Just-in-time VM access is the Microsoft Defender for Cloud control that locks down VM management ports and opens approved inbound access only for a limited time. Teams use it to reduce exposure of RDP, SSH, and other management ports while still allowing authorized operators to request temporary access. You see it around defender for cloud jit page, and virtual machines. It is not the same as Azure Bastion, and permanent NSG allow rule. Misunderstanding it can cause open management ports, and blocked emergency access.
JIT VM access, Defender for Cloud JIT, just in time access, JIT network access policy
Difficulty
intermediate
CLI mappings
5
Last verified
2026-05-15
Microsoft Learn
Just-in-time VM access is the Microsoft Defender for Cloud control that locks down VM management ports and opens approved inbound access only for a limited time.
Technically, Just-in-time VM access sits around defender for cloud jit page, virtual machines, network security group rules, and allowed source ips. Important settings include protected ports, allowed source addresses, maximum request duration, vm scope, and network security group. Operators verify it with jit policy state, temporary nsg rule, access request record, activity log entry, and vm connection attempt. In production reviews, connect the term to resource scope, identity, network path, diagnostics, cost ownership, and rollback. Confirm subscription, resource group, service tier, dependent workload, and current Azure evidence before changing it.
Why it matters
Just-in-time VM access matters because it turns an architecture choice into day-to-day workload behavior. If the team misunderstands it, the failure usually appears as open management ports, blocked emergency access, and stale source ip ranges before anyone notices the documentation gap. The term also affects how people search runbooks, assign tickets, approve deployments, and decide which Azure signal proves the system is healthy. For this glossary, the practical value is helping readers move from a label to a concrete decision about protected ports, allowed source addresses, and maximum request duration. Good definitions reduce handoff friction between architects, platform engineers, security reviewers, support teams, and finance owners during real production work.
⌁
Where you see it
Signals, screens, and Azure surfaces where this term usually becomes operational.
Signal 01
In the Azure portal, Just-in-time VM access appears near defender for cloud jit page, and virtual machines, where owners review health, access, and workload impact before production changes.
Signal 02
In CLI or REST output, Just-in-time VM access shows through jit policy state, and temporary nsg rule, giving operators proof during audits, release gates, incident triage, and owner handoffs.
Signal 03
In incident reviews, Just-in-time VM access comes up when teams investigate open management ports, and blocked emergency access, then compare logs, metrics, ownership, dependencies, recent changes, and deployment evidence.
✦
When this becomes relevant
Specific situations where this term helps solve real Azure design, operations, migration, security, reliability, cost, or governance problems.
Design and review Just-in-time VM access as part of a production Azure workload.
Troubleshoot incidents where Just-in-time VM access affects user-visible behavior or operator evidence.
Document ownership, rollback, monitoring, and cost impact for Just-in-time VM access during governance reviews.
◆
Real-world case studies
Different enterprise-style examples that show the term being used to hit measurable objectives.
Case study 01
JIT VM access for finance administration
Scenario, objectives, solution, measured impact, and takeaway.
📌Scenario
Fabrikam Finance, a financial services organization, needed to remove permanently open RDP ports on administration VMs without blocking approved maintenance. The team had to improve the design without disrupting existing users or weakening governance.
🎯Business/Technical Objectives
Close permanent RDP and SSH exposure
Allow approved administrators temporary access
Create evidence for privileged access reviews
Reduce security findings from open management ports
✅Solution Using Just-in-time VM access
The architecture team used Just-in-time VM access as the primary control point for the change. They designed Defender for Cloud JIT policies for Windows and Linux administration servers and connected it with Network Security Groups, Azure Bastion, activity logs, and security recommendations. Engineers configured protected ports, allowed source IP ranges, maximum access windows, owner tags, and alert rules and captured baseline telemetry before rollout. Security reviewers checked management port exposure, access logs, administrator roles, and emergency access procedures while operators documented alerts, escalation steps, rollback commands, and expected output. A limited pilot proved the behavior under realistic load, then the team expanded the pattern using tags, diagnostic settings, owner signoff, and post-release health checks.
📈Results & Business Impact
Persistent management-port findings dropped to zero
Temporary access windows were limited to approved durations
Quarterly access review evidence was generated from logs
Just-in-time VM access is valuable when it connects a glossary concept to a measurable production decision, not just a name in Azure.
