Just In Time access vs Azure Policy


I have set up an Azure Policy that blocks the creation of an NSG rule with 3389 from an Any source. This works as expected when I try to create NSG rules manually. However, with JIT from the Security Center it will still allow the creation of NSG rules from an Any source.

Is there any way to prevent this action, or to change the default option from the VM blade to be My IP rather than any IP?


Nathan
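For reference, below is an Azure Policy definition of the kind the question describes: it denies any inbound Allow rule on port 3389 whose source is the wildcard or the Internet service tag. This is an added illustration written for this thread, not the poster's actual policy; the aliases are the documented `Microsoft.Network/networkSecurityGroups/securityRules/...` aliases, and the "mode" and effect are assumptions chosen for a deny policy.

```json
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "type", "equals": "Microsoft.Network/networkSecurityGroups/securityRules" },
        { "field": "Microsoft.Network/networkSecurityGroups/securityRules/access", "equals": "Allow" },
        { "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction", "equals": "Inbound" },
        {
          "anyOf": [
            { "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", "in": [ "*", "3389" ] },
            {
              "count": {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                "where": {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
                  "in": [ "*", "3389" ]
                }
              },
              "greater": 0
            }
          ]
        },
        {
          "anyOf": [
            { "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", "in": [ "*", "Internet" ] },
            {
              "count": {
                "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
                "where": {
                  "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
                  "in": [ "*", "Internet" ]
                }
              },
              "greater": 0
            }
          ]
        }
      ]
    },
    "then": { "effect": "deny" }
  }
}
```

Two things worth checking when a rule slips past a policy like this: the definition above only targets the `securityRules` child resource, so a rule written inline as part of a PUT of the whole NSG is evaluated under the `Microsoft.Network/networkSecurityGroups/securityRules[*]...` aliases instead and needs a matching clause; and the literal `"3389"` check does not catch a range such as `3000-4000` that includes the port. Viewing the denied or allowed request in the Activity Log for the NSG shows which resource type and which caller (for example the JIT service) actually wrote the rule.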


Hi @nathanmitten, I don't think this is something you need to work out on your system - it seems like something that shouldn't be happening on anyone's environment. We suggest you contact support, and they'll help you find a solution (or escalate it if this needs to be fixed).