
AZ-500: How Does JIT VM Access Let Users Specify Access Duration Up to Maximum Limit?

Can Requesters Choose Their Own Access Time with Just-in-Time VM Access?

Master Just-in-Time (JIT) VM access for your AZ-500 exam. Learn how JIT allows users to request access for a specific duration up to a configured maximum, enhancing security by locking down management ports like RDP and SSH until access is approved.

Question

Just-in-Time VM access allows the requester to specify the duration of access, up to the configured maximum.

A. TRUE
B. FALSE

Answer

A. TRUE

Explanation

The correct answer is A. TRUE. The Just-in-Time (JIT) VM access feature in Microsoft Defender for Cloud is designed to provide users with temporary access, and the requester can specify a duration for their session, which cannot exceed a maximum time limit configured by an administrator.

The requester is able to specify how much time is needed, up to the maximum the service has been configured to allow for the specific VM.

JIT VM Access Workflow

Just-in-Time (JIT) VM access is a security control that locks down inbound traffic to Azure Virtual Machines by default, reducing the attack surface. When a user needs to connect to a VM (for example, via RDP or SSH), they must request access. This process works as follows:

  • Configuration: An administrator enables and configures the JIT policy for specific VMs. In this policy, they define which ports will be managed (e.g., TCP 3389 for RDP, TCP 22 for SSH) and, crucially, set the maximum access request time. This value is the upper bound for every access request on that port; for instance, a maximum of 3 hours.
  • Request: A user with sufficient Azure RBAC permissions (such as the Virtual Machine User Login role) goes to the VM’s blade in the Azure Portal or uses PowerShell/API to request access. During the request process, the user is presented with an option to specify the duration they require for access.
  • Validation: The user can enter any duration up to the maximum configured by the administrator. If the admin set a 3-hour maximum, the user could request 30 minutes, 1 hour, or the full 3 hours. However, they cannot request a duration longer than the pre-configured maximum.
  • Approval and Implementation: Upon successful request, Microsoft Defender for Cloud dynamically modifies the associated Network Security Group (NSG) or Azure Firewall. It adds a temporary “allow” rule with a high priority that permits traffic from the user’s source IP address to the requested port for the specified duration.
  • Expiration: Once the requested time expires, the “allow” rule is automatically removed, and the port is once again blocked, returning the VM to its secure, locked-down state.
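As an added example (not code from the page or from Microsoft's tooling), the following Python models the Validation step above: a policy in the shape of the Azure JIT network access policy resource, with a per-port maxRequestAccessDuration, a requested duration checked against it, and the endTimeUtc that the resulting request body carries. The field names follow the JIT policy resource; the VM id, port settings, source IP and timestamps are constructed sample values.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample policy in the shape of the Microsoft.Security
# jitNetworkAccessPolicies resource: each managed port carries an ISO 8601
# maxRequestAccessDuration (3 hours here, matching the explanation above).
JIT_POLICY = {
    "id": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG>/providers/Microsoft.Compute/virtualMachines/<VM>",
    "ports": [
        {"number": 3389, "protocol": "TCP", "allowedSourceAddressPrefix": "*", "maxRequestAccessDuration": "PT3H"},
        {"number": 22, "protocol": "TCP", "allowedSourceAddressPrefix": "*", "maxRequestAccessDuration": "PT3H"},
    ],
}

_ISO_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_iso_duration(text):
    """Parse the day/time subset of ISO 8601 durations JIT uses (PT3H, PT30M, PT1H30M)."""
    m = _ISO_DURATION.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported ISO 8601 duration: {text!r}")
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)

def check_request(policy, port, requested_iso):
    """Validation step: any positive duration up to the port's maximum is allowed. Returns (allowed, reason)."""
    rule = next((p for p in policy["ports"] if p["number"] == port), None)
    if rule is None:
        return False, f"port {port} is not managed by the JIT policy"
    requested = parse_iso_duration(requested_iso)
    maximum = parse_iso_duration(rule["maxRequestAccessDuration"])
    if requested <= timedelta(0):
        return False, "requested duration must be positive"
    if requested > maximum:
        return False, f"requested {requested_iso} exceeds configured maximum {rule['maxRequestAccessDuration']}"
    return True, ""

def build_jit_request(policy, port, requested_iso, source_ip, now_iso=None):
    """Build the per-VM request body (ports[].endTimeUtc) a requester would submit, or raise if rejected."""
    allowed, reason = check_request(policy, port, requested_iso)
    if not allowed:
        raise ValueError(reason)
    now = (datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
           if now_iso else datetime.now(timezone.utc))
    end = now + parse_iso_duration(requested_iso)   # the temporary allow rule is removed at this time
    return {"id": policy["id"],
            "ports": [{"number": port, "allowedSourceAddressPrefix": source_ip,
                       "endTimeUtc": end.strftime("%Y-%m-%dT%H:%M:%SZ")}]}
```

With the 3-hour maximum, requests for 30 minutes, 1 hour or the full 3 hours pass, while 4 hours, a zero duration, or an unmanaged port are rejected before any request body is built.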

This dual-control mechanism provides both operational flexibility for the user, who can request only the time they need, and strict governance for the security administrator, who ensures that ports are never left open for an excessive period.
