Azure Policy & VM JIT - Do not allow Any as source

Jara Entren 25 Reputation points
2024-05-14T12:27:20.6233333+00:00

I am currently trying to prevent users from requesting Azure JIT VM access coming from the Source IP addresses "Any".

According to this thread, https://learn.microsoft.com/en-us/answers/questions/846584/azure-vm-jit-do-not-allow-any-as-source , you could solve this using Azure Policy.

So far I've tried a policy that looks like this:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Security/locations/jitNetworkAccessPolicies"
        },
        {
          "anyOf": [
            {
              "field": "Microsoft.Security/locations/jitNetworkAccessPolicies/requests[*].virtualMachines[*].ports[*].allowedSourceAddressPrefix",
              "notLike": "12.34.56.78"
            },
            {
              "field": "Microsoft.Security/locations/jitNetworkAccessPolicies/requests[*].virtualMachines[*].ports[*].allowedSourceAddressPrefixes",
              "notLike": "12.34.56.78"
            },
            {
              "field": "Microsoft.Security/locations/jitNetworkAccessPolicies/requests[*].virtualMachines[*].ports[*].allowedSourceAddressPrefixes[*]",
              "notLike": "12.34.56.78"
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}

I initially tried with */32 but I then realized you can't enter IP ranges. Even with this policy, I can still request any IP even though you're only supposed to request the dummy IP 12.34.56.78 (I'm aware that this might be a public IP, this is just on a dummy machine).

I checked sample API calls and even checked the network traffic from the request page but was unable to solve this.
For reference, here's the sample call: https://learn.microsoft.com/en-us/rest/api/defenderforcloud/jit-network-access-policies/initiate?view=rest-defenderforcloud-2020-01-01&tabs=HTTP#initiate-an-action-on-a-jit-network-access-policy

Checking logs from the JIT "policy", I wasn't even able to find the source IP in the logs.

Part of the network dump looks like this:


Can anyone please help me here or even point me in the right direction on how to get in proper touch with Microsoft? I'd be willing to pay MS support to get this out of the way.

Q&A Assist and Copilot weren't able to solve this.

Best regards,

J


1 answer

  1. kobulloc-MSFT 26,341 Reputation points Microsoft Employee
    2024-05-15T19:55:52.8266667+00:00

    Hello, @Jara Entren ! I reached out to the Defender for Cloud team and the recommendation was to lock access at the RBAC level. I'll go into more detail below.

    How do I prevent users from requesting Azure JIT VM access coming from the Source IP addresses "Any"?

    To prevent a user from configuring or editing the JIT policy for a VM, you can assign custom roles to your users that do not contain the Microsoft.Security/locations/jitNetworkAccessPolicies/write action:

    https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage#prerequisites


    You can set the JIT network policy using Set-AzJitNetworkAccessPolicy and specify the source address prefix with allowedSourceAddressPrefix :

    https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage#powershell

    Additional Reading:


    I hope this has been helpful! Your feedback is important so please take a moment to accept answers.

    If you still have questions, please let us know what is needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

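The two controls the answer recommends, written out as an added example (not code from the thread or from the Defender for Cloud docs): a custom RBAC role that can request JIT access but lacks the Microsoft.Security/locations/jitNetworkAccessPolicies/write action, and a Set-AzJitNetworkAccessPolicy call that pins the policy's allowedSourceAddressPrefix to one address instead of "*". SUBSCRIPTION_ID, RESOURCE_GROUP, VM_NAME, LOCATION and the address 203.0.113.10 are placeholders.

```powershell
# Added example: request-only custom role plus a JIT policy pinned to one source address.
# SUBSCRIPTION_ID, RESOURCE_GROUP, VM_NAME, LOCATION and 203.0.113.10 are placeholders.
$subscriptionId = "SUBSCRIPTION_ID"
$resourceGroup  = "RESOURCE_GROUP"
$vmName         = "VM_NAME"
$location       = "LOCATION"
$allowedSource  = "203.0.113.10"   # the only source the policy should accept, not "*"

# 1) Custom role: can view and request JIT access, but cannot create or edit the JIT policy,
#    because Microsoft.Security/locations/jitNetworkAccessPolicies/write is deliberately absent.
$role = Get-AzRoleDefinition -Name "Reader"   # clone a built-in role as the starting object
$role.Id = $null
$role.Name = "JIT Requester (no policy edit)"
$role.Description = "May request JIT access; may not configure JIT policies."
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action")
$role.Actions.Add("Microsoft.Security/locations/jitNetworkAccessPolicies/*/read")
$role.Actions.Add("Microsoft.Security/locations/*/read")
$role.Actions.Add("Microsoft.Security/policies/read")
$role.Actions.Add("Microsoft.Compute/virtualMachines/read")
$role.Actions.Add("Microsoft.Network/networkInterfaces/*/read")
$role.Actions.Add("Microsoft.Network/publicIPAddresses/read")
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")
New-AzRoleDefinition -Role $role

# 2) JIT policy for the VM: every port carries the pinned source prefix rather than "*".
$vmId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Compute/virtualMachines/$vmName"
$jitVm = @{
    id    = $vmId
    ports = @(
        @{ number = 3389; protocol = "*"; allowedSourceAddressPrefix = @($allowedSource); maxRequestAccessDuration = "PT3H" },
        @{ number = 22;   protocol = "*"; allowedSourceAddressPrefix = @($allowedSource); maxRequestAccessDuration = "PT3H" }
    )
}
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $location -Name "default" `
    -ResourceGroupName $resourceGroup -VirtualMachine @($jitVm)

# 3) Read the policy back and review the per-port source prefixes before assigning the role.
$policy = Get-AzJitNetworkAccessPolicy -ResourceGroupName $resourceGroup -Location $location -Name "default"
$policy.VirtualMachines | ForEach-Object { $_.Ports } |
    Select-Object Number, @{ n = "AllowedSource"; e = { $_.AllowedSourceAddressPrefix -join "," } }
```

Assign the new role (not Contributor or a role containing the write action) to the users who should only request access; whoever holds the write action can still change the prefix, so keep that to the policy owners.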

