Azure Policy not working with Def. JIT (- Do not allow Any as source)

Jara Entren 25 Reputation points
2024-09-23T07:36:48.7833333+00:00

I am currently trying to prevent users from requesting Azure JIT VM access coming from the Source IP addresses "Any".

According to this thread, https://learn.microsoft.com/en-us/answers/questions/846584/azure-vm-jit-do-not-allow-any-as-source , you could solve this using Azure Policy.

So far I've tried a policy that looks like this:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Security/locations/jitNetworkAccessPolicies"
        },
        {
          "anyOf": [
            {
              "field": "Microsoft.Security/locations/jitNetworkAccessPolicies/requests[*].virtualMachines[*].ports[*].allowedSourceAddressPrefix",
              "notLike": "12.34.56.78"
            },
            {
              "field": "Microsoft.Security/locations/jitNetworkAccessPolicies/requests[*].virtualMachines[*].ports[*].allowedSourceAddressPrefixes",
              "notLike": "12.34.56.78"
            },
            {
              "field": "Microsoft.Security/locations/jitNetworkAccessPolicies/requests[*].virtualMachines[*].ports[*].allowedSourceAddressPrefixes[*]",
              "notLike": "12.34.56.78"
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}

I initially tried with */32 but I then realized you can't enter IP ranges. Even with this policy, I can still request any IP even though you're only supposed to request the dummy IP 12.34.56.78 (I'm aware that this might be a public IP, this is just on a dummy machine).

I checked sample API calls and even checked the network traffic from the request page but was unable to solve this. For reference, here's the sample call: https://learn.microsoft.com/en-us/rest/api/defenderforcloud/jit-network-access-policies/initiate?view=rest-defenderforcloud-2020-01-01&tabs=HTTP#initiate-an-action-on-a-jit-network-access-policy

Checking logs from the JIT "policy", I wasn't even able to find the source IP in the logs.

Q&A Assist and Copilot weren't able to solve this.

Thanks to @kobulloc-MSFT I was able to get paid Microsoft Azure Dev Dev support for free and they suggested the following policy:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Security/locations/jitNetworkAccessPolicies"
        },
        {
          "count": {
            "field": "Microsoft.Security/locations/jitNetworkAccessPolicies/virtualMachines[*]",
            "where": {
              "count": {
                "field": "Microsoft.Security/locations/jitNetworkAccessPolicies/virtualMachines[*].ports[*]",
                "where": {
                  "allOf": [
                    {
                      "field": "Microsoft.Security/locations/jitNetworkAccessPolicies/virtualMachines[*].ports[*].number",
                      "equals": "3389"
                    },
                    {
                      "field": "Microsoft.Security/locations/jitNetworkAccessPolicies/virtualMachines[*].ports[*].allowedSourceAddressPrefix",
                      "equals": "*"
                    }
                  ]
                }
              },
              "greater": 0
            }
          },
          "greater": 0
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}

Them suggesting this policy implicates to me, that they expect this to work as expected and fix my issue. Unfortunately the policy didn't do anything.

After waiting a long time I received this message from them indicating to me, that it doesn't work properly as expected - they also included a request:

"
Following a discussion with the internal team, it has been confirmed that blocking access when Just-In-Time (JIT) has already been enabled is not feasible. The policy does not recognize the POST request as an actionable item (refer to the details below).

{
  "requests": [
    {
      "content": {
        "virtualMachines": [
          {
            "id": "/subscriptions/703b95e0-2d8d-424d-ae41-0e985775d59d/resourcegroups/test/providers/Microsoft.Compute/virtualMachines/reasreas",
            "ports": [
              {
                "number": 3389,
                "duration": "PT3H",
                "allowedSourceAddressPrefix": "*"
              }
            ]
          }
        ]
      },
      "httpMethod": "POST",
      "name": "fca74d92-5fff-4147-836e-73610d96f0d3",
      "requestHeaderDetails": {
        "commandName": "Microsoft_Azure_Compute."
      },
      "url": "https://management.azure.com/subscriptions/703b95e0-2d8d-424d-ae41-0e985775d59d/resourceGroups/test/providers/Microsoft.Security/locations/eastus/jitNetworkAccessPolicies/default/initiate?api-version=2015-06-01-preview"
    }
  ]
}

The only aspect that can be restricted is the initial enablement of JIT, as per the policy I previously shared.
"

To me it seems like the fact that it doesn't recognize the POST request is either really counterintuitive or the feature is absolutely flawed. Keep in mind that to me, Azure Policy is meant to be able to manage every part of Azure, that's why this behaviour seems really confusing to me.

Work with the support team is rather slow right now, this is why I am taking this to you.

I'd love if someone from the Azure Policy team would get in touch so we can chat about this and find a solution to this. I'm already in talks with the Virtual Machine team seperately.

This is my previous article, similar to this one but updated - read any steps we already took there: https://learn.microsoft.com/en-us/answers/questions/1666253/azure-policy-vm-jit-do-not-allow-any-as-source

Please be advised of these similar posts where the same problems were encountered:

https://learn.microsoft.com/en-us/answers/questions/846584/azure-vm-jit-do-not-allow-any-as-source

Here you can see that Azure Policy is listed as a solution even though it doesn't work (anymore?)

https://learn.microsoft.com/en-us/answers/questions/846584/azure-vm-jit-do-not-allow-any-as-source

No solution was found here, users also observed that the aliases do not work.

To summarize again: I think this feature is bugged or flawed, since multiple users & engineers encounter this feature not working as intended. Especially since it just overwrites NSG policies set with Azure Policy. Please take a look at this.

Best regards,

J

Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
878 questions
Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,370 questions
0 comments No comments
{count} vote

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.