Exam AZ-800 topic 4 question 7 discussion

JIT lets you allow access to your VMs only when the access is needed, on the ports needed, and for the period of time needed C is correct

both A (NSG) and C (Defender for Cloud) could be considered correct, depending on the perspective taken to address the requirements. Why both could be correct: A. Network Security Group (NSG): The NSG is a direct solution for limiting access from specific IP addresses and restricting access to a specific management port. However, it cannot independently require administrators to request access (the first requirement). In this case, it lacks the "Just-In-Time Access" functionality. C. Microsoft Defender for Cloud: Defender for Cloud, with its Just-In-Time (JIT) VM Access feature, fulfills the requirement of requiring administrators to request access before connecting. However, Defender for Cloud also relies on NSGs to limit traffic from specific IP addresses and to specific ports. Therefore, it indirectly covers the other two requirements.

Microsoft Defender for Cloud (formerly known as Azure Security Center) indeed provides a comprehensive solution that can meet all three requirements: Just-In-Time (JIT) VM Access: This feature allows you to require administrators to request access before establishing a Remote Desktop connection, enhancing security by reducing the attack surface. Network Security Group (NSG) Management: Defender for Cloud can help you manage NSGs to limit access to specific source IP addresses and ports, ensuring that only authorized traffic can reach your VM. So, the correct choice is: C. Microsoft Defender for Cloud This option effectively combines JIT access with NSG management to provide a robust security solution for your VM.

C. Microsoft Defender for Cloud This choice effectively meets all three requirements by allowing you to implement JIT access (requiring requests for RDP connections), manage IP restrictions through NSGs, and limit management port access securely.

Microsoft Defender for Cloud’s Just-in-Time (JIT) VM access feature1 indeed meets all the requirements listed: It requires administrators to request access to VM1 before establishing a Remote Desktop connection. It allows you to limit access to VM1 from specific source IP addresses. It enables you to limit access to VM1 to a specific management port. So, the correct answer should be: C. Microsoft Defender for Cloud https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage

A&C? Not a double? Strange... None of them, alone, help us to achieve the goal. If forced to choose one opion only, I'd say C, but port? IP?

To meet the specified requirements, you should configure a network security group (NSG). NSGs allow you to filter network traffic to and from Azure resources, including virtual machines (VMs). You can define rules within the NSG to control inbound and outbound traffic based on source and destination IP addresses, as well as specific ports. Option A. a network security group (NSG) is the correct choice as it allows you to:

C is correct. Jit

https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

Given answer is correct

Its C - look at the link Just in time access request is for Defender for the cloud - https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage?tabs=jit-config-asc%2Cjit-request-asc

I would say B