MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Documentation on how to enable VM JIT and work with JIT programmatically is missing #122814

Open jikuja opened 1 month ago

jikuja commented 1 month ago

Current JIT workflows are incompatible with IaC workflows.

Enablement of JIT creates a new, undocumented default-deny NSG rule that conflicts with the IaC-created rules.

Re-deployment of IaC will then revert the JIT changes.

It should be documented how JIT and IaC should work together and how to onboard machines programmatically without breaking existing IaC templating.


I now have JIT's default deny rule on priority 1000 on one subscription and on 4096 on another subscription. It is really hard to write a template that works with undocumented internal processes (= Windows Azure Security Resource Provider/8edd93e1-2103-40b4-bd70-6e34e586362d).



PesalaPavan commented 1 month ago

@jikuja Thanks for your feedback! We will investigate and update as appropriate.

ElazarK commented 1 month ago

reassign:dcurwin

dcurwin commented 1 month ago

label:"backlog-item-created"