i want to create a powershell script to request JIT using a service account for azure virtual machines

Question

i want to create a powershell script to request JIT using a service account for azure virtual machines

B Satyanarayana 0

I want to create a powershell script which enables request JIT access for all users using service account instead of each user requesting access every time.

Aslam Mohammad 400 Reputation points Microsoft External Staff Moderator

2025-06-09T15:57:56.01+00:00
Hi B Satyanarayana

I understand you want to create a powershell script to request JIT using a service account for azure virtual machines

Assign Network Contributor or Virtual Machine Contributor roles to service principal

You need to have Az.Security module installed (Install-Module Az.Security).

can you please follow this steps:

Variables

$subscriptionId = "<your-subscription-id>"

$tenantId = "<your-tenant-id>"

$resourceGroup = "<your-resource-group>"

$appId = "<your-service-principal-appid>"

$appSecret = "<your-service-principal-secret>"

Create a Service Principal

$sp = New-AzADServicePrincipal -DisplayName "JITServiceAccount" -Role "Virtual Machine Contributor" -Scope "/subscriptions/<subscription-id>/resourceGroups/$resourceGroup"

Save these for later

$sp.ApplicationId

$sp.Secret

Connect using the service principal

$securePassword = ConvertTo-SecureString $appSecret -AsPlainText -Force

$creds = New-Object System.Management.Automation.PSCredential ($appId, $securePassword)

Connect-AzAccount -ServicePrincipal -Credential $creds -Tenant $tenantId -SubscriptionId $subscriptionId

Get all VMs in resource group

$vms = Get-AzVM -ResourceGroupName $resourceGroup Loop Through Each VM foreach ($vm in $vms) { ... } Get JIT Policy for Each VM $jitPolicies = Get-AzJitNetworkAccessPolicy -ResourceGroupName $resourceGroup $policy = $jitPolicies | Where-Object { $_.VirtualMachines -contains $vm.Id } If No Policy Found if ($policy -eq $null) { Write-Warning "No JIT policy found for VM $($vm.Name). Skipping..." continue } Define Port Access Request $portsRequest = @( @{ Number = 3389 Protocol = "TCP" AllowedSourceAddressPrefix = "*" MaxRequestAccessDuration = "PT3H" } ) Invoke JIT access request Invoke-AzJitNetworkAccessPolicy -ResourceGroupName $resourceGroup ` -Name $policy.Name ` -VirtualMachineId $vm.Id ` -Ports $portsRequest ` -Justification "Automated JIT access via service principal" }

If you have any further queries, let me know. If the information is helpful, please click on Upvote.

Thank you.
Aslam Mohammad 400 Reputation points Microsoft External Staff Moderator

2025-06-10T08:10:07.6366667+00:00

Hi B Satyanarayana

Just checking in to see if you had a chance to review the response provided to your question.

Feel free to reach out if you have any further queries.

If you found the information helpful, please click "Upvote" on the post to let us know and consider accepting the answer as the token of appreciation.

Thank You.
Aslam Mohammad 400 Reputation points Microsoft External Staff Moderator

2025-06-11T08:19:40.45+00:00

Hi B Satyanarayana
Just checking in to see if you had a chance to review the response provided to your question.

Feel free to reach out if you have any further queries.

If you found the information helpful, please click "Upvote" on the post to let us know and consider accepting the answer as the token of appreciation.

Thank You.
B Satyanarayana 0 Reputation points

2025-06-11T13:47:17.2766667+00:00

HI I tried above script i get error

Get-AzJitNetworkAccessPolicy: The client 'myid' with object id 'sds' does not have authorization to perform action 'Microsoft.Security/locations/jitNetworkAccessPolicies/read' over scope '/subscriptions/2c/resourceGroups//providers/Microsoft.Security/locations/West Central US/jitNetworkAccessPolicies/' or the scope is invalid. If access was recently granted, please refresh your credentials.

I have owner access to subscription
Aslam Mohammad 400 Reputation points Microsoft External Staff Moderator

2025-06-12T08:43:15.48+00:00
Hi B Satyanarayana,

Can you please follow these steps:

The error is showing Azure account doesn't have sufficient permissions to perform a Just-in-Time (JIT) Network Access Policy read action,

even if you are an owner at the subscription level.

JIT is a Microsoft defender feature if Defender for Cloud is not enabled, the JIT feature won't work even if you're an Owner on the subscription.

once check permissions with Azure RBAC

Even though you are a owner Microsoft Defender for Cloud you need the Security Reader role permissions

If you have just been assigned permissions, refresh your session

Disconnect-AzAccount Connect-AzAccount

If you have any further queries, let me know. If the information is helpful, please click on Upvote.

