Azure Virtual Machine (VM) with Just-in-Time access.
You'll need to enable Microsoft Defender for Servers for the Subscription.
Make sure you enable Cloud Workload Protection (CWP) for Servers. After that, install the agents using the Portal just for completeness.
Start by creating the sandbox infrastructure:
terraform init
terraform apply -auto-approveThe execution will fail with the following error:
'LinuxJITPolicy' is not onboarded to Defender For Servers offering.
Add the server to Defender and apply again to finish the setup.
If everything goes right, the JIT policy will automatically be created to the VM by the Terraform AzApi provider.
Permissions required are:
Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/actionMicrosoft.Compute/virtualMachines/read
To be able to login with Entra ID credentials, users must have one of:
Virtual Machine Administrator LoginVirtual Machine User Login
Defender should have created the following Deny rule:
Now request your JIT access.
Defender should create the following Allow rule:
It is possible to extend VM management capabilities using the VMAccess extension.
To install the extension using Terraform:
# VMAccess
install_vmaccess_extension = trueTo check for deployed extensions and the installation status:
az vm extension list \
--resource-group <resource-group> \
--vm-name <vm-name> -o tableDon't forget to disable Microsoft Defender if you're only testing.
Destroy the infrastructure:
terraform destroy -auto-approve