Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
No possible to disable totally JIT (it gets reenabled every time)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 28.000000000000004%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERA%3C/text%3E%3C/svg%3E)
Rodriguez Antonio
0
Reputation points
Hello,
In order to access easily Linux VM using ssh (and jump box), Customer asked me to eliminate JIT access to VMs in all subscriptions (they have a Defender for Servers Plan 2).
I deleted the JIT per VM going to Defender for Cloud, Cloud Security, Workload Protections, Just-in time VM Access and then delete all VM in the "configured" section. But when I try to access using RDP to one VM using connect in the VM blade, it appears "configure jit + request access" and I have to click it to be able to download the rdp for the VM.
Then, coming back to the Defender for Cloud area (selecting "manage JIT" also), I can see again this VM in the configured area for JIT.
Then, checking Azure Policies the only one I saw related to this is in a policy inside the ASC initiative (per subscription) the policy "Management ports of virtual machines should be protected with just-in-time network access control" but it is in audit mode, and seems it does not support removing jit (allowed values are AuditIfNotExits and disable).
Any experience on this?
thanks!
Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 85%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVS%3C/text%3E%3C/svg%3E)
VEMULA SRISAI 5,585 Reputation points Microsoft External Staff Moderator2025-12-19T09:12:23.88+00:00 Hello Rodriguez Antonio,
The reason JIT keeps re‑appearing is because the subscription is onboarded to Microsoft Defender for Servers Plan 2. In Plan 2, JIT is a built‑in protection feature. When the VM exposes SSH/RDP ports, Defender automatically re‑enables JIT—even if you delete it manually.
Azure Policy is not enforcing JIT. Defender for Servers Plan 2 itself enforces the protection and re‑creates the JIT configuration.
To fully disable JIT across all VMs
You must disable Defender for Servers Plan 2 on the subscription or downgrade to Defender for Servers Plan 1.
Path: Defender for Cloud → Environment settings → Select Subscription → Defender Plans → Disable/Change Plan for “Servers Plan 2”
Once Plan 2 is turned off:
- JIT will not be auto-applied
- VMs will stop re‑appearing in JIT “Configured” list
- VM blade will stop showing “Configure JIT + request access”
- RDP/SSH access will behave normally
There is no per‑VM or per‑subscription switch to turn off JIT while still using Plan 2. The only way is removing Plan 2.
Sign in to comment
Sign in to answer