Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,427 questions
Azure Policy not working with Def. JIT (- Do not allow Any as source)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 14.000000000000002%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJE%3C/text%3E%3C/svg%3E)
Jara Entren
25
Reputation points
I am currently trying to prevent users from requesting Azure JIT VM access coming from the Source IP addresses "Any".
According to this thread, https://video2.skills-academy.com/en-us/answers/questions/846584/azure-vm-jit-do-not-allow-any-as-source , you could solve this using Azure Policy.
So far I've tried a policy that looks like this:
{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Security/locations/jitNetworkAccessPolicies"
},
{
"anyOf": [
{
"field": "Microsoft.Security/locations/jitNetworkAccessPolicies/requests[*].virtualMachines[*].ports[*].allowedSourceAddressPrefix",
"notLike": "12.34.56.78"
},
{
"field": "Microsoft.Security/locations/jitNetworkAccessPolicies/requests[*].virtualMachines[*].ports[*].allowedSourceAddressPrefixes",
"notLike": "12.34.56.78"
},
{
"field": "Microsoft.Security/locations/jitNetworkAccessPolicies/requests[*].virtualMachines[*].ports[*].allowedSourceAddressPrefixes[*]",
"notLike": "12.34.56.78"
}
]
}
]
},
"then": {
"effect": "deny"
}
},
"parameters": {}
}
I initially tried with */32 but I then realized you can't enter IP ranges. Even with this policy, I can still request any IP even though you're only supposed to request the dummy IP 12.34.56.78 (I'm aware that this might be a public IP, this is just on a dummy machine).
I checked sample API calls and even checked the network traffic from the request page but was unable to solve this. For reference, here's the sample call: https://video2.skills-academy.com/en-us/rest/api/defenderforcloud/jit-network-access-policies/initiate?view=rest-defenderforcloud-2020-01-01&tabs=HTTP#initiate-an-action-on-a-jit-network-access-policy
Checking logs from the JIT "policy", I wasn't even able to find the source IP in the logs.
Q&A Assist and Copilot weren't able to solve this.
Thanks to @kobulloc-MSFT I was able to get paid Microsoft Azure Dev Dev support for free and they suggested the following policy:
{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Security/locations/jitNetworkAccessPolicies"
},
{
"count": {
"field": "Microsoft.Security/locations/jitNetworkAccessPolicies/virtualMachines[*]",
"where": {
"count": {
"field": "Microsoft.Security/locations/jitNetworkAccessPolicies/virtualMachines[*].ports[*]",
"where": {
"allOf": [
{
"field": "Microsoft.Security/locations/jitNetworkAccessPolicies/virtualMachines[*].ports[*].number",
"equals": "3389"
},
{
"field": "Microsoft.Security/locations/jitNetworkAccessPolicies/virtualMachines[*].ports[*].allowedSourceAddressPrefix",
"equals": "*"
}
]
}
},
"greater": 0
}
},
"greater": 0
}
]
},
"then": {
"effect": "deny"
}
}
}
Them suggesting this policy implicates to me, that they expect this to work as expected and fix my issue. Unfortunately the policy didn't do anything.
After waiting a long time I received this message from them indicating to me, that it doesn't work properly as expected - they also included a request:
"
Following a discussion with the internal team, it has been confirmed that blocking access when Just-In-Time (JIT) has already been enabled is not feasible. The policy does not recognize the POST request as an actionable item (refer to the details below).
{
"requests": [
{
"content": {
"virtualMachines": [
{
"id": "/subscriptions/703b95e0-2d8d-424d-ae41-0e985775d59d/resourcegroups/test/providers/Microsoft.Compute/virtualMachines/reasreas",
"ports": [
{
"number": 3389,
"duration": "PT3H",
"allowedSourceAddressPrefix": "*"
}
]
}
]
},
"httpMethod": "POST",
"name": "fca74d92-5fff-4147-836e-73610d96f0d3",
"requestHeaderDetails": {
"commandName": "Microsoft_Azure_Compute."
},
"url": "https://management.azure.com/subscriptions/703b95e0-2d8d-424d-ae41-0e985775d59d/resourceGroups/test/providers/Microsoft.Security/locations/eastus/jitNetworkAccessPolicies/default/initiate?api-version=2015-06-01-preview"
}
]
}
The only aspect that can be restricted is the initial enablement of JIT, as per the policy I previously shared.
"
To me it seems like the fact that it doesn't recognize the POST request is either really counterintuitive or the feature is absolutely flawed. Keep in mind that to me, Azure Policy is meant to be able to manage every part of Azure, that's why this behaviour seems really confusing to me.
Work with the support team is rather slow right now, this is why I am taking this to you.
I'd love if someone from the Azure Policy team would get in touch so we can chat about this and find a solution to this. I'm already in talks with the Virtual Machine team seperately.
This is my previous article, similar to this one but updated - read any steps we already took there: https://video2.skills-academy.com/en-us/answers/questions/1666253/azure-policy-vm-jit-do-not-allow-any-as-source
Please be advised of these similar posts where the same problems were encountered:
Here you can see that Azure Policy is listed as a solution even though it doesn't work (anymore?)
No solution was found here, users also observed that the aliases do not work.
To summarize again: I think this feature is bugged or flawed, since multiple users & engineers encounter this feature not working as intended. Especially since it just overwrites NSG policies set with Azure Policy. Please take a look at this.
Best regards,
J
Sign in to answer