Case study 02
JIT VM access for plant support
Scenario, objectives, solution, measured impact, and takeaway.
📌Scenario
Contoso Packaging, a manufacturing organization, needed to support plant-floor VMs across sites without leaving broad source IP ranges open. The team had to improve the design without disrupting existing users or weakening governance.
🎯Business/Technical Objectives
Reduce open inbound rules on plant VMs
Support contractors during scheduled maintenance windows
Provide support managers a clear access trail
Avoid delaying urgent production fixes
✅Solution Using Just-in-time VM access
The architecture team used Just-in-time VM access as the primary control point for the change. They designed site-specific JIT access rules for maintenance VMs and contractor support sessions and connected it with Defender for Cloud, NSGs, Azure Monitor, and the service desk approval process. Engineers configured source IP restrictions, custom access durations, policy scope per resource group, and activity-log alerts and captured baseline telemetry before rollout. Security reviewers checked contractor access, rule cleanup, least privilege, and separation between plant networks while operators documented alerts, escalation steps, rollback commands, and expected output. A limited pilot proved the behavior under realistic load, then the team expanded the pattern using tags, diagnostic settings, owner signoff, and post-release health checks.
📈Results & Business Impact
Broad inbound allow rules were removed from 64 VMs
Contractor sessions matched approved maintenance windows
Support managers received searchable access evidence
Urgent fix connection time stayed under the target
💡Key Takeaway for Glossary Readers
Just-in-time VM access is valuable when it connects a glossary concept to a measurable production decision, not just a name in Azure.
Case study 03
JIT VM access for legacy server hardening
Scenario, objectives, solution, measured impact, and takeaway.
📌Scenario
State Records Agency, a public sector organization, needed to harden legacy application servers while preserving emergency access for records operations. The team had to improve the design without disrupting existing users or weakening governance.
🎯Business/Technical Objectives
Reduce audit exceptions for exposed management ports
Keep emergency access available for critical records systems
Detect manual NSG rule drift quickly
Give auditors repeatable evidence
✅Solution Using Just-in-time VM access
The architecture team used Just-in-time VM access as the primary control point for the change. They designed JIT policies combined with break-glass runbooks and periodic NSG drift checks and connected it with Defender for Cloud, Azure Policy, activity logs, and incident management workflows. Engineers configured JIT port policies, maximum access duration, allowed operator ranges, alert routing, and weekly reports and captured baseline telemetry before rollout. Security reviewers checked public IP exposure, administrator approval, logging retention, and exception documentation while operators documented alerts, escalation steps, rollback commands, and expected output. A limited pilot proved the behavior under realistic load, then the team expanded the pattern using tags, diagnostic settings, owner signoff, and post-release health checks.
📈Results & Business Impact
Audit exceptions fell from 31 to four in one cycle
Emergency access remained available through approved requests
Manual NSG drift was detected within one business day
Auditor evidence collection dropped by 50 percent
💡Key Takeaway for Glossary Readers
Just-in-time VM access is valuable when it connects a glossary concept to a measurable production decision, not just a name in Azure.
Why use Azure CLI for this?
Use CLI commands for Just-in-time VM access to inspect live Azure state first, compare it with the approved design, and run mutating steps only with rollback and owner approval.
CLI use cases
Confirm the live Azure resource or configuration related to Just-in-time VM access before approving a production change.
Capture read-only evidence for Just-in-time VM access during incident response, audit review, or release validation.
Compare CLI output with infrastructure-as-code, portal settings, and runbook expectations for Just-in-time VM access.
Validate graph-connected dependencies for Just-in-time VM access before changing production scope.
Before you run CLI
Confirm tenant, subscription, resource group, service name, and environment before trusting command output.
Run list or show commands first, then save evidence before any create, update, delete, restore, or deploy action.
Check whether the command exposes secrets, customer data, training examples, file paths, keys, or private endpoints.
Have an approved rollback path and owner contact ready before changing production configuration.
What output tells you
Whether the expected Azure resource exists and whether Just-in-time VM access is configured at the intended scope.
Which names, IDs, locations, states, tiers, policies, identities, and dependent resources are active right now.
Whether live Azure state differs from the design document, deployment template, release ticket, or support runbook.
Which metric, log query, portal page, or application test should be checked before closing the issue.
