RBAC settings required to allow a non-administrator to request or initiate a JIT session

Today, I faced the challenge of granting a remote consultant temporary access to a VM in Azure.

Although Bastion may be a cleaner way to access the service, we decided to try JIT via the Azure portal, as it gives you quick and easy access protected with MFA. I decided to use Azure AD federation, granted access to his account on his own domain, and requested MFA (External Access).

After giving the account permission to log in to the VM, the user got an error when invoking JIT: the permission did not allow the user to request JIT. When the user clicked the Connect option in the Azure portal VM UI, it showed that JIT was not enabled on this particular VM, so the connection failed. But JIT was enabled on the VM, and a subscription owner or contributor was able to see “Request Access” when clicking Connect.

I learned that one option would be to use the Reader role. But that would have given extra visibility into the VM that I was not interested in exposing.

The solution was to create a custom role at the VM level and assign the external user to the role.

The permissions needed are as follows:

If you prefer to use the JSON, you may use the following:

{
    "properties": {
        "roleName": "Just In Time (JIT) Request",
        "description": "Created by Clopez. Allow non-administrator to request JIT",
        "assignableScopes": [
            "/subscriptions/bdd4aef1-176f-46b9-b150-40930ced4f32/resourceGroups/Falcon1"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action",
                    "Microsoft.Security/locations/jitNetworkAccessPolicies/read",
                    "Microsoft.Security/policies/read",
                    "Microsoft.Compute/virtualMachines/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

The result was positive, and now the user has the option to request JIT.
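The JSON above is in the portal's layout, with everything wrapped in "properties". As an added example (not part of the original post), the Python below flattens that layout into the one documented for `az role definition create` and checks that the role stays limited to read actions plus the JIT initiate action. The function names `to_cli_format` and `lint` are hypothetical, and the subscription ID in the sample is a placeholder.

```python
import json

# Constructed sample in the portal's JSON layout; the subscription ID is a placeholder.
PORTAL_ROLE = json.loads("""
{"properties": {
  "roleName": "Just In Time (JIT) Request",
  "description": "Allow non-administrator to request JIT",
  "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Falcon1"],
  "permissions": [{
    "actions": [
      "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action",
      "Microsoft.Security/locations/jitNetworkAccessPolicies/read",
      "Microsoft.Security/policies/read",
      "Microsoft.Compute/virtualMachines/read"],
    "notActions": [], "dataActions": [], "notDataActions": []}]}}
""")

def to_cli_format(portal):
    """Flatten the portal layout into the layout `az role definition create` documents."""
    p = portal["properties"]
    merged = {k: [] for k in ("actions", "notActions", "dataActions", "notDataActions")}
    for block in p["permissions"]:
        for k in merged:
            merged[k].extend(block.get(k, []))
    return {"Name": p["roleName"], "Description": p.get("description", ""),
            "Actions": merged["actions"], "NotActions": merged["notActions"],
            "DataActions": merged["dataActions"], "NotDataActions": merged["notDataActions"],
            "AssignableScopes": p["assignableScopes"]}

def lint(role):
    """Return findings that would widen the role beyond requesting JIT."""
    findings = []
    for a in role["Actions"] + role["DataActions"]:
        low = a.lower()
        if "*" in a:
            findings.append(f"wildcard action: {a}")
        elif not low.endswith("/read") and "jitnetworkaccesspolicies/initiate/action" not in low:
            findings.append(f"non-read action: {a}")
    for s in role["AssignableScopes"]:
        # Flags "/" and "/subscriptions/<id>"; resource group or narrower passes.
        if len([x for x in s.split("/") if x]) <= 2:
            findings.append(f"scope is a whole subscription or broader: {s}")
    return findings

if __name__ == "__main__":
    role = to_cli_format(PORTAL_ROLE)
    print(json.dumps(role, indent=2))
    print("findings:", lint(role) or "none")
```

The printed JSON can be saved to a file and passed to `az role definition create --role-definition @file.json`.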
