Configuring Just-in-Time Access to a VM
Start course
1h 26m

This course covers how to implement Azure network security. Through a combination of both theory and practical demonstrations, you will learn how to create and configure a range of Azure services designed to keep your network secure.

This includes topics such as virtual network connectivity, the Azure Front Door Service, NSG configuration, Azure firewall configuration, and application security groups. The course then moves on to the configuration of remote access management via just-in-time access and tools that are used to configure baselines.

We’d love to get your feedback on this course, so please give it a rating when you’re finished. If you have any queries or suggestions, please contact us at

Learning Objectives

  • Understand how to implement Azure network security
  • Learn about the various Azure services and methodologies available to secure your network

Intended Audience

This course is intended for IT professionals who are interested in earning Azure certification and for those who work with Microsoft Azure on a daily basis.


To get the most from this course, you should have at least a basic understanding of Azure network resources such as virtual networks, Azure firewalls, and network security groups.



Hello everyone, and welcome back. Now that we've touched on just-in-time access, let's walk through the process of configuring just-in-time access for a VM. Now, you can do this in one of two ways. You can do this right from the VM's properties blade by going into Settings and then Configuration, or you can do it from Security Center. For this demonstration, I'm going to show you the Security Center option.

To do this from Security Center, we're going to open the Security Center dashboard. Now, from the Security Center dashboard, in the left pane here, what we need to do is click on Just in time VM access. And if we scroll down here, it's under the Advanced Cloud Defense area here.

Now, when this just in time access window opens, if just in time access isn't already enabled, you'll receive an option here to enable it. Now, if it's already enabled, like it is here, you're presented with information on the state of existing virtual machines. A status of Configured indicates a VM that's been configured to support just in time VM access. The data for the last week is shown, and it includes info for the VM.

If we go to Activity Log here, we can see information. This would typically include information on the number of approved requests, last access date and time, and last user. We haven't done anything with this VM, so this activity log is pretty barren.

If we go back and we look at Recommended, the Recommended status for VMs indicates that the VM listed here can support just in time VM access, but that it also hasn't been configured yet. So the VMs listed here are VMs that are recommended for just in time VM access, but I haven't configured them yet.

Now, when a status of No recommendation is shown here, and I got two here that show this, this indicates that the VM listed is not recommended for just in time access.

Now, the reasons for this can vary. Most commonly this is due to a network security group not being in place for the VM because the just in time solution requires a network security group to be in place first.

Now, what I'm going to do here is click the Recommended tab, and under the virtual machines here, I'm going to select this EX1 virtual machine here, and I'm going to enable it.

Now, notice the check mark here. And what I'm going to do is enable just in time. Now, clicking that enable just in time displays the default ports that are recommended by Azure Security Center. Now, however, I could also configure custom ports as well, by clicking the Add button here. But for this demonstration, I'll accept the default ports.

For each port that I want to configure, I can customize quite a few things here. I can customize the protocol type, which is the protocol that's allowed on this port when a request is approved. I can also customize the allowed source IPs, which specifies the ranges that are allowed on this port when that request is approved. And I can also customize the maximum request time. This refers to the maximum time window during which a specific port can be opened.

I'm going to close this here. And then if I click Add here, I could add additional ports that I want to configure for this access. I'll close this out. Now, when I'm happy with my settings, all I do is click Save and this saves my configuration. And with that, we can see that just in time access is configured for my virtual machine.

About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.