Enable JIT VM Access For AD Group

Introduction

While working with Azure VMs, it is recommended to use Just-In-Time (JIT) VM access to reach a VM. Individual users then need permission to request JIT access without being granted the Virtual Machine Contributor role, which would give them far more than they need.

Set up the access required to use a VM through JIT

  • Create an Azure Active Directory (AD) group
  • Add the developer team members to the Azure AD group
  • Create a custom JIT Contributor role using PowerShell
  • Assign the custom JIT Contributor role to the Azure AD group

PowerShell Script

# Requires the Az.Resources module; run Connect-AzAccount first.
# Replace the three placeholder values below with your actual subscription ID,
# resource group name and the object ID of the Azure AD group.
$subscriptionId    = "{subscriptionid}"
$resourceGroupName = "{resourcegroupname}"
$groupObjectId     = "{AD Group Object Id}"
$scope             = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName"

# Start from the built-in Virtual Machine Contributor definition, then strip it
# down to only the actions needed to read the VM and request JIT access.
$role = Get-AzRoleDefinition "Virtual Machine Contributor"
$role.Id = $null                                  # $null so a new definition is created rather than the built-in one modified
$role.Name = "Virtual Machine JIT Request"
$role.Description = "Can request JIT for virtual machines."
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action")  # request JIT access
$role.Actions.Add("Microsoft.Security/locations/jitNetworkAccessPolicies/*/read")           # view JIT policies
$role.Actions.Add("Microsoft.Compute/virtualMachines/read")                                 # see the VM in the portal
$role.Actions.Add("Microsoft.Network/networkInterfaces/*/read")                             # resolve the VM's NIC/IP
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($scope)                # limit where the role can be assigned
New-AzRoleDefinition -Role $role

# Assign the new custom role to the Azure AD group at the resource group scope.
New-AzRoleAssignment -ObjectId $groupObjectId -RoleDefinitionName "Virtual Machine JIT Request" -Scope $scope

Here, replace the subscription ID, resource group name and AD group object ID with the actual values. A JIT policy must already be enabled on the VM (through Microsoft Defender for Cloud) before members of the group can request access with this role.
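The script above covers steps 3 and 4 of the procedure. The following added example (not from the original post) covers steps 1 and 2, creating the Azure AD group and adding the developers, and then verifies the result: the group should hold only the custom JIT role at the resource group scope and not Virtual Machine Contributor, Contributor or Owner, inherited or otherwise. The group name, member UPNs and placeholder IDs are assumptions; it expects the Az.Resources module and an existing Connect-AzAccount session.

```powershell
# Added example, not part of the original post. Assumes Az.Resources and an
# active Connect-AzAccount session. All names and IDs below are placeholders
# or constructed values.
$subscriptionId    = "{subscriptionid}"              # placeholder
$resourceGroupName = "{resourcegroupname}"           # placeholder
$groupName         = "vm-jit-requesters"             # assumed group name
$members           = @("dev1@contoso.example", "dev2@contoso.example")  # constructed UPNs
$jitRoleName       = "Virtual Machine JIT Request"   # name used by the script in the post
$scope             = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName"

# Step 1: create the Azure AD group, or reuse it if it already exists.
$group = Get-AzADGroup -DisplayName $groupName
if (-not $group) {
    $group = New-AzADGroup -DisplayName $groupName -MailNickname $groupName `
        -Description "Developers allowed to request JIT VM access"
}

# Step 2: add team members by UPN, skipping anyone who is already a member
# (Add-AzADGroupMember fails on duplicates, so compare object IDs first).
$memberIds = (Get-AzADGroupMember -GroupObjectId $group.Id).Id
foreach ($upn in $members) {
    $user = Get-AzADUser -UserPrincipalName $upn
    if (-not $user) { Write-Warning "User $upn not found, skipping"; continue }
    if ($memberIds -notcontains $user.Id) {
        Add-AzADGroupMember -TargetGroupObjectId $group.Id -MemberObjectId $user.Id
    }
}

# Step 4 (step 3, creating the custom role, is the script in the post):
# assign the role only if it is not already assigned. Note that a freshly
# created group may take a short while to replicate; if New-AzRoleAssignment
# reports that the principal cannot be found, wait and retry.
$assignment = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $jitRoleName -Scope $scope
if (-not $assignment) {
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $jitRoleName -Scope $scope
}

# Verification: Get-AzRoleAssignment with -Scope also returns assignments
# inherited from the subscription or management group, so this catches a
# group that was accidentally made Contributor higher up the hierarchy.
$broadRoles  = @("Virtual Machine Contributor", "Contributor", "Owner")
$assignments = Get-AzRoleAssignment -ObjectId $group.Id -Scope $scope
$tooBroad    = $assignments | Where-Object { $_.RoleDefinitionName -in $broadRoles }
if ($tooBroad) {
    Write-Warning ("Group {0} holds broader roles than intended: {1}" -f `
        $groupName, (($tooBroad.RoleDefinitionName | Sort-Object -Unique) -join ", "))
} else {
    Write-Output "Group $groupName is limited to '$jitRoleName' at $scope"
}

# Show the effective action list of the custom role so it can be reviewed
# against the four actions the post specifies.
(Get-AzRoleDefinition -Name $jitRoleName).Actions
```

Run the verification part again after any later role changes; because inherited assignments are included, it also flags the common mistake of granting the group Contributor at subscription level, which would silently make the custom role pointless.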

Conclusion

Following the principle of least privilege, we can grant an AD group the ability to request JIT VM access without granting it the Virtual Machine Contributor role.