automatically closes the RDP/SSH session when the timer expires.

Correct

JIT only removes the NSG rule after the duration expires. It does not terminate active sessions. The existing connection remains until the user disconnects or the session times out at the OS level.


Frequently Asked Questions

What is the default maximum duration for a JIT VM access request?

The default maximum duration is 3 hours. It can be configured between 1 and 24 hours when creating the JIT policy. On the exam, remember 3 hours as the default, but know it's configurable.

Does JIT work with Azure Firewall instead of NSG?

Yes. When the VM's traffic passes through an Azure Firewall in the same virtual network, JIT writes its deny and temporary allow rules to that firewall as well as to the NSGs. This is how hub-spoke deployments use JIT. Firewalls controlled through Azure Firewall Manager are not supported.

Can JIT be used for VMs without a public IP?

Yes. The JIT rule is written against the VM's private IP, so it works for traffic that reaches the VM through a load balancer's inbound NAT rule, a VPN or ExpressRoute connection, or a jump host in the virtual network. If you use Azure Bastion instead, you do not need JIT for the same port, although the two can coexist.

What happens if a user's IP changes after a JIT rule is created?

The rule remains for the original IP. The user must request a new JIT session from their new IP. The old rule will expire after the requested duration or can be manually closed.

Is JIT available for all Azure VMs?

No. JIT supports only Azure Resource Manager (ARM) VMs in a subscription with Defender for Servers Plan 2; classic VMs (ASM) and VMs behind an Azure Firewall managed through Azure Firewall Manager are not supported.

How do I view JIT access logs?

JIT access requests are logged in the Azure Activity Log as the operation Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action, shown in the portal as 'Initiate JIT Network Access Policy'. Filter the Activity Log on that operation, or query it with az monitor activity-log list or Get-AzActivityLog; for retention beyond the log's 90 days, send it to a Log Analytics workspace.

Can JIT be used with Azure Policy to enforce settings?

Yes, at the audit level. The built-in policy definition 'Management ports of virtual machines should be protected with just-in-time network access control' flags VMs that expose management ports without JIT, and it is part of the Microsoft cloud security benchmark initiative that Defender for Cloud assigns. Azure Policy does not set the JIT maximum duration for you; review each policy's maxRequestAccessDuration yourself.
