Implement just-in-time VM access

  • 10 minutes

Just-in-time (JIT) virtual machine (VM) access is used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.

When you enable JIT VM Access for your VMs, you next create a policy that determines the ports to help protect, how long ports should remain open, and the approved IP addresses that can access these ports. The policy helps you stay in control of what users can do when they request access. Requests are logged in the Azure activity log, so you can easily monitor and audit access. The policy will also help you quickly identify the existing VMs that have JIT VM Access enabled and the VMs where JIT VM Access is recommended.

How JIT VM Access works

To use Just-in-Time VM access, you must enable Microsoft Defender for Cloud.

Screenshot of Azure Defender features.

After you enable Defender, you can view which virtual machines have JIT configured. Enable JIT on any virtual machine that isn't Healthy.

Screenshot of the recommended virtual machines page.

For each virtual machine, you're recommended specific ports and access.

Screenshot of port recommendations.

You can accept the recommendations or Add other ports of your choosing.

Screenshot of adding a port with recommended access.

Once everything is in place, users must request access to the virtual machine. You can also monitor the usage of each virtual machine.

Screenshot of requesting access to a virtual machine.