I am currently trying to prevent users from requesting Azure JIT VM access with the source IP address "Any".
According to this thread, https://video2.skills-academy.com/en-us/answers/questions/846584/azure-vm-jit-do-not-allow-any-as-source, you could solve this using Azure Policy.
So far I've tried a policy that looks like this:
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Security/locations/jitNetworkAccessPolicies"
        },
        {
          "anyOf": [
            {
              "field": "Microsoft.Security/locations/jitNetworkAccessPolicies/requests[*].virtualMachines[*].ports[*].allowedSourceAddressPrefix",
              "notLike": "12.34.56.78"
            },
            {
              "field": "Microsoft.Security/locations/jitNetworkAccessPolicies/requests[*].virtualMachines[*].ports[*].allowedSourceAddressPrefixes",
              "notLike": "12.34.56.78"
            },
            {
              "field": "Microsoft.Security/locations/jitNetworkAccessPolicies/requests[*].virtualMachines[*].ports[*].allowedSourceAddressPrefixes[*]",
              "notLike": "12.34.56.78"
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}
I initially tried with */32 but I then realized you can't enter IP ranges. Even with this policy, I can still request any IP even though you're only supposed to request the dummy IP 12.34.56.78 (I'm aware that this might be a public IP, this is just on a dummy machine).
I checked sample API calls and even checked the network traffic from the request page but was unable to solve this.
For reference, here's the sample call: https://video2.skills-academy.com/en-us/rest/api/defenderforcloud/jit-network-access-policies/initiate?view=rest-defenderforcloud-2020-01-01&tabs=HTTP#initiate-an-action-on-a-jit-network-access-policy
Checking logs from the JIT "policy", I wasn't even able to find the source IP in the logs.
Part of the network dump looks like this:
Can anyone please help me here or even point me in the right direction on how to get in proper touch with Microsoft? I'd be willing to pay MS support to get this out of the way.
Q&A Assist and Copilot weren't able to solve this.
Best regards,
J
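As a compensating detective control while the preventive policy is unresolved, the following added example (not from the post or from Microsoft) audits an exported JIT policy resource for request ports whose source is "*" (Any) or outside an approved range. It walks the same `requests[*].virtualMachines[*].ports[*].allowedSourceAddressPrefix` / `allowedSourceAddressPrefixes` path the post's policy targets; the sample policy JSON, the VM ids `vm-a`/`vm-b` and the approved range are constructed for illustration.

```python
"""Flag JIT access requests whose allowed source is "Any" or not in an allow-list.
Added example; property path follows the aliases in the post's policy attempt."""
import ipaddress
import json

# Approved source ranges (the post's dummy address stands in for a real one).
APPROVED = [ipaddress.ip_network("12.34.56.78/32")]

# Constructed sample shaped like a JIT policy resource with two active requests.
SAMPLE_POLICY = json.dumps({
    "properties": {
        "requests": [
            {"virtualMachines": [{"id": "vm-a", "ports": [
                {"number": 22, "allowedSourceAddressPrefix": "12.34.56.78"},
                {"number": 3389, "allowedSourceAddressPrefix": "*"}]}]},
            {"virtualMachines": [{"id": "vm-b", "ports": [
                {"number": 22, "allowedSourceAddressPrefixes": ["12.34.56.78", "10.0.0.0/8"]}]}]},
        ]
    }
})


def _prefixes(port):
    """Collect both the singular and the plural source fields the post's policy covers."""
    out = []
    if "allowedSourceAddressPrefix" in port:
        out.append(port["allowedSourceAddressPrefix"])
    out.extend(port.get("allowedSourceAddressPrefixes", []))
    return out


def is_approved(prefix):
    """"*" (Any) and unparsable values are never approved; a CIDR or single IP
    is approved only if it lies entirely inside one APPROVED network."""
    if prefix == "*":
        return False
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False
    return any(net.subnet_of(a) for a in APPROVED if net.version == a.version)


def find_violations(policy_json):
    """Return (vm_id, port_number, prefix) for every request port source not approved."""
    hits = []
    for req in json.loads(policy_json).get("properties", {}).get("requests", []):
        for vm in req.get("virtualMachines", []):
            for port in vm.get("ports", []):
                hits += [(vm["id"], port["number"], p) for p in _prefixes(port) if not is_approved(p)]
    return hits


if __name__ == "__main__":
    for vm_id, number, prefix in find_violations(SAMPLE_POLICY):
        print(f"VIOLATION {vm_id} port {number}: source {prefix!r}")
```

Feeding it the JSON returned by a GET on the `jitNetworkAccessPolicies` resource lets you alert on "Any" requests even though the deny policy above never fires.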