Thank you.
Aslam Mohammad 400 Reputation points Microsoft External Staff Moderator

2025-06-13T08:51:31.4733333+00:00

Hi B Satyanarayana,

Just checking in to see if you had a chance to review the response provided to your question.

Feel free to reach out if you have any further queries.

If you found the information helpful, please click "Upvote" on the post to let us know and consider accepting the answer as the token of appreciation.

Thank You.
Aslam Mohammad 400 Reputation points Microsoft External Staff Moderator

2025-06-16T08:26:03.56+00:00

Hi B Satyanarayana,

Just checking in to see if you had a chance to review the response provided to your question.

Feel free to reach out if you have any further queries.

If you found the information helpful, please click "Upvote" on the post to let us know and consider accepting the answer as the token of appreciation.

Thank You.
B Satyanarayana 0 Reputation points

2025-06-16T11:50:55.0133333+00:00

I tried all the above steps and below are error details :

Start-AzJitNetworkAccessPolicy: Cannot validate argument on parameter 'ResourceId'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.

Error 2:

Connect-AzAccount: Authentication failed against tenant 47. User interaction is required. This may be due to the conditional access policy settings such as multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId 7'.

Error: 3

Could not find tenant id for provided tenant domain '7'. Please ensure that the provided service principal 'd' is found in the provided tenant domain.

Get-AzJitNetworkAccessPolicy: The client 'v-' with object id '1a5' does not have authorization to perform action 'Microsoft.Security/locations/jitNetworkAccessPolicies/read' over scope '/subscriptions/2c/resourceGroups/RG-VMSS/providers/Microsoft.Security/locations/West Central US/jitNetworkAccessPolicies/Jitautomation' or the scope is invalid. If access was recently granted, please refresh your credentials.
Aslam Mohammad 400 Reputation points Microsoft External Staff Moderator

2025-06-16T13:39:54.6966667+00:00

Hi B Satyanarayana,

Start-AzJitNetworkAccessPolicy: Argument 'ResourceId' is null or empty

you are calling Start-AzJitNetworkAccessPolicy without specifying the ResourceId parameter, or it’s an empty string.

Replace <subscriptionId>, <resourceGroupName>, <vmName>, and <policyName> with your actual values.

Connect-AzAccount

Run an interactive login specifying the tenant ID

Connect-AzAccount -TenantId "<tenantId>"

use the correct tenant GUID,You can get the tenant ID from the Azure portal

you’re passing a wrong or incomplete tenant domain or ID ('7') which is invalid.

Run this command

Get-AzTenant

To get the tenant id

Authorization error on Get-AzJitNetworkAccessPolicy

The error is showing Azure account doesn't have sufficient permissions to perform a Just-in-Time (JIT) Network Access Policy read action,

Assign appropriate role Security Reader or a custom role with Microsoft.Security/* permissions to service principal.

New-AzRoleAssignment -ObjectId <user-or-sp-objectId> -RoleDefinitionName "Security Reader" -Scope "/subscriptions/<subscriptionId>"

After granting permissions, re-authenticate (Connect-AzAccount) to refresh your credentials

If you have any queries, please do let us know, we will help you.
Aslam Mohammad 400 Reputation points Microsoft External Staff Moderator

2025-06-17T08:38:01.0533333+00:00

Hi B Satyanarayana,

Just checking in to see if you had a chance to review the response provided to your question.

Feel free to reach out if you have any further queries.
B Satyanarayana 0 Reputation points

2025-06-17T13:06:20.6066667+00:00
I am still getting the same error :

Can you please what changes are required to be made to the script

I provided security reader,Admin and devops role to Service account still same error message.

here is the script i am using

$tenantId = ""

$appId = ""

$clientSecret = ""

$subscriptionId = ""

$vmResourceId = "/subscriptions/$d6471423-d073-4857-afef-c0957cd42164/resourceGroups/RG-VMSS/providers/Microsoft.Compute/virtualMachines/VM-"

$location = " US"

$secureSecret = ConvertTo-SecureString $clientSecret -AsPlainText -Force

$creds = New-Object System.Management.Automation.PSCredential ($appId, $secureSecret)

Connect-AzAccount -ServicePrincipal -Credential $creds -TenantId $tenantId -Subscription $subscriptionId

$jitPolicy = Get-AzJitNetworkAccessPolicy -Location $location | Where-Object { $_.VirtualMachines.id -eq $vmResourceId }

