Virtualization, Cloud, Infrastructure and all that stuff in-between

My ramblings on the stuff that holds it all together

RBAC required for Granting JIT access to an Azure VM for a standard user

Azure JIT is a great feature for temporary access to the jump boxes I use in my home lab – Bastion is better, but I've not got as far as setting that up because of some constraints on the networks I created.

I like JIT via the Azure portal as it gives you a quick & dirty way to put MFA (as long as your AAD account is MFA-enabled for access to the Azure portal) in front of an RDP request to the jump box – with the rule limited to the requesting source and the firewall rule automatically revoked afterwards by JIT – without having to set up brokers, 2FA sources or more complex security arrangements.

I recently had to share one of these machines with someone else in my AAD org, but despite having the Reader role at the Azure subscription they got an error when invoking the JIT role or requesting access; the alternative is leaving your RDP ports open to the entire Internet. Note that if you're making the JIT connection from a shared network behind a NAT, like a corporate LAN or a university, everyone else behind that NAT will also get RDP access to this server while the rule is open; so you still need good password-level authentication to the jump box.

So, a custom RBAC assignment was required (JIT works OK out of the box for owners/contributors at the subscription level).

This Microsoft GitHub page has a discussion of the roles required (see the last post, where the case is closed), so I had to create the custom role shown below. Note that the Microsoft.Network/*/read permission didn't exist when I tried it, but as my user has Reader at the subscription anyway this wasn't required for me – so your mileage may vary.

Or, if you prefer the JSON:

{
    "properties": {
        "roleName": "VINF_NET-Request-JIT-Access",
        "description": "custom role required for non-global admins to invoke JIT",
        "assignableScopes": [
            "/subscriptions/YOUR_SUBS_ID_HERE"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action",
                    "Microsoft.Security/locations/jitNetworkAccessPolicies/read",
                    "Microsoft.Security/policies/read",
                    "Microsoft.Compute/virtualMachines/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}
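The same role, created and assigned from the Azure CLI rather than the portal, followed by the JIT request itself, as an added example that is not part of the original post. It renders the role definition above in the flat format `az role definition create` accepts, assigns it at subscription scope, and then calls the JIT "initiate" REST endpoint through `az rest`. SUBSCRIPTION_ID, USER_UPN, RESOURCE_GROUP, VM_NAME and SOURCE_IP are placeholders the operator supplies; the `api-version` and request body shape follow the Microsoft.Security JIT REST reference as I recall it and should be checked against current docs before use.

```shell
#!/bin/sh
# Added example (not from the original post): create, assign and use the
# custom JIT-request role with the Azure CLI. Pure helper functions render
# the JSON/URL/body so they can be inspected without an Azure login; the
# az calls only run when the script is invoked with the "apply" argument.
set -eu

ROLE_NAME="VINF_NET-Request-JIT-Access"

# Render the custom role from the post in the flat format that
# "az role definition create --role-definition" accepts. $1 = subscription id.
render_jit_role_json() {
  cat <<EOF
{
  "Name": "${ROLE_NAME}",
  "Description": "custom role required for non-global admins to invoke JIT",
  "Actions": [
    "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action",
    "Microsoft.Security/locations/jitNetworkAccessPolicies/read",
    "Microsoft.Security/policies/read",
    "Microsoft.Compute/virtualMachines/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [ "/subscriptions/$1" ]
}
EOF
}

# Build the JIT initiate URL. $1 subscription, $2 resource group, $3 VM location,
# $4 JIT policy name (the portal creates one called "default").
# api-version is an assumption taken from the REST reference; verify before use.
jit_initiate_url() {
  printf 'https://management.azure.com/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Security/locations/%s/jitNetworkAccessPolicies/%s/initiate?api-version=2020-01-01' \
    "$1" "$2" "$3" "$4"
}

# Build the initiate body: open RDP (3389) to one VM, only from one source address,
# for an ISO 8601 duration. $1 VM resource id, $2 allowed source address, $3 duration.
# Restricting the source to your own public IP is what keeps the NAT caveat above small.
jit_initiate_body() {
  printf '{"virtualMachines":[{"id":"%s","ports":[{"number":3389,"duration":"%s","allowedSourceAddressPrefix":"%s"}]}]}' \
    "$1" "$3" "$2"
}

# --- the parts that talk to Azure (require "az login" as an Owner / User Access Administrator) ---

create_jit_role() {          # $1 subscription id
  tmp=$(mktemp)
  render_jit_role_json "$1" > "$tmp"
  az role definition create --role-definition "@$tmp"
  rm -f "$tmp"
}

assign_jit_role() {          # $1 subscription id, $2 user principal name
  az role assignment create --assignee "$2" --role "$ROLE_NAME" --scope "/subscriptions/$1"
}

request_jit_rdp() {          # $1 subscription id, $2 resource group, $3 VM name, $4 your public IP
  vm_id=$(az vm show -g "$2" -n "$3" --query id -o tsv)
  loc=$(az vm show -g "$2" -n "$3" --query location -o tsv)
  az rest --method post \
    --url "$(jit_initiate_url "$1" "$2" "$loc" default)" \
    --body "$(jit_initiate_body "$vm_id" "$4" PT3H)"
}

if [ "${1:-}" = "apply" ]; then
  : "${SUBSCRIPTION_ID:?}" "${USER_UPN:?}" "${RESOURCE_GROUP:?}" "${VM_NAME:?}" "${SOURCE_IP:?}"
  create_jit_role "$SUBSCRIPTION_ID"
  assign_jit_role "$SUBSCRIPTION_ID" "$USER_UPN"
  # The request step is what the newly assigned user runs (with their own az login).
  request_jit_rdp "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$VM_NAME" "$SOURCE_IP"
fi
```

Run it as `SUBSCRIPTION_ID=... USER_UPN=... RESOURCE_GROUP=... VM_NAME=... SOURCE_IP=... sh jit-role.sh apply`; without the `apply` argument it only defines the helpers. The role definition and assignment are done once by an Owner; the `request_jit_rdp` step is what the standard user then runs under their own login, and the Reader role they already hold supplies the Microsoft.Network read access the post mentions.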


Hope that helps
