Azure virtual machines are associated with a Just-in-Time (JIT) network access policy that opens management ports only for approved, time-bound requests from specified source IPs.
Risk
Without JIT, management ports such as 22 (SSH) and 3389 (RDP) may stay reachable at all times, enabling:
- brute-force and password-spray attempts
- exploitation of remote access flaws or stolen keys

This threatens confidentiality (data exfiltration), integrity (unauthorized changes), and availability (service disruption).
prowler azure --checks vm_jit_access_enabled
Recommendation
Enable JIT network access and apply least privilege and zero trust:
- keep admin ports closed by default
- approve only specific IPs, minimal ports (e.g., 22, 3389), and short windows
- favor private access (VPN, Bastion)
- layer controls (defense in depth) and audit access requests
Remediation
az rest --method PUT --url "https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Security/locations/<LOCATION>/jitNetworkAccessPolicies/default?api-version=2020-01-01" --body '{"kind":"Basic","properties":{"virtualMachines":[{"id":"/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Compute/virtualMachines/<VM_NAME>","ports":[{"number":22,"protocol":"*","allowedSourceAddressPrefix":["<ALLOWED_SOURCE_CIDR>"],"maxRequestAccessDuration":"PT3H"}]}]}}'
- In the Azure portal, go to Microsoft Defender for Cloud
- Select Workload protections > Just-in-time VM access
- Open the Not configured tab, select the VM, and click Enable JIT on VMs
- Keep the default port (22 for Linux or 3389 for Windows) and click Save
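As an added example (not Prowler's own check code), the following evaluates JIT policy JSON of the shape returned by the jitNetworkAccessPolicies API against a list of VM resource IDs: a VM that no policy lists fails, and covered VMs are flagged when a port rule allows any source, any protocol, or a window longer than a chosen maximum. The subscription ID, VM names and policy contents are constructed sample data.

```python
import re

# Constructed sample data shaped like Azure REST responses (fake subscription id).
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
VM_IDS = [f"{RG}/providers/Microsoft.Compute/virtualMachines/{n}"
          for n in ("web01", "db01", "jump01")]
JIT_POLICIES = [{"kind": "Basic", "properties": {"virtualMachines": [
    {"id": VM_IDS[0], "ports": [{"number": 22, "protocol": "TCP",
        "allowedSourceAddressPrefix": ["203.0.113.0/24"],
        "maxRequestAccessDuration": "PT3H"}]},
    {"id": VM_IDS[2].upper(), "ports": [{"number": 3389, "protocol": "*",
        "allowedSourceAddressPrefix": ["*"],
        "maxRequestAccessDuration": "PT24H"}]},
]}}]


def duration_hours(iso: str) -> float:
    """Parse the ISO 8601 durations JIT uses (PT3H, PT1H30M, PT45M) into hours."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", iso)
    if not m or not iso[2:]:
        raise ValueError(f"unsupported duration: {iso}")
    hours, minutes = (int(x) if x else 0 for x in m.groups())
    return hours + minutes / 60


def evaluate_jit(vm_ids, policies, max_hours=3.0):
    """Map VM name -> (status, reasons); FAIL when no policy lists the VM."""
    covered = {}
    for pol in policies:
        for vm in pol["properties"]["virtualMachines"]:
            covered[vm["id"].lower()] = vm["ports"]  # resource IDs are case-insensitive
    results = {}
    for vm_id in vm_ids:
        name = vm_id.rsplit("/", 1)[-1]
        ports = covered.get(vm_id.lower())
        if ports is None:
            results[name] = ("FAIL", ["no JIT policy covers this VM"])
            continue
        reasons = []  # PASS, but note rules wider than least privilege
        for p in ports:
            src = p.get("allowedSourceAddressPrefix", "*")
            src = src if isinstance(src, list) else [src]
            if "*" in src:
                reasons.append(f"port {p['number']}: any source address allowed")
            if p.get("protocol") == "*":
                reasons.append(f"port {p['number']}: any protocol allowed")
            if duration_hours(p["maxRequestAccessDuration"]) > max_hours:
                reasons.append(f"port {p['number']}: window exceeds {max_hours:g}h")
        results[name] = ("PASS", reasons)
    return results
```

Feed it the output of `az rest --method GET` on the same jitNetworkAccessPolicies URL (one policy object per location) together with the VM IDs from `az vm list`.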
Resource Type
microsoft.compute/virtualmachines