Disable auto port blocking of unwanted JIT-Policy


I'm running a VM on Azure with ports open.
I recently noticed that Azure is automatically closing ports that were previously open under "Network". From my research, this seems to be caused by a Just-In-Time policy because the name of the rule is like "MDC JIT Network Access rule for policy 'default' of VM...".

However, when I go to "Connect" I can see that a JIT-policy is configured for that port. When I try to configure this policy, I always end up on a JIT welcome page asking me to try the JIT Features free for 30 days. So the function doesn't seem to be active.

My goal is to remove this Just-In-Time policy so that Azure no longer automatically closes my ports. Can someone explain to me how I can do this exactly?


3 Replies

When a VM is enabled for JIT access, this rule denies virtual network access. If you wish to allow access to your virtual network, add an inbound rule with higher priority to allow VirtualNetwork to VirtualNetwork.


If you want to remove JIT access to your VM, you can do it from:

Microsoft Defender for Cloud -> Workload protection -> Just in time access -> Configured -> (select the VM and remove it from the configuration)


@govindagoud 

Thanks for your reply!
When adding a rule with higher priority, Azure creates or updates a rule to lock the port again after some time.

So I have to remove the JIT access of the VM. When navigating to Microsoft Defender for Cloud, it looks like Microsoft Defender is not even active:


Is there another way to remove the JIT-Access? 

@_fly_robin_fly_ 

You may have some JIT policy that was somehow created even when your subscription doesn't have Defender for Servers enabled.

Try to delete that JIT policy using the API.

Go to the Azure portal API playground by following this link:

https://ms.portal.azure.com/#view/Microsoft_Azure_Resources/ArmPlayground

 

List all the JIT policies under your subscription using the API described here:

https://learn.microsoft.com/en-us/rest/api/defenderforcloud/jit-network-access-policies/list?tabs=HT...

 

Find the JIT policy associated with that VM and delete it

https://learn.microsoft.com/en-us/rest/api/defenderforcloud/jit-network-access-policies/delete?tabs=...
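As an added example (not code from this thread), the two calls the reply above points to, scripted against the ARM REST API with Python's standard library: list the subscription's JIT policies, pick the one whose virtualMachines entry matches the VM, and DELETE it by its id. The bearer token, subscription id and VM resource id are assumed to come from environment variables, and the sample list response is constructed.

```python
"""Delete the JIT network access policy covering a VM, via the ARM REST endpoints linked above.
The policy "id" from the list call already carries resourceGroup/location/name, so it is the DELETE path."""
import json
import os
import urllib.request

ARM = "https://management.azure.com"
API_VERSION = "2020-01-01"  # api-version documented for jitNetworkAccessPolicies
SUB_PREFIX = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers"

# Constructed sample of a list response (not real data) to exercise the matching logic offline.
SAMPLE_LIST_RESPONSE = {"value": [{
    "id": SUB_PREFIX + "/Microsoft.Security/locations/westeurope/jitNetworkAccessPolicies/default",
    "name": "default",
    "properties": {"virtualMachines": [{
        "id": SUB_PREFIX + "/Microsoft.Compute/virtualMachines/vm1",
        "ports": [{"number": 22, "protocol": "*", "allowedSourceAddressPrefix": "*",
                   "maxRequestAccessDuration": "PT3H"}]}]}}]}


def policies_covering_vm(list_response: dict, vm_id: str) -> list:
    """Ids of policies whose virtualMachines contain vm_id (ARM resource ids are case-insensitive)."""
    wanted = vm_id.lower()
    return [p["id"] for p in list_response.get("value", [])
            if any(vm.get("id", "").lower() == wanted
                   for vm in p.get("properties", {}).get("virtualMachines", []))]


def delete_url(policy_id: str) -> str:
    """DELETE URL for a policy id taken from the list response."""
    return f"{ARM}{policy_id}?api-version={API_VERSION}"


def arm_request(method: str, url: str, token: str):
    """One authenticated ARM call; returns (status, decoded JSON body or None)."""
    req = urllib.request.Request(url, method=method, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
        return resp.status, (json.loads(body) if body else None)


if __name__ == "__main__":
    # Assumed environment: ARM_TOKEN (e.g. from `az account get-access-token`), SUB (subscription id),
    # VM_ID (full resource id of the VM whose ports keep getting closed).
    token, sub, vm_id = os.environ["ARM_TOKEN"], os.environ["SUB"], os.environ["VM_ID"]
    list_url = f"{ARM}/subscriptions/{sub}/providers/Microsoft.Security/jitNetworkAccessPolicies?api-version={API_VERSION}"
    _, listing = arm_request("GET", list_url, token)
    for pid in policies_covering_vm(listing, vm_id):
        status, _ = arm_request("DELETE", delete_url(pid), token)
        print(f"DELETE {pid} -> HTTP {status}")  # 200/204 means the policy is gone
```

Once the policy is deleted, the "MDC JIT Network Access rule" entries in the NSG are no longer recreated; re-check the NSG after a while to confirm the ports stay as you configured them.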