Exam AZ-720 topic 5 question 50 discussion

1.Grant Admin1 Contributor access to RG1: Admin1 needs the Contributor role in order to create and associate a network security group (NSG). The Microsoft.Security/locations/jitNetworkAccessPolicies/write permission is not enough for these actions. 2.Create NSG in RG1: A network security group needs to be created to control inbound and outbound traffic to resources such as VMs. This is a requirement for JIT VM Access. 3.Associate NSG to the VM NIC: The NSG that was created needs to be associated with the network interface of the VM for which JIT VM access is needed. The JIT VM access feature of Azure Security Center leverages NSGs to lock down inbound traffic to Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed. Thus, without an NSG, JIT VM access won't work. This is why, when viewing the JIT VM access pane, VM1 appears on the Unsupported tab - because there is no NSG associated with it. By following these steps, you should be able to resolve this issue.

Correct. 1. Grant admin1 Contributor access to RG1. 2. Create NSG in RG1 3. Associate NSG to the VM NIC So, if the JIT shows the VM as unsupported, this means that there is either a need of an NSG or AZFW for JIT to work. In our case here, there is no NSG and the easiest and less privileged way to fix is to create one and associate it to the NIC. https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage#work-with-jit-vm-access-using-microsoft-defender-for-cloud Unsupported - VMs that don't support JIT because: Missing network security group (NSG) or Azure Firewall - JIT requires an NSG to be configured or a Firewall configuration (or both)