In many customers' Azure environments you might find virtual machines that act as RDP jump hosts for external access to Azure VNets, whether for contractor support access or simply out of inexperience. Whatever the reason, it is insecure in many ways.
Just-in-Time (JIT) VM access lets customers lock down their Azure VMs in order to reduce attack surface and exposure while keeping the ability to access the VMs remotely when needed. JIT is available in the Standard tier of Azure Security Center and only supports VMs that have been deployed through Azure Resource Manager. Technically, JIT adds inbound deny rules to the VM's NSG so that access to the configured ports is blocked. When access is requested, a new allow rule with a lower priority number (which the NSG evaluates first) is added, so access is granted for a given time and for a given source IP (or a pre-defined IP range).
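The following is an added illustrative model of that NSG mechanics, not Azure's SDK or the Security Center's own implementation: rule names, priorities, IP ranges and timestamps are constructed, and matching is simplified to destination port, source prefix and expiry (real NSG rules also match protocol, direction and destination prefix). It shows why the JIT allow rule must carry a lower priority number than the deny rule, and that the grant is scoped to both a source range and a time window.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Rule:
    name: str
    priority: int            # Azure NSGs evaluate lower numbers first
    access: str              # "Allow" or "Deny"
    dest_port: int
    source: str = "*"        # "*" (any source) or a CIDR prefix
    expires: Optional[datetime] = None  # JIT allow rules are time-bound

    def matches(self, src_ip: str, port: int, now: datetime) -> bool:
        active = self.expires is None or now < self.expires   # expired JIT grant no longer applies
        in_source = self.source == "*" or ip_address(src_ip) in ip_network(self.source)
        return active and port == self.dest_port and in_source

@dataclass
class NSG:
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, src_ip: str, port: int, now: datetime) -> str:
        # First matching rule in priority order wins; Azure's default rule is DenyAllInBound
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if rule.matches(src_ip, port, now):
                return rule.access
        return "Deny"

def enable_jit(nsg: NSG, ports: List[int], deny_priority: int = 4000) -> None:
    # Enabling JIT: block every protected port from any source (constructed names/priorities)
    for p in ports:
        nsg.rules.append(Rule(f"JIT-Deny-{p}", deny_priority, "Deny", p))

def request_access(nsg: NSG, port: int, source_prefix: str, hours: int, now: datetime) -> None:
    # Approved request: allow rule with a lower (stronger) priority number, bound to IP range and time
    nsg.rules.append(Rule(f"JIT-Allow-{port}", 1000, "Allow", port, source_prefix,
                          expires=now + timedelta(hours=hours)))

def demo():
    t0 = datetime(2020, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed timestamp
    nsg = NSG()
    enable_jit(nsg, [3389, 22])
    before = nsg.evaluate("203.0.113.10", 3389, t0)                        # locked: "Deny"
    request_access(nsg, 3389, "203.0.113.0/24", 3, t0)
    t1, t2 = t0 + timedelta(hours=1), t0 + timedelta(hours=4)
    return (before, nsg.evaluate("203.0.113.10", 3389, t1),                # in window: "Allow"
            nsg.evaluate("198.51.100.5", 3389, t1),                        # other IP: "Deny"
            nsg.evaluate("203.0.113.10", 22, t1),                          # other port: "Deny"
            nsg.evaluate("203.0.113.10", 3389, t2))                        # expired: "Deny"
```

Running `demo()` walks one requester through the lifecycle: denied before the request, allowed only from the approved range and only on the requested port, and denied again once the grant expires.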