$jitVm = @{

Id = $vmResourceId Ports = @( @{ Number = 3389 Protocol = "TCP" AllowedSourceAddressPrefix = "" AllowedSourceAddressPrefixType = "IPAddress" MaxRequestAccessDuration = "PT1H" } )

}

$requestBody = @{

VirtualMachines = @($jitVm)

}

Start-AzJitNetworkAccessPolicy -ResourceId "/subscriptions/d6471423-d073-4857-afef-c0957cd42164/resourceGroups/-VM/providers/Microsoft.Security/locations/West Central US/jitNetworkAccessPolicies/default" -VirtualMachine $JitPolicyArr

Aslam Mohammad 400 Microsoft External Staff Moderator

Hi B Satyanarayana,

you cannot use this ServicePrincipal to give other users JIT access unless they also use the same credentials.

you can automate the JIT request from a central service account (like a DevOps pipeline or automation script)

First enable JIT on vms

Go to Defender for Cloud and Workload protections

Select each VM to Just-in-time VM access and Enable JIT

Configure ports RDP 3389 for Windows,

Save the JIT configuration

create a service principal

az ad sp create-for-rbac --name "jit-access-sp" --role "Virtual Machine Contributor" --scopes /subscriptions/<subscription-id>

Replace <subscription-id> with your Azure Subscription ID

Assign Service Principal RBAC Access

Give the SP permissions to the VMs

az role assignment create --assignee <appId> \
  --role "Virtual Machine Contributor" \
  --scope /subscriptions/<subscription-id>/resourceGroups/<rg-name>

Script for Users to Request JIT Access via SP

# Variables from SP
$tenantId = "<tenant>"
$appId = "<appId>"
$secret = "<password>"
# VM Details
$subscriptionId = "<subscription-id>"
$resourceGroup = "<rg-name>"
$vmName = "<vm-name>"
$location = "<region>"   
$port = 22               
# Connect using SP
Connect-AzAccount -ServicePrincipal -Tenant $tenantId -ApplicationId $appId -Credential (ConvertTo-SecureString $secret -AsPlainText -Force)
Set-AzContext -SubscriptionId $subscriptionId
# Get the VM
$vm = Get-AzVM -Name $vmName -ResourceGroupName $resourceGroup
# Request JIT access
Start-AzJitNetworkAccessPolicy -Location $location -Name $vmName `
  -ResourceGroupName $resourceGroup `
  -VirtualMachineId $vm.Id `
  -Port $port `
  -AllowedSourceAddress "<User_Public_IP>" `
  -Duration "01:00:00"

Now run the script

Please refer this document:
https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage?source=recommendations

If you have any further queries, let me know. If the information is helpful, please click on Upvote.

Thank you.

Aslam Mohammad 400 Reputation points Microsoft External Staff Moderator

2025-06-20T09:24:42.6433333+00:00

Hi B Satyanarayana,

Just checking in to see if you had a chance to review the response provided to your question.

Feel free to reach out if you have any further queries.

If you found the information helpful, please click "Upvote" on the post to let us know and consider accepting the answer as the token of appreciation.

Thank You.

1 answer

Your answer

Aslam Mohammad 400 Reputation points Microsoft External Staff Moderator

2025-06-10T08:10:07.6366667+00:00

Hi B Satyanarayana

Just checking in to see if you had a chance to review the response provided to your question.

Feel free to reach out if you have any further queries.

If you found the information helpful, please click "Upvote" on the post to let us know and consider accepting the answer as the token of appreciation.

Thank You.
Aslam Mohammad 400 Reputation points Microsoft External Staff Moderator

2025-06-11T08:19:40.45+00:00

Hi B Satyanarayana
Just checking in to see if you had a chance to review the response provided to your question.

Feel free to reach out if you have any further queries.

If you found the information helpful, please click "Upvote" on the post to let us know and consider accepting the answer as the token of appreciation.

Thank You.
B Satyanarayana 0 Reputation points

2025-06-11T13:47:17.2766667+00:00

HI I tried above script i get error

Get-AzJitNetworkAccessPolicy: The client 'myid' with object id 'sds' does not have authorization to perform action 'Microsoft.Security/locations/jitNetworkAccessPolicies/read' over scope '/subscriptions/2c/resourceGroups//providers/Microsoft.Security/locations/West Central US/jitNetworkAccessPolicies/' or the scope is invalid. If access was recently granted, please refresh your credentials.

I have owner access to subscription
Aslam Mohammad 400 Reputation points Microsoft External Staff Moderator

2025-06-12T08:43:15.48+00:00

Hi B Satyanarayana,

Can you please follow these steps:

The error is showing Azure account doesn't have sufficient permissions to perform a Just-in-Time (JIT) Network Access Policy read action,

even if you are an owner at the subscription level.