Mapped Azure CLI commands
Just-in-time VM access operational checks
direct
az security jit-policy list --resource-group <resource-group>
az security jit-policydiscoverSecurity
az security jit-policy show --name <policy-name> --resource-group <resource-group> --location <location>
az security jit-policydiscoverSecurity
az network nsg rule list --nsg-name <nsg-name> --resource-group <resource-group>
az network nsg rulediscoverSecurity
az vm show --name <vm-name> --resource-group <resource-group>
az vmdiscoverCompute
az monitor activity-log list --resource-group <resource-group> --query "[?contains(operationName.value,'jit')]"
az monitor activity-logdiscoverSecurity
Architecture context
Technically, Just-in-time VM access sits around defender for cloud jit page, virtual machines, network security group rules, and allowed source ips. Important settings include protected ports, allowed source addresses, maximum request duration, vm scope, and network security group. Operators verify it with jit policy state, temporary nsg rule, access request record, activity log entry, and vm connection attempt. In production reviews, connect the term to resource scope, identity, network path, diagnostics, cost ownership, and rollback. Confirm subscription, resource group, service tier, dependent workload, and current Azure evidence before changing it.
Security
Security for Just-in-time VM access starts with management port exposure, allowed source ips, defender policy, activity logs, and privileged access approval. Review who can read, create, update, delete, restore, deploy, or invoke the related resource, and verify that privileged changes create audit evidence. Prefer Microsoft Entra ID, managed identities, private endpoints, key rotation, customer-managed keys, and policy controls where the service supports them. Keep secrets, credentials, personal data, and regulated content out of scripts and examples unless the data-handling design explicitly allows it. During approval, check tenant boundaries, network exposure, diagnostic logs, and break-glass procedures so a configuration mistake does not become an incident.
Cost
Cost for Just-in-time VM access is driven by defender plan coverage, administrative effort, reduced incident exposure, bastion comparison, and support time during access issues. The common mistake is treating the term as free because it is a setting, schema choice, job, or child resource instead of a cost influence. Check whether charges come from storage, requests, tokens, replicas, retention, backups, training, data transfer, diagnostics, or engineer time spent recovering from bad configuration. Use tags, budgets, Azure Cost Management, and owner reviews to connect usage to a workload. When reducing cost, confirm the change will not remove recovery evidence, security controls, or needed performance headroom.
Reliability
Reliability for Just-in-time VM access depends on emergency access path, request duration, nsg rule cleanup, vm reachability, and support escalation process. A resource can exist and still fail the business workflow when permissions, network paths, limits, schema settings, or downstream services are wrong. Define the health signal before production use, then test the expected failure mode with a controlled change. Monitor platform metrics, application traces, deployment history, and user symptoms in the same time window during incidents. Recovery plans should include owner contact, safe rollback, validation queries, and customer-impact checks, not just proof that the Azure resource exists. Test the expected failure path before the workload depends on it.
Performance
Performance for Just-in-time VM access depends on access request latency, nsg propagation, troubleshooting time, connection setup, and operator response time. Measure the real workload instead of assuming the default configuration is enough. Look at latency, throughput, concurrency, request size, metadata operations, query complexity, token counts, or recovery duration depending on the service. Compare production metrics with load tests and with the limits of the selected tier or model. Tuning should be incremental and reversible, because a change that improves one path can hurt another. Always verify user-facing behavior after configuration, schema, deployment, or data-layout changes. Capture before-and-after metrics for every tuning change.
Operations
Operations for Just-in-time VM access require jit policy reviews, access request monitoring, nsg drift checks, incident runbooks, and administrator training. Treat the term as something support teams must inspect quickly, not only as a design-time concept. Keep a runbook with portal locations, CLI commands, expected output, known dependencies, approval rules, and rollback steps. Review it during releases, migrations, incidents, access changes, and cost investigations. Good operations practice also means tagging owners, enabling diagnostics, storing evidence from read-only checks, and documenting exceptions. When the term changes, update handoff notes so future operators know what normal looks like. Store the evidence where the next operator can find it.
Common mistakes
Treating Just-in-time VM access as a harmless label instead of checking the live resource, scope, owner, and dependencies.
Running a mutating command in the wrong subscription, resource group, account, service, index, share, or deployment.
Assuming a successful deployment proves the feature works without checking logs, metrics, access, and rollback evidence.
Ignoring cost, retention, quotas, network exposure, or data classification until an incident forces emergency cleanup.