Wednesday, February 21, 2018

Experimenting with permissions for Azure JIT VM Access

At this point, I've written a couple of posts on Azure JIT VM access. 

Getting Started

 A look at the activity log

The goal of this post is to discuss a little bit about permissions for Azure JIT VM Access.

Use case: Here is my example use case. What I'd like to do is have my VM users make use of Azure JIT to request access to their VMs. What I want is to give them the least amount of permissions required to execute the action. So, basically, a server admin who has limited access in Azure should be able to log in to the portal and request access to a VM.

Ultimately there are two parts that I think need to be factored in here.  The first is how does a user actually get access to the portal experience to request access.  The second part is how are those requests authorized in the system.

Starting with the second part is actually easier. According to the documentation, Security Center will auto-approve an access request provided that the user has write access to the VM. I personally don't like this (particularly for my use case), as now my server admin has access to write to the VM definition directly. But this is what we have to work with in the preview.

The first part (getting into the portal experience) is a little bit more complex, and I'm sad to say that I don't have a good answer here. The first thing I tried was to use the Get-AzureRmProviderOperation cmdlet to inspect what operations were JIT related. Here is a snippet of what actions are available.

The first thing I tried was to create a custom role that contained the following:


"Microsoft.Security/locations/read",
"Microsoft.Security/locations/jitNetworkAccessPolicies/read",
"Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action",

Unfortunately, when I ran the above configuration, I was unable to even access the JIT screen. This is what I saw.

Interesting. At this point I figured that it isn't showing me the JIT options because I don't have access to see that Security Center is in Standard mode (and thus that I do have access to JIT). I tried adding a couple of other actions, including:

"Microsoft.Security/securitySolutionsReferenceData/read"

But nothing I did seemed to give me access to the JIT screen. At this point, I gave up and just created a custom role that had read access to Security Center. Not the best solution, but enough for my current needs. This will probably be something I revisit at some point in the future.
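To tie together the two steps above (enumerating the JIT-related operations with Get-AzureRmProviderOperation, and building the fallback custom role with read access to Security Center plus the initiate action), here is an added PowerShell example. It is not code from the original post; it assumes the AzureRM module is loaded and you are already signed in, and the subscription ID, resource group name and role name are placeholders. The "Microsoft.Security/*/read" wildcard is my rendering of "read access to Security Center"; the initiate action is the one listed earlier in the post.

```powershell
# Added example, not part of the original post.
# Assumes: AzureRM module loaded, Login-AzureRmAccount already run.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$resourceGroup  = "rg-jit-demo"                            # placeholder

# 1. Enumerate what the Microsoft.Security provider advertises for JIT.
$jitOps = Get-AzureRmProviderOperation -OperationSearchString "Microsoft.Security/*" |
    Where-Object { $_.Operation -like "*jitNetworkAccessPolicies*" }
$jitOps | Select-Object Operation, Description | Format-Table -AutoSize

# 2. Custom role: read across Security Center plus the JIT initiate action,
#    scoped to a single resource group (assumed scope; widen as needed).
$role = @{
    Name             = "JIT VM Requester"                  # placeholder name
    IsCustom         = $true
    Description      = "Read Security Center and request JIT VM access"
    Actions          = @(
        "Microsoft.Security/*/read",
        "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action"
    )
    NotActions       = @()
    AssignableScopes = @("/subscriptions/$subscriptionId/resourceGroups/$resourceGroup")
}

# 3. Sanity check before creating it: every non-wildcard action must be one
#    the provider actually advertises, or the role definition is silently useless.
$known = (Get-AzureRmProviderOperation -OperationSearchString "Microsoft.Security/*").Operation
foreach ($action in $role.Actions) {
    if (-not $action.Contains("*") -and ($known -notcontains $action)) {
        throw "Action '$action' is not advertised by Microsoft.Security"
    }
}

# 4. Write the definition to a file and create the role if it does not exist yet.
$roleFile = Join-Path $env:TEMP "jit-requester-role.json"
$role | ConvertTo-Json -Depth 4 | Set-Content -Path $roleFile -Encoding UTF8

if (-not (Get-AzureRmRoleDefinition -Name $role.Name -ErrorAction SilentlyContinue)) {
    New-AzureRmRoleDefinition -InputFile $roleFile
} else {
    Write-Host "Role '$($role.Name)' already exists; skipping creation."
}
```

Note that this role only covers the portal/initiate side. As the post describes, the request is still only auto-approved when the user also has write access to the target VM, and that assignment is deliberately not part of this role definition.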

Hopefully this post helps a bit with understanding the permissions required to execute JIT actions in the portal.