JIT is a Microsoft defender feature if Defender for Cloud is not enabled, the JIT feature won't work even if you're an Owner on the subscription.

once check permissions with Azure RBAC

Even though you are a owner Microsoft Defender for Cloud you need the Security Reader role permissions

If you have just been assigned permissions, refresh your session

Disconnect-AzAccount Connect-AzAccount

If you have any further queries, let me know. If the information is helpful, please click on Upvote.

Thank you.
Aslam Mohammad 400 Reputation points Microsoft External Staff Moderator

2025-06-13T08:51:31.4733333+00:00

Hi B Satyanarayana,

Just checking in to see if you had a chance to review the response provided to your question.

Feel free to reach out if you have any further queries.

If you found the information helpful, please click "Upvote" on the post to let us know and consider accepting the answer as the token of appreciation.

Thank You.
Aslam Mohammad 400 Reputation points Microsoft External Staff Moderator

2025-06-16T08:26:03.56+00:00

Hi B Satyanarayana,

Just checking in to see if you had a chance to review the response provided to your question.

Feel free to reach out if you have any further queries.

If you found the information helpful, please click "Upvote" on the post to let us know and consider accepting the answer as the token of appreciation.

Thank You.
B Satyanarayana 0 Reputation points

2025-06-16T11:50:55.0133333+00:00

I tried all the above steps and below are error details :

Start-AzJitNetworkAccessPolicy: Cannot validate argument on parameter 'ResourceId'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.

Error 2:

Connect-AzAccount: Authentication failed against tenant 47. User interaction is required. This may be due to the conditional access policy settings such as multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId 7'.

Error: 3

Could not find tenant id for provided tenant domain '7'. Please ensure that the provided service principal 'd' is found in the provided tenant domain.

Get-AzJitNetworkAccessPolicy: The client 'v-' with object id '1a5' does not have authorization to perform action 'Microsoft.Security/locations/jitNetworkAccessPolicies/read' over scope '/subscriptions/2c/resourceGroups/RG-VMSS/providers/Microsoft.Security/locations/West Central US/jitNetworkAccessPolicies/Jitautomation' or the scope is invalid. If access was recently granted, please refresh your credentials.
Aslam Mohammad 400 Reputation points Microsoft External Staff Moderator

2025-06-16T13:39:54.6966667+00:00

Hi B Satyanarayana,

Start-AzJitNetworkAccessPolicy: Argument 'ResourceId' is null or empty

you are calling Start-AzJitNetworkAccessPolicy without specifying the ResourceId parameter, or it’s an empty string.

Replace <subscriptionId>, <resourceGroupName>, <vmName>, and <policyName> with your actual values.

Connect-AzAccount

Run an interactive login specifying the tenant ID

Connect-AzAccount -TenantId "<tenantId>"

use the correct tenant GUID,You can get the tenant ID from the Azure portal

you’re passing a wrong or incomplete tenant domain or ID ('7') which is invalid.

Run this command

Get-AzTenant

To get the tenant id

Authorization error on Get-AzJitNetworkAccessPolicy

The error is showing Azure account doesn't have sufficient permissions to perform a Just-in-Time (JIT) Network Access Policy read action,

Assign appropriate role Security Reader or a custom role with Microsoft.Security/* permissions to service principal.

New-AzRoleAssignment -ObjectId <user-or-sp-objectId> -RoleDefinitionName "Security Reader" -Scope "/subscriptions/<subscriptionId>"

After granting permissions, re-authenticate (Connect-AzAccount) to refresh your credentials

If you have any queries, please do let us know, we will help you.
Aslam Mohammad 400 Reputation points Microsoft External Staff Moderator

2025-06-17T08:38:01.0533333+00:00

Hi B Satyanarayana,

Just checking in to see if you had a chance to review the response provided to your question.

