Introduction
When working with Azure VMs, it is recommended to use Just-In-Time (JIT) access so that management ports are opened only when needed. For this to work, individual users need enough permission to request JIT access without being granted the Virtual Machine Contributor role.
Set up the access required to use a VM via JIT
- Create an Azure Active Directory (Azure AD) group
- Add the developer team members to the Azure AD group
- Create a custom JIT contributor role using PowerShell
- Assign the custom JIT contributor role to the Azure AD group
PowerShell Script
# Start from the built-in Virtual Machine Contributor definition and turn it into a new custom role
$role = Get-AzRoleDefinition "Virtual Machine Contributor"
$role.Id = $null
$role.Name = "Virtual Machine JIT Request"
$role.Description = "Can request JIT for virtual machines."
# Drop the inherited permissions and keep only what is needed to request JIT access
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action")
$role.Actions.Add("Microsoft.Security/locations/jitNetworkAccessPolicies/*/read")
$role.Actions.Add("Microsoft.Compute/virtualMachines/read")
$role.Actions.Add("Microsoft.Network/networkInterfaces/*/read")
# Limit where the role can be assigned (replace the placeholders with real values)
$scope = "/subscriptions/{subscriptionid}/resourceGroups/{resourcegroupname}"
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($scope)
New-AzRoleDefinition -Role $role
# Assign the new role to the Azure AD group at the same scope
$groupObjectId = "{AD Group Object Id}"
New-AzRoleAssignment -ObjectId $groupObjectId -RoleDefinitionName "Virtual Machine JIT Request" -Scope $scope
Here, replace the subscription ID, resource group name and AD group object ID placeholders with the actual values.
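The first two setup steps (create the group and add the developers), followed by a check that the group ended up with only the custom JIT role at the scope, as an added PowerShell example that is not part of the original post; the group name, member UPNs and the scope placeholders are assumptions, and the role name is the one created by the script above:

```powershell
# Added example (not from the original post): create the Azure AD group, add the
# developers, and verify the group holds only the custom JIT role at the scope.
# Assumed values: scope placeholders, group name and member UPNs.
$scope       = "/subscriptions/{subscriptionid}/resourceGroups/{resourcegroupname}"
$groupName   = "vm-jit-requesters"                       # assumed group name
$members     = @("dev1@contoso.com", "dev2@contoso.com") # assumed developer UPNs
$jitRoleName = "Virtual Machine JIT Request"             # custom role from the script above

# Step 1: create the group, or reuse it if it already exists
$group = Get-AzADGroup -DisplayName $groupName
if (-not $group) {
    $group = New-AzADGroup -DisplayName $groupName -MailNickname $groupName
}

# Step 2: add the developers to the group
foreach ($upn in $members) {
    Add-AzADGroupMember -TargetGroupObjectId $group.Id -MemberUserPrincipalName $upn
}

# Check: the group should hold the custom JIT role and nothing broader at this scope.
# Get-AzRoleAssignment also returns assignments inherited from the subscription,
# so a Virtual Machine Contributor assignment granted higher up is flagged as well.
$assignments = Get-AzRoleAssignment -ObjectId $group.Id -Scope $scope
$tooBroad = $assignments | Where-Object {
    $_.RoleDefinitionName -in @("Owner", "Contributor", "Virtual Machine Contributor")
}
$hasJit = $assignments.RoleDefinitionName -contains $jitRoleName

if ($tooBroad) {
    Write-Warning "Group '$groupName' has broader rights than JIT requests need:"
    $tooBroad | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize
}
if (-not $hasJit) {
    Write-Warning "Custom role '$jitRoleName' is not assigned to '$groupName' at $scope"
}
if ($hasJit -and -not $tooBroad) {
    Write-Output "Group '$groupName' holds only the JIT request role at $scope"
}
```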
Conclusion
Using the principle of least privilege, we can grant an Azure AD group the ability to request JIT access without granting it the Virtual Machine Contributor role.