Azure Virtual Machine Just-In-Time Access

What is Just-In-Time Virtual Machine access?

Just in time virtual machine (VM) access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.

The JIT VM feature works like an automated set of Azure Network Security Group rules: it grants access to specific Azure VM(s) for a temporary period, on any set of ports, restricted to a given IP/network range.

Typically, Azure Security Center locks down inbound traffic to the specified ports. When access is requested, it opens a port by creating Network Security Group rule(s) for an appropriate time and only from approved IP addresses (in most cases the public IP address of our local machine), and only for users with proper permissions.

All the requests are also logged in the Azure Activity Log, so we can easily monitor and audit the access.

How does Azure VM JIT Access work?

When a user requests access to a VM, Security Center checks that the user has Role-Based Access Control (RBAC) permissions that provide write access for the VM. If they have write permissions, the request is approved and Security Center automatically configures the Network Security Groups (NSGs) to allow inbound traffic to the management ports for the amount of time you specified. After the time has expired, Security Center restores the NSGs to their previous state.

NOTE: The Free Tier does not include JIT VM Access, but you should get an option for a 60-day trial of the Standard Tier, which does.

Automating Azure VM Just in Time Access via PowerShell:

# Import Azure RM PSM
Import-Module AzureRM  
# Import Azure SecCenter PSM
Import-Module Azure-Security-Center

# resource group name
$resourceGroup = "ResourceGroupName"
# VM that will be started after updating the NSG
$VMName = "VM-01"
# Get my Public IP - Navigate to "" and get the Public IP
$ipAddress = ""
# paste the local RDP File
$RDPFile = "C:\Users\raghu\Downloads\vs2017-win2016.rdp"
# Hours for access
[int]$hours = 3

# Azure subscription to log in to (placeholder, replace with your own subscription ID)
$SubscriptionId = "<subscription-id>"

$cred = $null
$cred = Get-Credential -Message "Please enter the credentials to Login to Azure"

Login-AzureRmAccount -Credential $cred -SubscriptionId $SubscriptionId -ErrorAction Stop | Out-Null

# Main PowerShell script
# Requesting access to the Azure VM from the current public IP address for RDP (port 3389) for $hours hours
Invoke-ASCJITAccess -ResourceGroupName $resourceGroup -VM $VMName -Port 3389 -Hours $hours -AddressPrefix $ipAddress

$vmDetails = Get-AzureRmVM -ResourceGroupName $resourceGroup -Name $vmName -Status -ErrorAction Stop

# Starting the Azure Virtual Machine if in Deallocated status.
$VMPowerState = (Get-Culture).TextInfo.ToTitleCase(($vmDetails.Statuses)[1].Code.Split("/")[1])

if ($VMPowerState -eq "Deallocated") {
    try {
        # Starting Azure Virtual machine; -ErrorAction Stop sends failures to the catch block
        $vmstatus = Start-AzureRmVM -ResourceGroupName $resourceGroup -Name $VMName -ErrorAction Stop
        # Script sleeps for 2 mins to let the Azure VM start.
        Start-Sleep 120
        # Connecting to Azure Virtual Machine by using RDP Settings File
        Start-Process "$env:windir\system32\mstsc.exe" -ArgumentList $RDPFile
    } catch {
        Write-Host "Something went wrong when starting Azure VM Name: $VMName at - $(Get-Date -Format "dd-MMM-yyyy HH:mm:ss")" -ForegroundColor "red" -BackgroundColor "yellow"
    }
} else {
    # VM is already allocated, connect straight away
    Start-Process "$env:windir\system32\mstsc.exe" -ArgumentList $RDPFile
}

#End of the script

The script above imports two modules:

  1. AzureRM Module
  2. Azure-Security-Center

The Invoke-ASCJITAccess cmdlet, which requests the Just-In-Time access, comes from the Azure-Security-Center PowerShell module.

For execution with proper logs, please find the automated PowerShell script which enables Just-In-Time Access for the Azure Virtual Machine for Security Center: Technet Script Center Link
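
A pre-flight check for the values the script above passes to Invoke-ASCJITAccess, added here as an example and not part of the original post or of either module. The hypothetical Test-JitRequest helper rejects an empty or wildcard source, an over-broad range, a private address, and a window longer than an assumed 3-hour policy maximum.

```powershell
# Added example: Test-JitRequest is a hypothetical helper, not a cmdlet from
# AzureRM or Azure-Security-Center. MaxHours = 3 is an assumed policy limit.
function Test-JitRequest {
    param(
        [string]$AddressPrefix,
        [int]$Hours,
        [int]$MaxHours = 3,          # assumption: longest window your JIT policy allows
        [int]$MinPrefixLength = 32   # 32 = exactly one source address
    )
    $problems = @()
    if ($Hours -lt 1 -or $Hours -gt $MaxHours) { $problems += "Hours must be 1..$MaxHours (got $Hours)." }

    # An empty or wildcard source no longer limits access to an approved address.
    if ([string]::IsNullOrWhiteSpace($AddressPrefix) -or
        $AddressPrefix -in @('*', 'Any', 'Internet', '0.0.0.0/0')) {
        return $problems + "Source '$AddressPrefix' is empty or a wildcard."
    }
    # Accept "a.b.c.d" or "a.b.c.d/len" (IPv4 only in this example).
    $ipText, $lenText = $AddressPrefix -split '/', 2
    $ip = $null
    if ($ipText -notmatch '^\d{1,3}(\.\d{1,3}){3}$' -or
        -not [System.Net.IPAddress]::TryParse($ipText, [ref]$ip)) {
        return $problems + "'$ipText' is not a valid IPv4 address."
    }
    $len = 32
    if ($null -ne $lenText) {
        if ($lenText -notmatch '^\d{1,2}$' -or [int]$lenText -gt 32) {
            return $problems + "'/$lenText' is not a valid prefix length."
        }
        $len = [int]$lenText
    }
    if ($len -lt $MinPrefixLength) {
        $problems += "/$len is broader than the allowed /$MinPrefixLength."
    }
    # Private and loopback ranges are not the public IP that Azure sees.
    $b = $ip.GetAddressBytes()
    if ($b[0] -eq 10 -or $b[0] -eq 127 -or ($b[0] -eq 192 -and $b[1] -eq 168) -or
        ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31)) {
        $problems += "$ipText is a private or loopback address."
    }
    return $problems
}

# Constructed sample inputs (203.0.113.0/24 is a documentation range).
foreach ($src in '', '*', '203.0.113.7', '203.0.113.0/24', '192.168.1.10') {
    $issues = @(Test-JitRequest -AddressPrefix $src -Hours 3)
    if ($issues.Count -eq 0) { "OK      '$src'" } else { "BLOCKED '$src': $($issues -join ' ')" }
}
```

In the script, call it with $ipAddress and $hours before Invoke-ASCJITAccess and stop if it returns anything.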

Raghuram Korukonda

I spend most of my time working on Azure and contributing to Microsoft Azure and other open source communities. I am passionate about technology and helping people embrace it to the fullest.

Hyderabad, India
