ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-500 All Questions

View all questions & answers for the AZ-500 exam
Go to Exam

Exam AZ-500 topic 4 question 74 discussion

Actual exam question from Microsoft's AZ-500
Question #: 74
Topic #: 4
[All AZ-500 Questions]

HOTSPOT -
You are configuring just in time (JIT) VM access to a Windows Server 2019 Azure virtual machine.
You need to grant users PowerShell access to the virtual machine by using JIT VM access.
What should you configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Show Suggested Answer Hide Answer
Suggested Answer:
by Joillane at June 30, 2021, 6:02 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
jpons
Highly Voted 3 years, 12 months ago
Port is ok, but access is Read https://docs.microsoft.com/en-us/azure/security-center/just-in-time-explained#what-permissions-are-needed-to-configure-and-use-jit
upvoted 33 times
ITFranz
5 months, 1 week ago
To support the answer: To grant users PowerShell access to a virtual machine using Just-in-Time (JIT) VM access, the following permission is required: Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action This permission needs to be assigned to the user at the scope of the subscription or resource group associated with the VM. Additionally, the user will need the following read permissions: 1. Microsoft.Security/locations/jitNetworkAccessPolicies/*/read 2. Microsoft.Compute/virtualMachines/read 3. Microsoft.Network/networkInterfaces/*/read These permissions allow the user to request JIT access to the VM and view the necessary information to establish a PowerShell connection[2]. Answer = read
upvoted 2 times
...
93b98ea
11 months, 2 weeks ago
agreed it is read. "Request JIT access to a VM" is under read section.
upvoted 1 times
asodataone
7 months ago
Permission that must be granted to users on the VM: Answer: Update The Update permission is required because users need to make changes to the VM's network security group (NSG) rules for JIT to temporarily allow inbound access to specific ports. TCP Port that must be allowed: Answer: 5986 Port 5986 is the default TCP port for PowerShell remoting over HTTPS, which is required for secure PowerShell access. Explanation: Permissions on VM: Update permission is needed to configure and approve JIT access requests, as JIT modifies NSG rules to open ports temporarily. TCP Ports: Port 5986 is used for secure PowerShell remoting over HTTPS. Other ports like 22 (SSH), 25 (SMTP), and 3389 (RDP) are irrelevant for PowerShell remoting. Final Configuration: Permission: Update TCP Port: 5986
upvoted 1 times
...
...
ITFranz
1 year, 6 months ago
The port number. By default a PowerShell agent uses port 5985 for a regular connection and 5986 for a secure connection. If you are using a different port for PowerShell in your environment, enter the required port number.
upvoted 1 times
...
...
Joillane
Highly Voted 3 years, 12 months ago
First one should be Read
upvoted 9 times
...
Drummer
Most Recent 1 year ago
Please note that the Write permission is necessary for users to make changes on the VM, and port 5986 is the default port for PowerShell remoting over HTTPS. The “Read” permission allows users to view the properties of a VM, but it doesn’t allow them to make changes. For Just-In-Time (JIT) VM access, users need to be able to request access, which involves making changes to the VM’s network security group rules. This requires the “Write” permission. Therefore, while “Read” permission is useful for viewing VM properties, it’s not sufficient for configuring JIT VM access. The “Write” permission is necessary for this task. Permission that must be granted to users on VM: Write TCP port that must be allowed: 5986
upvoted 3 times
...
[Removed]
1 year, 6 months ago
Request JIT access to a VM Assign these actions to the user: Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action Microsoft.Security/locations/jitNetworkAccessPolicies/*/read Microsoft.Compute/virtualMachines/read Microsoft.Network/networkInterfaces/*/read Microsoft.Network/publicIPAddresses/read https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage
upvoted 2 times
...
AzureAdventure
1 year, 9 months ago
Port 5986 : Windows Remote Management service (WinRM) over HTTPS Por 3389 : Remote Desktop Protocol (RDP) Port 22 : Secure Shell (SSH) Port 25 : Simple Mail Transfer Protocol (SMTP)
upvoted 6 times
...
kuskumar
1 year, 12 months ago
Port is 22 and Read access https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage#request-access-to-a-jit-enabled-vm-using-powershell
upvoted 1 times
...
zellck
2 years, 1 month ago
1. Read 2. 5986 https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks#what-permissions-are-needed-to-configure-and-use-jit https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage#enable-jit-on-your-vms-from-microsoft-defender-for-cloud The JIT VM access page opens listing the ports that Defender for Cloud recommends protecting: - 5986 - WinRM
upvoted 8 times
xRiot007
10 months ago
It also recommends protecting 22, 3389, 5985. Your response might be outdated.
upvoted 1 times
...
...
majstor86
2 years, 3 months ago
READ 5986
upvoted 2 times
...
tutonata
2 years, 3 months ago
Request JIT to a VM requires READ access on VM, not write as per docs that jpons pointed at. Port for WinRM over HTTPs is 5986 (5985 would be for plain unencrypted HTTP So: READ 5986
upvoted 1 times
...
mung
2 years, 6 months ago
question is asking what permission is required for powershell access not for the JIT. So the answer should be write not read.
upvoted 2 times
kabooze
2 years, 6 months ago
I think it's "read" just on the basis that it's about requesting JIT access. I believe the wording "access on the machine" is just badly written and should be "access to the machine"
upvoted 1 times
...
...
Anonymousse
2 years, 7 months ago
Everyone keeps posting that Read is the permission to request JIT access. And that is true, but that isn't the question is it? Isn't the question asking what permission is needed to run powershell once the connection is made?
upvoted 1 times
kabooze
2 years, 6 months ago
Look at that phrase, it's badly written. In English it would be "on the VM" not "on VM". So I think the just badly copied it and it actually should say "access to the VM". In which case it's "read".
upvoted 1 times
...
...
Eltooth
3 years, 3 months ago
Read, 5986
upvoted 3 times
...
hanyahmed
3 years, 5 months ago
Read , 5986
upvoted 1 times
...
DarkCyberGhost
3 years, 5 months ago
You need to grant users PowerShell access to the virtual machine by using JIT VM access. this isnt using powershell to grant the access but being able to use powershell through winRM hence the port is correct and write is correct as they would need to be able to run commands etc once access has been established.
upvoted 6 times
...
robdog24
3 years, 5 months ago
Read permission is to request JIT access, however, for the host to allow connection - doesn't she need write?
upvoted 3 times
...
digitalcoder
3 years, 7 months ago
READ/5986 (WinRM) not RDP Port\
upvoted 3 times
cfsxtuv33
3 years, 6 months ago
Absolutely agree...Box1: READ and Box2: 5986 (WinRM 2.0 (Microsoft Windows Remote Management).
upvoted 1 times
...
...
Jco
3 years, 8 months ago
#exam ques # 29 Sep
upvoted 3 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel