Introduction

Azure Just-In-Time (JIT) VM Access temporarily opens management ports (RDP, SSH) on VMs for authorized requests, reducing attack surface. When JIT doesn't work, users can't access VMs, or ports remain closed despite approved requests.

Symptoms

JIT request fails:

```bash
$ az security jit-policy list --resource-group my-rg

# Empty or missing JIT policies
```

Port not opening:

```bash
# After JIT request approval:
$ ssh user@vm-ip
ssh: connect to host vm-ip port 22: Connection refused
# Port still blocked
```

Defender for Cloud not enabled:

```bash
$ az security pricing show --name VirtualMachines

"PricingTier": "Free"   # Must be Standard for JIT
```

Common Causes

  1. Defender for Cloud not enabled - JIT requires Standard tier
  2. JIT policy not configured - No JIT policy for VM
  3. NSG rules conflict - Existing rules block JIT changes
  4. Request timeout expired - Approved time window passed
  5. VM not supported - Classic VMs or certain configurations
  6. Permission issues - User lacks JIT request permissions
  7. Network configuration - VNet or subnet blocking access

Step-by-Step Fix

  1. Check logs for specific error messages
  2. Verify configuration settings
  3. Test network connectivity
  4. Review recent changes
  5. Apply corrective action
  6. Verify the fix

Step 1: Enable Microsoft Defender for Cloud

```bash
# Check current pricing tier
az security pricing show --name VirtualMachines --query 'pricingTier'

# Enable Standard tier (Defender for Servers) for JIT support
az security pricing create --name VirtualMachines --tier Standard

# Enable the App Service plan as well
az security pricing create --name AppServices --tier Standard
```

Step 2: Check JIT Policy Status

```bash
# List all JIT policies
az security jit-policy list --query '[].{Name:name,VM:virtualMachines[0].id}'

# Get specific JIT policy
az security jit-policy show \
  --resource-group my-rg \
  --name my-jit-policy \
  --query '{Kind:kind,VMs:virtualMachines}'
```

Step 3: Configure JIT Policy for VM

```bash
# Create JIT policy for VM
az security jit-policy create \
  --resource-group my-rg \
  --name my-jit-policy \
  --location eastus \
  --vm /subscriptions/SUB/resourceGroups/my-rg/providers/Microsoft.Compute/virtualMachines/my-vm \
  --port 22 \
  --protocol Tcp \
  --allowed-source-addresses "*" \
  --max-request-duration 3

# Add multiple ports
az security jit-policy create \
  --resource-group my-rg \
  --name my-jit-policy \
  --location eastus \
  --vm /subscriptions/SUB/resourceGroups/my-rg/providers/Microsoft.Compute/virtualMachines/my-vm \
  --ports '[{"number":22,"protocol":"Tcp","allowedSourceAddresses":["*"],"maxRequestDuration":"PT3H"},{"number":3389,"protocol":"Tcp","allowedSourceAddresses":["*"],"maxRequestDuration":"PT3H"}]'
```

Step 4: Request JIT Access

```bash
# Request JIT access via Azure Portal:
# Microsoft Defender for Cloud > Just-in-time VM access > My VM > Request access

# Or via CLI:
az security jit-policy request \
  --resource-group my-rg \
  --name my-jit-policy \
  --vm my-vm \
  --port 22 \
  --duration 3

# Check request status
az security jit-policy list --query '[].virtualMachines[0].ports[0].status'
```
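Checking the request status by hand is error-prone when several requests overlap, because a request can look "approved" yet still not let you in: the time window may have passed (cause 4 in the list above), the request may have been revoked, or the connection may be coming from an IP outside the prefix the request was approved for. The following added example (not code from the article or from Azure) classifies a client's access state from a JIT policy document. The JSON shape follows the `requests` array of a jitNetworkAccessPolicies resource as returned by `az security jit-policy show` (port entries carrying `status`, `endTimeUtc` and `allowedSourceAddressPrefix`); the policy document, VM id, IP addresses and timestamps are constructed for the example.

```python
"""Classify why a client can or cannot reach a JIT-managed port right now.

Added example; the policy document below is constructed and only mirrors the
shape of the `requests` array in a jitNetworkAccessPolicies resource.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed JIT policy document (shape assumed, values invented).
SAMPLE_POLICY = {
    "name": "my-jit-policy",
    "requests": [
        {
            "requestor": "alice@example.com",
            "startTimeUtc": "2026-04-03T08:00:00Z",
            "virtualMachines": [{
                "id": "/subscriptions/SUB/resourceGroups/my-rg/providers/"
                      "Microsoft.Compute/virtualMachines/my-vm",
                "ports": [
                    # Live SSH request, approved for a /24 source prefix
                    {"number": 22, "status": "Initiated", "statusReason": "UserRequested",
                     "allowedSourceAddressPrefix": "203.0.113.0/24",
                     "endTimeUtc": "2026-04-03T11:00:00Z"},
                    # Earlier RDP request that has already been revoked
                    {"number": 3389, "status": "Revoked", "statusReason": "Expired",
                     "allowedSourceAddressPrefix": "203.0.113.10",
                     "endTimeUtc": "2026-04-03T09:00:00Z"},
                ],
            }],
        }
    ],
}


def _parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _source_allowed(prefix: str, client_ip: str) -> bool:
    """True if the approved source prefix ('*', a host IP or a CIDR) covers client_ip."""
    if prefix == "*":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(prefix, strict=False)


def jit_access_state(policy: dict, vm_name: str, port: int, client_ip: str,
                     now: datetime) -> str:
    """Return 'open', 'expired', 'revoked', 'source-mismatch' or 'no-request'
    for the given VM/port/client at time `now`.
    """
    verdicts = []
    for req in policy.get("requests", []):
        for vm in req.get("virtualMachines", []):
            if not vm["id"].endswith("/virtualMachines/" + vm_name):
                continue
            for p in vm.get("ports", []):
                if p["number"] != port:
                    continue
                if p["status"] != "Initiated":
                    verdicts.append("revoked")
                elif now >= _parse_utc(p["endTimeUtc"]):
                    verdicts.append("expired")
                elif not _source_allowed(p["allowedSourceAddressPrefix"], client_ip):
                    verdicts.append("source-mismatch")
                else:
                    return "open"  # a live, matching request wins immediately
    if not verdicts:
        return "no-request"
    # Report the most actionable reason: a live request from the wrong IP
    # matters more than a stale one that has simply expired.
    for reason in ("source-mismatch", "expired", "revoked"):
        if reason in verdicts:
            return reason
    return verdicts[0]


if __name__ == "__main__":
    now = datetime(2026, 4, 3, 10, 0, tzinfo=timezone.utc)  # constructed "current" time
    for ip in ("203.0.113.77", "198.51.100.5"):
        print(f"ssh from {ip}: {jit_access_state(SAMPLE_POLICY, 'my-vm', 22, ip, now)}")
    print("rdp:", jit_access_state(SAMPLE_POLICY, "my-vm", 3389, "203.0.113.10", now))
```

In practice you would feed it the output of `az security jit-policy show ... -o json` and your own public IP; a verdict of `source-mismatch` is the one people most often misread as "JIT is broken" when they requested access from the office and are now connecting over a VPN or mobile network.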

Step 5: Verify NSG Rules Created

```bash
# After JIT approval, check NSG
az network nsg show \
  --name my-nsg \
  --resource-group my-rg \
  --query "securityRules[?contains(name, 'JIT')]"

# JIT creates temporary rules:
# - Source: Your IP address
# - Destination: VM
# - Port: Requested port
# - Expires after duration
```

Step 6: Check Existing NSG Rules

```bash
# Conflicting rules can prevent JIT
az network nsg show \
  --name my-nsg \
  --resource-group my-rg \
  --query "securityRules[?direction=='Inbound' && access=='Deny']"

# Remove deny rules that conflict with JIT ports
az network nsg rule delete \
  --nsg-name my-nsg \
  --resource-group my-rg \
  --name DenyRDP
```
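Not every Deny rule listed by the query above actually conflicts with JIT. Azure evaluates NSG rules in ascending priority order (100 is the highest precedence, 4096 the lowest) and the first match wins, so only a Deny rule that sits at a lower priority number than the JIT Allow rule and covers the same port can shadow it. Deleting Deny rules indiscriminately widens your exposure for no gain. The following added example (not code from the article or from Azure) evaluates that precedence logic over an NSG document; the rule shape mirrors the `securityRules` array of `az network nsg show` output, while the sample NSG and the JIT rule priority are constructed for the example.

```python
"""Find Deny rules that would shadow the temporary Allow rule JIT creates.

Added example; SAMPLE_NSG is constructed and only mirrors the shape of the
`securityRules` array returned by `az network nsg show`. The priority that
JIT assigns to its rule is passed in as a parameter rather than assumed.
"""

# Constructed NSG document (shape assumed, values invented).
SAMPLE_NSG = {
    "name": "my-nsg",
    "securityRules": [
        {"name": "DenySSHFromInternet", "priority": 100, "direction": "Inbound",
         "access": "Deny", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
         "destinationPortRange": "22", "destinationPortRanges": []},
        {"name": "AllowWeb", "priority": 200, "direction": "Inbound",
         "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
         "destinationPortRange": None, "destinationPortRanges": ["80", "443"]},
        {"name": "DenyMgmtRange", "priority": 4000, "direction": "Inbound",
         "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
         "destinationPortRange": "3000-4000", "destinationPortRanges": []},
    ],
}


def port_ranges(rule: dict) -> list:
    """All destination port specs of a rule: '*', '22', '20-25', ... ."""
    ranges = list(rule.get("destinationPortRanges") or [])
    single = rule.get("destinationPortRange")
    if single:
        ranges.append(single)
    return ranges


def port_matches(spec: str, port: int) -> bool:
    """True if a port spec ('*', '22' or '20-25') covers the given port."""
    spec = spec.strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def protocol_matches(spec: str, protocol: str) -> bool:
    """NSG protocol field is '*', 'Tcp', 'Udp', ... (case-insensitive)."""
    return spec == "*" or spec.lower() == protocol.lower()


def shadowing_deny_rules(nsg: dict, port: int, protocol: str = "Tcp",
                         jit_priority: int = 1000) -> list:
    """Names of inbound Deny rules evaluated before the JIT Allow rule (lower
    priority number) that cover the requested port and protocol.

    Source prefixes are deliberately not evaluated: any Deny that covers the
    port is reported, which is the conservative choice when troubleshooting.
    """
    hits = []
    for rule in nsg.get("securityRules", []):
        if rule.get("direction") != "Inbound" or rule.get("access") != "Deny":
            continue
        if rule["priority"] >= jit_priority:
            continue  # evaluated after the JIT Allow rule, so it cannot shadow it
        if not protocol_matches(rule.get("protocol", "*"), protocol):
            continue
        if any(port_matches(spec, port) for spec in port_ranges(rule)):
            hits.append(rule["name"])
    return hits


if __name__ == "__main__":
    for port in (22, 3389):
        blockers = shadowing_deny_rules(SAMPLE_NSG, port, jit_priority=1000)
        if blockers:
            print(f"port {port}: JIT Allow rule would be shadowed by {blockers}")
        else:
            print(f"port {port}: no Deny rule takes precedence over the JIT rule")
```

Run it against `az network nsg show ... -o json` after a JIT request has been approved, passing the priority the JIT rule actually received (visible in the `securityRules` output from Step 5) as `jit_priority`. Only the rules it names need attention; the usual fix is to raise their priority number above the JIT rule or narrow their port range, rather than deleting them.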

Step 7: Verify Permissions

```bash
# User needs JIT permissions
az role assignment list \
  --assignee user@example.com \
  --query "[?contains(roleDefinitionName, 'Security')].roleDefinitionName"

# Required roles:
# - Security Admin: Can configure JIT
# - Owner/Contributor: Can request JIT access
# - Reader: Can view JIT policies

# Assign Security Admin
az role assignment create \
  --assignee user@example.com \
  --role "Security Admin" \
  --scope /subscriptions/SUB
```

Step 8: Check VM Requirements

```bash
# VM must meet requirements:
az vm show \
  --name my-vm \
  --resource-group my-rg \
  --query '{OSType:storageProfile.osDisk.osType,NSG:networkProfile.networkInterfaces[0].id}'

# Requirements:
# - Must have NSG attached
# - Must be Azure Resource Manager VM (not Classic)
# - Must have public IP or be accessible via JIT
```

Step 9: Test JIT Access

```bash
# After JIT approval, test connectivity
# Get your public IP first (this is the source address the JIT rule must allow)
MY_IP=$(curl -s ifconfig.me)

# Wait for NSG rule to propagate (up to 1 minute)
sleep 60

# Test SSH
ssh -v user@vm-public-ip

# Test RDP (Windows, run from PowerShell rather than bash)
# Test-NetConnection -ComputerName vm-public-ip -Port 3389
```

Step 10: Monitor JIT Activity

```bash
# Check JIT activity logs
az monitor activity-log list \
  --resource-group my-rg \
  --caller "Microsoft.Security" \
  --query "[?contains(operationName.value, 'JIT')].{Time:eventTimestamp,Operation:operationName,Status:status.value}"

# Set up alert for JIT requests
az monitor activity-log alert create \
  --name jit-access-alert \
  --resource-group my-rg \
  --condition "category=Administrative and operationName=Microsoft.Security/jitNetworkAccessPolicies/write"
```
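Beyond a single alert on policy writes, the activity log answers two questions that matter when JIT "stops working": are access requests failing, and is anyone outside the expected administrators editing JIT policies (which is how conflicting or overly broad policies usually appear). The following added example (not code from the article or from Azure) triages a batch of activity-log entries. The entries are shaped like `az monitor activity-log list -o json` output (`operationName.value`, `caller`, `status.value`, `eventTimestamp`) but are constructed here, as is the allow-list of policy administrators; the operation names are built on the `Microsoft.Security/locations/jitNetworkAccessPolicies` prefix and the filter only requires the `jitNetworkAccessPolicies` segment, so it also matches the shorter form used in the alert above.

```python
"""Triage JIT-related activity-log entries: failed requests and unexpected
policy writers.

Added example; SAMPLE_LOG and POLICY_ADMINS are constructed. The entry shape
mirrors `az monitor activity-log list` output but the values are invented.
"""
from collections import Counter

JIT_PREFIX = "Microsoft.Security/locations/jitNetworkAccessPolicies"

# Constructed activity-log entries (shape assumed, values invented).
SAMPLE_LOG = [
    {"eventTimestamp": "2026-04-03T08:01:12Z", "caller": "secadmin@example.com",
     "operationName": {"value": JIT_PREFIX + "/write"},
     "status": {"value": "Succeeded"}},
    {"eventTimestamp": "2026-04-03T08:05:40Z", "caller": "alice@example.com",
     "operationName": {"value": JIT_PREFIX + "/initiate/action"},
     "status": {"value": "Succeeded"}},
    {"eventTimestamp": "2026-04-03T08:07:03Z", "caller": "bob@example.com",
     "operationName": {"value": JIT_PREFIX + "/initiate/action"},
     "status": {"value": "Failed"}},
    {"eventTimestamp": "2026-04-03T09:15:00Z", "caller": "contractor@example.com",
     "operationName": {"value": JIT_PREFIX + "/write"},
     "status": {"value": "Succeeded"}},
    # Unrelated operation that must be ignored by the filter
    {"eventTimestamp": "2026-04-03T09:16:00Z", "caller": "alice@example.com",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"},
     "status": {"value": "Succeeded"}},
]

# Constructed allow-list of principals expected to create or edit JIT policies.
POLICY_ADMINS = {"secadmin@example.com"}


def jit_events(entries: list) -> list:
    """Keep only entries whose operation targets JIT network access policies."""
    return [e for e in entries
            if "jitNetworkAccessPolicies" in e["operationName"]["value"]]


def triage(entries: list, policy_admins: set) -> dict:
    """Summarise JIT activity: failed access requests, policy writes by callers
    outside the allow-list, and request counts per caller."""
    out = {"failed_requests": [], "unexpected_policy_writers": [],
           "requests_by_caller": Counter()}
    for e in jit_events(entries):
        op = e["operationName"]["value"]
        caller = e["caller"]
        if op.endswith("/initiate/action"):          # a user asked for access
            out["requests_by_caller"][caller] += 1
            if e["status"]["value"] != "Succeeded":
                out["failed_requests"].append((e["eventTimestamp"], caller))
        elif op.endswith("/write") and caller not in policy_admins:
            out["unexpected_policy_writers"].append((e["eventTimestamp"], caller))
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, POLICY_ADMINS)
    print("failed requests:", result["failed_requests"])
    print("unexpected policy writers:", result["unexpected_policy_writers"])
    print("requests per caller:", dict(result["requests_by_caller"]))
```

A non-empty `unexpected_policy_writers` list is worth raising with the same priority as the alert rule above, since a rewritten policy (wrong port, wrong allowed source range, shorter maximum duration) is a common reason approved requests suddenly stop opening the port.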

JIT Access Workflow

  1. Enable Defender for Cloud Standard
  2. Configure JIT policy on VM
  3. User requests access (specifies IP, port, duration)
  4. Request approved (auto or manual)
  5. NSG rule created temporarily
  6. User connects to VM
  7. Rule removed after duration expires

Verification

```bash
# After enabling Defender and configuring JIT
# Request access
az security jit-policy request \
  --resource-group my-rg \
  --name my-jit-policy \
  --vm my-vm \
  --port 22 \
  --duration 1

# Check NSG rule exists
az network nsg show \
  --name my-nsg \
  --resource-group my-rg \
  --query "securityRules[?contains(name, 'JIT')].{Name:name,Port:destinationPortRange}"

# Should show JIT rule with port 22

# Test connection
ssh user@vm-public-ip
# Should connect successfully
```

Prevention

To prevent Azure Just-In-Time VM access issues from recurring, implement these proactive measures:

1. Monitor JIT Access Requests

```yaml
groups:
- name: azure-jit
  rules:
  - alert: AzureJITAccessFailed
    expr: |
      rate(azure_jit_access_failures_total[5m]) > 0
    for: 5m
    labels:
      severity: warning
    annotations:
      summary: "Azure JIT VM access requests failing"
```

2. Configure JIT Policies Proactively

```bash
# Set up JIT policies for all VMs
az security jit-policy create \
  --kind Basic \
  --location eastus \
  --name my-vm-jit \
  --resource-group my-rg \
  --vm /subscriptions/SUB/resourceGroups/my-rg/providers/Microsoft.Compute/virtualMachines/my-vm \
  --port 22 \
  --protocol tcp \
  --max-request-duration PT3H \
  --allowed-source-addresses 10.0.0.0/24

# Apply to all VMs in subscription
# (pass the same --name/--resource-group/--location flags as above for each VM)
for vm in $(az vm list --query '[].id' -o tsv); do
  az security jit-policy create --vm "$vm" --port 22 --protocol tcp
done
```

3. Document JIT Request Process

```bash
# Create JIT request documentation
cat << 'EOF' > jit_request_guide.md
# JIT Access Request Process

1. Request access via Azure Security Center
2. Specify: VM name, port, duration, source IP
3. Wait for approval (if configured)
4. Connect within approved time window
5. NSG rules auto-removed after expiry
EOF
```

Best Practices Checklist

  • [ ] Monitor JIT access requests
  • [ ] Configure JIT policies proactively
  • [ ] Document JIT request process
  • [ ] Train team on JIT usage
  • [ ] Review JIT logs weekly
  • [ ] Set appropriate request durations
