Managing VM Access
Start course
1h 11m

As companies race toward the cloud, it’s imperative that IT professionals keep up with the times. Keeping up with the times means maintaining the ability to deploy and maintain cloud-based solutions – particularly those offered through Microsoft Azure.

In this course, you will learn how to create and manage encryption keys in Azure, prevent and respond to security threats to Azure resources, configure access to Azure applications via single sign-on, manage access to Azure applications, and configure federation with public consumer identity providers like Facebook and Google. 

Learning Objectives

  • Create and import keys in the Azure Key Vault
  • Define, configure, and assess security policies
  • Harden Azure resources against threats
  • Configure single sign-on for SaaS applications
  • Configure federation with public consumer identity providers like Facebook and Google

 Intended Audience

  • People interested in becoming Azure security engineers 


  • General knowledge of IT infrastructure
  • General knowledge of the Azure environment






Just in time VM access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to the VMs when needed. Management ports for a virtual machine don't need to be open all the time. They only need to be open while you are connected to the VM and performing management tasks. When just in time is enabled, security center uses network security group rules to lock down access to the management ports. This greatly reduces the attack surface of the virtual machines. To manage access to your virtual machines using just in time, browse to the security center main menu which is what you see here on the screen. From here you'll want to select just in time VM access under the advanced cloud defense section. 

So let's scroll down here to advanced cloud defense and here we'll see just in time VM access. From this pane just in time VM access provides information on the state of your virtual machines. VMs that have been configured to support just in time VM access are listed under the configured heading. As you can see here I don't have anything configured for just in time in my lab environment quite yet. VMs that support just in time VM access, but have yet to be configured are listed under recommended. As you can see here I have server 01 listed as a recommended virtual machine because I don't have it protected with just in time VM access yet. Now VMs that are missing a network security group or that have had just in time specifically turned off are shown under no recommendation. Now one thing to note here is classic VMs are not supported by just in time so they too will be shown under no recommendation. 

To enable just in time for a particular VM, select a VM from the recommended list and click enable just in time on one VM to configure a just in time policy for that particular VM. So as you can see here we have one server listed under the recommended tab so we'll select server one and enable just in time. Now when just in time is enabled, you're presented with the default port setting that security center recommends. You can either accept these defaults or you can add and configure a new port on which you want to enable the just in time solution. 

In this demo we're going to add a port by selecting the add option from the just in time VM access configuration pane here. After clicking add, we need to specify a port number we wish to configure access for. And we also need to configure the protocol type and the allowed source IP ranges. In addition a maximum request time that the specific port can be opened for is also necessary. So for this demonstration we'll allow port 80 through our just in time. So we select port 80, we'll do any protocol here and in this little section here for allowed source IPs there's two options here, per request or site or block. 

When you select per request here, what this means is the request for just in time access is made from the IP that the client is currently at. So for example if Joe in my office needs port 80 access to this machine, when he goes ahead and requests that just in time access, it's gonna look at his specific IP and use that in the request. However if I wanted to allow access through this configuration to a specific range or a specific subnet or even specific IPs, I would select site or block here. What we're going to do here is we're going to allow the source IPs per request. And then the max request time here is three hours. 

We can change this to one or five or 15 or whatever we wanna set it to. And this max request time essentially is how long is that access opened for that request. We'll go ahead and click okay here and then once we're done with that we'll click save.

About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.