What exact permission is needed for a user to request JIT ? #40812

Closed
jackchenwork opened this issue Oct 15, 2019 — with docs.microsoft.com · 22 comments

Comments


@jackchenwork jackchenwork commented Oct 15, 2019 — with docs.microsoft.com

This document only lists two permissions:

  • Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action
  • Microsoft.Compute/virtualMachines/read

We have tried to grant users a customized role at subscription level with:

  • "Microsoft.Compute/virtualMachines/*",
  • "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action",
  • "Microsoft.Network/networkInterfaces/read"

Yet the user still can't request JIT. When he clicks Connect from the Azure portal VM UI, it shows that JIT is not enabled on this VM. But JIT is enabled on the VM, and a subscription Contributor can see "Request Access" when clicking Connect.

We even tried to grant the user the customized role and the built-in "Virtual Machine Contributor" role; he still doesn't see the "Request Access" option in the Azure portal.


@SaurabhSharma-MSFT SaurabhSharma-MSFT (Contributor) commented Oct 15, 2019

@jackchenwork Thanks for your feedback! We will investigate and update as appropriate.

@jackchenwork jackchenwork (Author) commented Oct 16, 2019

I ran a test with a user today, granted her the custom role, and she didn't see "Request Access". Then I added the "Reader" role for her, and that did the trick: she was able to request access and got approved, probably because she has the "Microsoft.Compute/virtualMachines/*" permission. It would still be better if we knew exactly which read permission she needs, then we could just add it to the customized role.

@memildin memildin (Contributor) commented Oct 17, 2019

@rotemlurie, please can you confirm the specific permissions required so that I can update the doc.


@azsec azsec commented Dec 25, 2019 — with docs.microsoft.com

There are two types of JIT: VM JIT Request and Azure Security Center. Both can be treated as the same feature; however, the way it is initiated is different. If you request JIT from the VM, you need Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action and Microsoft.Compute/virtualMachines/read. I wrote a bit about the risk of using JIT here: https://azsec.azurewebsites.net/2019/12/02/be-aware-of-just-in-time-azure-vm/

@rotemlurie rotemlurie commented Dec 25, 2019

@azsec - thank you for sharing your experience with JIT. Note that the reason JIT added a "*" rule to the NSG is that the access was requested for all IPs configured in that VM's JIT policies.
There are two ways to avoid this scenario in the future:

  1. Make sure you configure JIT for a closed set of IPs and CIDRs, and not for all IPs ("*").
  2. Request access on behalf of a certain CIDR, rather than "All configured IPs". This is supported both in Azure Security Center and in Compute.

I'd be happy to elaborate - please reach out at rotem.lurie@microsoft.com.

@azsec azsec commented Dec 25, 2019

Thanks for the information @rotemlurie. I guess adding a CIDR is still considered a limitation and can only work when you have a trusted/whitelisted IP range, while the term Just-In-Time really means an untrusted/temporary source.

@jackchenwork jackchenwork (Author) commented Jan 2, 2020

@azsec, based on my experience, the two permissions

  • Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action
  • Microsoft.Compute/virtualMachines/read

are not enough for "VM JIT Request".

I also had to grant the user the "Reader" role at subscription level; then he could request JIT from the VM. I assume read permission on another resource is needed, I just don't know exactly which one.

@MisterCloudTech MisterCloudTech commented Mar 6, 2020

Same experience here.
Have tried to grant these permissions:

  • Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action
  • Microsoft.Security/locations/jitNetworkAccessPolicies/*/read
  • Microsoft.Compute/virtualMachines/read
  • Microsoft.Network/networkInterfaces/*/read

But no success. Users can't get into the JIT blade in Security Center, nor can they access the VM.
Has anyone found the right combination of permissions for enabling JIT VM Access (besides general Reader)?

@jackchenwork jackchenwork (Author) commented Mar 6, 2020

I am disappointed with the response from Microsoft support. I already mentioned that the two permissions listed in the document are not enough, yet @azsec just repeated what the document said (did you try it?).

This is a simple question and Azure support should be able to find the answer easily; we shouldn't need to waste time trying different combinations.

@HolyMoly05 HolyMoly05 commented Mar 6, 2020

@jackchenwork jackchenwork (Author) commented Mar 6, 2020

OK, thanks. Then I guess this issue only happens in certain environments? I will open an Azure support request then.

@MisterCloudTech MisterCloudTech commented Mar 6, 2020

When the JIT requester logs into the Azure portal, this error appears:
"Failed to retrieve your subscription list, please try again later"

I have tried to add the following permissions one by one:

  • Microsoft.Resources/providers/read
  • Microsoft.Resources/subscriptions/read
  • Microsoft.Resources/subscriptions/resources/read
  • Microsoft.Resources/subscriptions/resourceGroups/read
  • Microsoft.Resources/subscriptions/resourcegroups/resources/read

Still no luck.
The user cannot see anything in the JIT branch in Security Center, nor look up the server.

For now I'm granting the JIT requesters Reader on the subscription, at least until I have some idea of what additional permissions to look for. Thanks for the input :-)

I guess we have all dissected the MS article in detail, so this is just for later reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time#permissions-needed-to-configure-and-use-jit

@MisterCloudTech MisterCloudTech commented Mar 6, 2020

Short update:
Reader permissions on the subscription seem to be inadequate, and the only combination I can get working so far is assigning the JIT requesters Global Reader + the permissions from the MS article.
(sigh...)

@memildin memildin (Contributor) commented Apr 28, 2020

@MisterCloudTech, I'm sorry this issue is still ongoing for you.
I'm told that Reader and SecurityReader roles can both read policies.
From your replies, it's clear that you're reluctant to grant these roles; can you please explain the issue with using them?

@MisterCloudTech MisterCloudTech commented Apr 28, 2020

Customers with a focus on security do not want to assign higher permissions to users, external or internal, than necessary. Global Reader provides access to information across the whole tenant, and this is WAY more access than appropriate, for instance, if a user just needs VM access to a few specialized Azure VMs.
In this particular case, we have a standard hub-and-spoke setup with a central hub and multiple application-specific subscriptions.
Granting a user Reader access to the particular spoke subscription (+ permissions from the MS article) is NOT sufficient to enable the user to use JiT VM Access.
As mentioned, the only solution I have found to work is to join the user to Global Readers + assign Reader access on the spoke subscription + the permissions from the MS article.

Assigning permissions for JiT VM Access should only require a specific PIM role with limited access to the relevant Azure subscription or resource group.
A solution as described in the MS Docs article is fine, but it just does NOT work unless the user is ALSO assigned Global Reader permissions, which is not a good solution.

@memildin memildin (Contributor) commented Apr 30, 2020

Thanks for the details.

Our internal testing shows that a custom role with the following 5 permissions can create a JIT access request:

  • Microsoft.Security/locations/jitNetworkAccessPolicies/read
  • Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action
  • Microsoft.Security/policies/read
  • Microsoft.Compute/virtualMachines/read
  • Microsoft.Network/*/read

No need for any further roles, permissions, or assignments. If this doesn't work for you, or doesn't meet your use case, please contact our support team.

@memildin memildin (Contributor) commented Apr 30, 2020

#please-close

@ghost ghost commented Sep 29, 2020

I am also looking for a custom JIT admin RBAC role, so I am assuming I could use the above with a few small modifications where I change read to write, and that should work.

@memildin memildin (Contributor) commented Oct 6, 2020

An update for anyone still referencing this page: take a look at the JIT documentation that was written since this GitHub issue was created: "What permissions are needed to configure and use JIT?"

Especially relevant is the Set-JitLeastPrivilegedRole script from the Security Center GitHub community pages.

@tute26 tute26 commented Jun 22, 2021

Hello everybody! So... I don't know if I am doing something wrong, but I still face issues when I try to request JIT.
I created a new subscription and a new domain to start with a clean slate.
I created a new RG and a simple Linux VM and enabled JIT.
Then I added a new user with the Reader role over the subscription.
I also used the Set-JitLeastPrivilegedRole script to create the custom role.
In the VM page I went to Access control and assigned the JIT custom role to the test user, but when I request JIT I still get the "request failed" message.
So I guessed that this JIT custom role needs to be applied to some other resource, so I went one by one over the resources in the RG (VM, NIC, NSG, VNET and Public IP) and added the JIT custom role, but after I had added the role to every resource, I tested and the request failed every time.
Then I went to the RG Access control and added the JIT custom role there, and then I could successfully create a JIT request.
So my problem is that I don't want to grant that permission at RG level; I need to enable this JIT access at VM level, and there is some kind of permission I'm missing that doesn't allow me to do it that way.
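An added example (my own code, not from this issue, from Microsoft's docs, or from the Set-JitLeastPrivilegedRole script) that models two things raised in this thread: whether a custom role's Actions cover the five actions memildin lists in the Apr 30, 2020 comment, and why the same role can work when assigned at resource-group scope but not when assigned on the VM alone, as tute26 describes above. The Azure RBAC semantics it relies on are well documented: an action is granted when an `Actions` pattern matches it and no `NotActions` pattern matches it, `*` matches any run of characters, and a role assignment is inherited by every resource beneath its scope. What is assumed (and labelled in the code) is which resource each action is checked against during a JIT request: the Security actions on the resource group's JIT policy, the VM read on the VM, and the network reads on the VM's NIC and NSG. The subscription id, resource names and the roles copied from the thread are constructed sample data.

```python
"""Model of Azure RBAC action matching and scope inheritance for a JIT request.

Added example; the (action, resource) pairs a JIT request is checked against
are a modelling assumption, not something the issue or Microsoft documents.
"""
import json
import re

# The five actions memildin's Apr 30, 2020 comment reports as sufficient
# for a custom role that can create a JIT access request.
REQUIRED_JIT_REQUEST_ACTIONS = (
    "Microsoft.Security/locations/jitNetworkAccessPolicies/read",
    "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action",
    "Microsoft.Security/policies/read",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Network/*/read",
)

SUB = "00000000-0000-0000-0000-000000000000"          # constructed placeholder
RG_ID = f"/subscriptions/{SUB}/resourceGroups/rg-jit"  # constructed

# Custom role built from the five actions, in the shape accepted by
# `az role definition create --role-definition <file>`.
JIT_REQUESTER_ROLE = {
    "Name": "JIT VM Access Requester (custom)",
    "IsCustom": True,
    "Description": "Can request JIT access to VMs (actions from the GitHub issue thread).",
    "Actions": list(REQUIRED_JIT_REQUEST_ACTIONS),
    "NotActions": [],
    "AssignableScopes": [f"/subscriptions/{SUB}"],
}

# Roles copied from the thread for comparison: the opening post (Oct 15, 2019)
# and MisterCloudTech's first attempt (Mar 6, 2020).
OPENING_POST_ROLE = {"Actions": [
    "Microsoft.Compute/virtualMachines/*",
    "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action",
    "Microsoft.Network/networkInterfaces/read"], "NotActions": []}
MAR_6_ROLE = {"Actions": [
    "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action",
    "Microsoft.Security/locations/jitNetworkAccessPolicies/*/read",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Network/networkInterfaces/*/read"], "NotActions": []}


def action_matches(pattern: str, action: str) -> bool:
    """Azure-style match: '*' matches any characters (slashes included),
    everything else is literal, comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_grants(role: dict, action: str) -> bool:
    """Granted when some Actions entry matches and no NotActions entry does."""
    allowed = any(action_matches(p, action) for p in role.get("Actions", []))
    excluded = any(action_matches(p, action) for p in role.get("NotActions", []))
    return allowed and not excluded


def missing_actions(role: dict, required=REQUIRED_JIT_REQUEST_ACTIONS) -> list:
    """Entries of `required` that `role` does not grant (literal comparison
    for wildcard entries such as Microsoft.Network/*/read)."""
    return [a for a in required if not role_grants(role, a)]


def scope_covers(scope: str, resource_id: str) -> bool:
    """An assignment at `scope` applies to the scope itself and everything
    beneath it in the resource hierarchy (ids compared case-insensitively)."""
    s, r = scope.rstrip("/").lower(), resource_id.lower()
    return r == s or r.startswith(s + "/")


def jit_request_checks(sub, rg, vm, nic, nsg, location) -> list:
    """(action, resource id) pairs a JIT request is modelled as needing.
    ASSUMPTION: Security actions are checked on the resource group's JIT
    policy and on the group, network reads on the VM's NIC and NSG."""
    rg_id = f"/subscriptions/{sub}/resourceGroups/{rg}"
    jit_policy = (f"{rg_id}/providers/Microsoft.Security/locations/{location}"
                  "/jitNetworkAccessPolicies/default")
    return [
        ("Microsoft.Security/locations/jitNetworkAccessPolicies/read", jit_policy),
        ("Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action", jit_policy),
        ("Microsoft.Security/policies/read", rg_id),
        ("Microsoft.Compute/virtualMachines/read",
         f"{rg_id}/providers/Microsoft.Compute/virtualMachines/{vm}"),
        ("Microsoft.Network/networkInterfaces/read",
         f"{rg_id}/providers/Microsoft.Network/networkInterfaces/{nic}"),
        ("Microsoft.Network/networkSecurityGroups/read",
         f"{rg_id}/providers/Microsoft.Network/networkSecurityGroups/{nsg}"),
    ]


def denied_checks(assignments, roles, checks) -> list:
    """Checks no (role name, scope) assignment satisfies; `roles` maps names
    to role definitions. Empty result means the modelled request succeeds."""
    return [(action, rid) for action, rid in checks
            if not any(scope_covers(scope, rid) and role_grants(roles[name], action)
                       for name, scope in assignments)]


def main() -> None:
    print(json.dumps(JIT_REQUESTER_ROLE, indent=2))
    print("opening post role misses:", missing_actions(OPENING_POST_ROLE))
    print("Mar 6 role misses:", missing_actions(MAR_6_ROLE))
    checks = jit_request_checks(SUB, "rg-jit", "vm01", "vm01-nic", "vm01-nsg", "westeurope")
    vm_id = checks[3][1]
    for label, scope in (("assigned on resource group", RG_ID), ("assigned on VM only", vm_id)):
        denied = denied_checks([("jit", scope)], {"jit": JIT_REQUESTER_ROLE}, checks)
        print(f"{label}: {'request allowed' if not denied else 'denied ' + str(denied)}")


if __name__ == "__main__":
    main()
```

Two details worth noticing when running it: `Microsoft.Security/locations/jitNetworkAccessPolicies/*/read` does not cover `.../jitNetworkAccessPolicies/read`, because the wildcard still requires a path segment between the two slashes, which is one reason the Mar 6 list above falls short of memildin's list; and with the role assigned on the VM alone, only the VM read passes, since the JIT policy, the NIC and the NSG are sibling resources that inherit nothing from an assignment scoped to the VM.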

@PVJAZ PVJAZ commented Aug 18, 2021

Read-only permissions didn't work at the subscription level, so I ended up making the JIT requester user a Contributor at the subscription level to make it work. I just did this for testing purposes.

@Nimmagaddaprasad Nimmagaddaprasad commented Oct 7, 2021

Could you please help me with the query below.

If the user does not have access to the Azure portal and the server is part of a domain, and the user wants to access the server from the domain, how will the access request be done in this scenario?
