Blog Post

Azure Architecture Blog
1 MIN READ

Azure Policy- Prevent The Use Of Wildcard For Source In Azure Just In Time

bonJoeV's avatar
bonJoeV
Icon for Microsoft rankMicrosoft
Oct 15, 2020
You want to use Just In Time access for Azure VMs, but do not want the users to select all available IPs when requesting the access. Try this policy out to prevent this from happening:       ...
Updated Oct 15, 2020
Version 1.0
apps & devops
infrastructure
aniket93's avatar
aniket93
Copper Contributor
Jun 19, 2023

Updated Policy Definition

 

{
    "mode": "All",
    "policyRule": {
        "if": {
            "allOf": [{
                "field": "type",
                "equals": "Microsoft.Network/networkSecurityGroups"
            }, {
                "count": {
                    "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
                    "where": {
                        "allOf": [{
                            "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix",
                            "equals": "*"
                        }, {
                            "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access",
                            "equals": "Allow"
                        }, {
                            "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction",
                            "equals": "Inbound"
                        }, {
                            "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].name",
                            "contains": "MicrosoftDefenderForCloud-JITRule"
                        }, {
                            "anyOf": [{
                                "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange",
                                "equals": "22"
                            }, {
                                "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange",
                                "equals": "3389"
                            }, {
                                "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges",
                                "equals": "22"
                            }, {
                                "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges",
                                "equals": "3389"
                            }]
                        }]
                    }
                },
                "greater": 0
            }]
        },
        "then": {
            "effect": "deny"
        }
    },
    "parameters": {}
}