Feel free to reach out if you have any further queries.
B Satyanarayana 0 Reputation points

2025-06-17T13:06:20.6066667+00:00

I am still getting the same error :

Can you please what changes are required to be made to the script

I provided security reader,Admin and devops role to Service account still same error message.

here is the script i am using

$tenantId = ""

$appId = ""

$clientSecret = ""

$subscriptionId = ""

$vmResourceId = "/subscriptions/$d6471423-d073-4857-afef-c0957cd42164/resourceGroups/RG-VMSS/providers/Microsoft.Compute/virtualMachines/VM-"

$location = " US"

$secureSecret = ConvertTo-SecureString $clientSecret -AsPlainText -Force

$creds = New-Object System.Management.Automation.PSCredential ($appId, $secureSecret)

Connect-AzAccount -ServicePrincipal -Credential $creds -TenantId $tenantId -Subscription $subscriptionId

$jitPolicy = Get-AzJitNetworkAccessPolicy -Location $location | Where-Object { $_.VirtualMachines.id -eq $vmResourceId }

$jitVm = @{

Id = $vmResourceId Ports = @( @{ Number = 3389 Protocol = "TCP" AllowedSourceAddressPrefix = "" AllowedSourceAddressPrefixType = "IPAddress" MaxRequestAccessDuration = "PT1H" } )

}

$requestBody = @{

VirtualMachines = @($jitVm)

}

Start-AzJitNetworkAccessPolicy -ResourceId "/subscriptions/d6471423-d073-4857-afef-c0957cd42164/resourceGroups/-VM/providers/Microsoft.Security/locations/West Central US/jitNetworkAccessPolicies/default" -VirtualMachine $JitPolicyArr
Aslam Mohammad 400 Reputation points Microsoft External Staff Moderator

2025-06-20T09:24:42.6433333+00:00

Hi B Satyanarayana,

Just checking in to see if you had a chance to review the response provided to your question.

Feel free to reach out if you have any further queries.

If you found the information helpful, please click "Upvote" on the post to let us know and consider accepting the answer as the token of appreciation.

Thank You.

Answer 1

Hello !

Thank you for posting on Microsoft Learn.

In your case, you need to use the Azure Security Center REST API or Az.Security module because JIT VM access is managed via Azure Security Center (Defender for Cloud).

Don't forget that :

You cannot request JIT access on behalf of all users using a single service account, because the access is granted to the requesting identity only
You can automate the JIT request from a central service account (like a DevOps pipeline or automation script) for specific ports, durations, IP ranges
You need RBAC permission: Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action

Before you create your script, you need to do the following :

register an Azure AD App with Client Secret
grant it Security Reader and JIT-specific roles at subscription/resource group level.
install the modules:

Install-Module -Name Az.Accounts -Force
Install-Module -Name Az.Security -Force

Then your script :

$tenantId = "<tenant-id>"
$appId = "<client-id>"
$clientSecret = "<client-secret>"
$subscriptionId = "<subscription-id>"
$vmResourceId = "/subscriptions/$subscriptionId/resourceGroups/<rg-name>/providers/Microsoft.Compute/virtualMachines/<vm-name>"
$location = "<vm-region>" 
$secureSecret = ConvertTo-SecureString $clientSecret -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ($appId, $secureSecret)
Connect-AzAccount -ServicePrincipal -Credential $creds -TenantId $tenantId -Subscription $subscriptionId
$jitPolicy = Get-AzJitNetworkAccessPolicy -Location $location | Where-Object { $_.VirtualMachines.id -eq $vmResourceId }
$jitVm = @{
    Id = $vmResourceId
    Ports = @(
        @{
            Number = 3389
            Protocol = "TCP"
            AllowedSourceAddressPrefix = "Your.IP.Here/32"
            AllowedSourceAddressPrefixType = "IPAddress"
            MaxRequestAccessDuration = "PT1H"
        }
    )
}
$requestBody = @{
    VirtualMachines = @($jitVm)
}
Start-AzJitNetworkAccessPolicy -Location $location -ResourceId $jitPolicy.Id -VirtualMachine $jitVm

If my answer helped, you don’t forget to the "Upvote" and "Accept the answer" to make it beneficial to other community members reading this thread.

B Satyanarayana 0 Reputation points

2025-06-09T15:17:48.0766667+00:00

@Amira Bedhiafi : I tried running the query but i get below error :

. You can locate your tenant id by following the instructions listed here: https://learn.microsoft.com/partner-center/find-ids-and-domain-names (Parameter 'tenantId')

Could not find tenant id for provided tenant domain '<>'. Please ensure that the provided service principal '<>' is found in the provided tenant domain.

But we have only one tenant. how can i fix this
B Satyanarayana 0 Reputation points

2025-06-13T09:05:26.54+00:00

One last question. Can we run this from cloudshell?
Aslam Mohammad 400 Reputation points Microsoft External Staff Moderator

2025-06-13T12:17:15.7566667+00:00

Hi B Satyanarayana,

Yes, you can run this script in Cloud Shell; just make sure to switch to the PowerShell environment.

Thank you,

Share via

i want to create a powershell script to request JIT using a service account for azure virtual machines

1 answer

Your answer