Just-in-Time VM Access: Reasons for "Not Applicable"


Question

When reviewing Just-in-Time VM access, you noticed that some VMs are appearing under “Not Applicable”.

What are the reasons that must be present in order for a VM to be considered not applicable? (select all that apply)

Answers

Explanations


A. B. C. D.

Correct Answers: A and B.

Options A and B are correct.

JIT is not supported on VMs in the following cases:

Missing NSG or Azure Firewall - The VM is missing a network security group (NSG) or Azure Firewall.

Classic VM - The VM is deployed as a classic VM. JIT only supports VMs deployed through ARM, not 'classic deployment'.

Hence, Option D is incorrect.

Other - Your VM might be in this tab if the JIT solution is disabled in the security policy of the subscription or the resource group.

Option C is incorrect.

JIT is already enabled.
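The checks behind the reasons listed above can be triaged offline against an exported inventory. The script below is an added example, not part of the original page or of any Azure tooling. It assumes a constructed, flattened inventory (not raw `az` output), an operator-supplied set of subnets that sit behind Azure Firewall, and that an NSG on either the NIC or its subnet counts as an NSG association.

```python
# Added example. All names and ids below are constructed sample data.
CLASSIC_VM = "Microsoft.ClassicCompute/virtualMachines"
ARM_VM = "Microsoft.Compute/virtualMachines"

def vm_subnets(vm, nics):
    """Subnet ids reachable through the VM's NICs."""
    return {s for n in vm["nicIds"] for s in nics[n]["subnetIds"]}

def has_nsg(vm, nics, subnets):
    """Assumption: an NSG on any NIC, or on any subnet a NIC sits in, counts."""
    if any(nics[n].get("nsg") for n in vm["nicIds"]):
        return True
    return any(subnets[s].get("nsg") for s in vm_subnets(vm, nics))

def not_applicable_reasons(vm, nics, subnets, firewalled, jit_policy_on=True):
    """Return the reasons (possibly none) a VM would be listed as Not Applicable."""
    if vm["type"].lower() == CLASSIC_VM.lower():
        return ["classic deployment"]  # classic VMs have no ARM NICs to inspect
    reasons = []
    behind_fw = bool(vm_subnets(vm, nics) & firewalled)
    if not has_nsg(vm, nics, subnets) and not behind_fw:
        reasons.append("missing NSG or Azure Firewall")
    if not jit_policy_on:
        reasons.append("JIT disabled in security policy")
    return reasons

NICS = {
    "nic-web": {"nsg": "nsg-web", "subnetIds": ["snet-a"]},
    "nic-db": {"nsg": None, "subnetIds": ["snet-b"]},
    "nic-app": {"nsg": None, "subnetIds": ["snet-c"]},
    "nic-bare": {"nsg": None, "subnetIds": ["snet-d"]},
}
SUBNETS = {"snet-a": {}, "snet-b": {"nsg": "nsg-b"}, "snet-c": {}, "snet-d": {}}
FIREWALLED = {"snet-c"}  # subnets the operator knows are protected by Azure Firewall
VMS = [
    {"name": "web01", "type": ARM_VM, "nicIds": ["nic-web"]},
    {"name": "db01", "type": ARM_VM, "nicIds": ["nic-db"]},
    {"name": "app01", "type": ARM_VM, "nicIds": ["nic-app"]},
    {"name": "bare01", "type": ARM_VM, "nicIds": ["nic-bare"]},
    {"name": "legacy01", "type": CLASSIC_VM, "nicIds": []},
]

def triage(vms=VMS, jit_policy_on=True):
    return {v["name"]: not_applicable_reasons(v, NICS, SUBNETS, FIREWALLED, jit_policy_on)
            for v in vms}

if __name__ == "__main__":
    for name, why in triage().items():
        print(name, "->", why or "JIT can be configured")
```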

Reference:

Just-in-Time (JIT) VM access is a feature in Azure Security Center that enables you to control access to Azure VMs. When JIT is enabled for a VM, access to that VM is restricted by default. JIT allows users to request access to a VM for a limited time period. Once the request is approved, the user will have access to the VM for the specified duration, after which access will be automatically revoked.

When reviewing Just-in-Time VM access, if you notice that some VMs are appearing under "Not Applicable", it means that JIT cannot be enabled for those VMs. There are several reasons why a VM might be considered "Not Applicable". The possible reasons are as follows:

A. The VM is not assigned to a network security group: JIT requires that the VM be associated with a network security group (NSG) for it to work. If the VM is not assigned to an NSG, JIT cannot be enabled for that VM.

B. The VM is not protected by a Firewall: JIT also requires that the VM be protected by a firewall in order to work. If the VM is not protected by a firewall, JIT cannot be enabled for that VM.

C. The VM has JIT already enabled: If JIT is already enabled for the VM, it will not appear under the "Not Applicable" category.

D. VM has been deployed through ARM (Azure Resource Manager): If the VM has been deployed through Azure Resource Manager (ARM), JIT cannot be enabled for that VM. This is because ARM deployment models do not support JIT.

In summary, to be considered "Not Applicable" for JIT, a VM must not be assigned to an NSG, not be protected by a firewall, have JIT already enabled, or be deployed through ARM.