Exam SC-200
Question 105

You have an Azure subscription that uses Microsoft Defender for Cloud and contains a resource group named RG1. RG1 contains 20 virtual machines that run Windows Server 2019.

You need to configure just-in-time (JIT) access for the virtual machines in RG1. The solution must meet the following requirements:

• Limit the maximum request time to two hours.

• Limit protocols access to Remote Desktop Protocol (RDP) only.

• Minimize administrative effort.

What should you use?

    Correct Answer: B

    To configure just-in-time (JIT) access for the virtual machines in a resource group, limiting access to specific protocols like RDP and setting the maximum request time, Azure Policy is the appropriate tool. Azure AD Privileged Identity Management (PIM) is used for managing role assignments and does not control network access. Azure Bastion provides secure and seamless RDP and SSH access to VMs but does not support setting a time limit for access requests. Azure Front Door is unrelated as it is used for load balancing and web traffic routing.
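As an added example that is not part of the original page, the script below expresses the two stated requirements as one Defender for Cloud JIT network access policy covering every VM in RG1: only TCP/3389 (RDP) may be requested, and a request can last at most two hours (`PT2H`, ISO 8601). It is Az PowerShell, the shell such administration is normally typed into; it assumes the Az.Accounts, Az.Compute and Az.Security modules are installed and you are already signed in, that RG1 exists, and that `<subscription-id>` is replaced with the real value. The policy name `default` and the `Basic` kind follow the cmdlet's documented usage; everything else (variable names, the verification loop) is this example's own.

```powershell
# Added example, not code from the page. Builds one Defender for Cloud JIT policy per
# region that covers every VM in RG1, allows only RDP (TCP/3389) and caps each access
# request at two hours. Requires Az.Accounts, Az.Compute and Az.Security.

$ResourceGroup  = 'RG1'
$SubscriptionId = '<subscription-id>'   # placeholder: replace with your subscription id

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# Requirement 1 and 2: RDP only, maximum request time two hours.
# allowedSourceAddressPrefix '*' is an assumption; narrow it to your admin network if you can.
$RdpRule = @{
    number                     = 3389
    protocol                   = 'TCP'
    allowedSourceAddressPrefix = @('*')
    maxRequestAccessDuration   = 'PT2H'
}

$Vms = Get-AzVM -ResourceGroupName $ResourceGroup

# A JIT policy is scoped to one resource group and one location, so group the VMs by region.
# One policy per region is the least administrative effort: no per-VM configuration.
$Vms | Group-Object -Property Location | ForEach-Object {
    $Location  = $_.Name
    $PolicyVms = @($_.Group | ForEach-Object { @{ id = $_.Id; ports = @($RdpRule) } })

    Set-AzJitNetworkAccessPolicy -Kind 'Basic' `
        -Location $Location `
        -Name 'default' `
        -ResourceGroupName $ResourceGroup `
        -VirtualMachine $PolicyVms | Out-Null

    Write-Host "JIT policy 'default' set in $ResourceGroup ($Location) for $($PolicyVms.Count) VM(s)"
}

# Verification: read the stored policy back and flag any rule that is not TCP/3389
# or that allows longer than two hours.
$TwoHours = [TimeSpan]::FromHours(2)
Get-AzJitNetworkAccessPolicy -ResourceGroupName $ResourceGroup | ForEach-Object {
    foreach ($vm in $_.VirtualMachines) {
        $vmName = ($vm.Id -split '/')[-1]
        foreach ($port in $vm.Ports) {
            $duration = [System.Xml.XmlConvert]::ToTimeSpan($port.MaxRequestAccessDuration)
            $ok = ($port.Number -eq 3389) -and ($port.Protocol -eq 'TCP') -and ($duration -le $TwoHours)
            $state = if ($ok) { 'OK' } else { 'REVIEW' }
            "{0,-7} {1,-20} {2}/{3} max {4}" -f $state, $vmName, $port.Protocol, $port.Number, $port.MaxRequestAccessDuration
        }
    }
}
```

Run it once; rerunning it is safe because `Set-AzJitNetworkAccessPolicy` replaces the policy of the same name rather than adding a second one. The verification loop is what a reviewer would want after the change: it reads back what Defender for Cloud actually stored, so a VM that was added to RG1 after the policy was created (and is therefore not covered) or a rule someone widened later shows up as missing or as `REVIEW`.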

Discussion
Walaakb (Option: B)

Correct me if I'm wrong, but Bastion does not seem to allow a time limit. I'm going with B.

Ramye

Also the requirement is to use RDP only, so Bastion can’t be an answer because with Bastion you do not connect with RDP protocol.

uday1985

You can configure the rules to allow only RDP, but JIT is not possible.

Sekpluz

With Bastion Standard, you can connect with RDP on Windows and SSH on Linux; the basic Bastion is only SSL from the web browser.

exmITQS (Option: C)

To meet the given requirements, you should use Azure Bastion to configure just-in-time (JIT) access for the virtual machines in RG1. Azure Bastion provides secure and seamless RDP and SSH access to virtual machines over a web browser and eliminates the need for a public IP address. It simplifies the process of connecting to virtual machines by allowing users to connect directly to virtual machines through the Azure portal. To enable JIT access with Azure Bastion, you can create a JIT policy that defines the rules for access, including limiting access to specific protocols like RDP and setting the maximum request time to two hours. This can be done using the Azure portal or Azure CLI, and once the policy is created, Azure Bastion will automatically enforce the access rules when users try to connect to the virtual machines.

jwkin

I agree. https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage

sebas12345

The link you shared doesn't mention anything about Bastion !

D_PaW (Option: B)

A. Azure AD Privileged Identity Management (PIM) - only allows you to specify the time limit, not network control.
B. Azure Policy - controls JIT and many other Azure resources (Correct).
C. Azure Bastion - Bastion has no time limit and supports port 22 (SSH) as well; it only protects the network through a Bastion host.
D. Azure Front Door - a load balancer; has nothing to do with JIT for VMs.
https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage
https://learn.microsoft.com/en-us/azure/architecture/solution-ideas/articles/multilayered-protection-azure-vm

donathon (Option: B)

A. Azure AD Privileged Identity Management (PIM) >> You cannot restrict to protocol.
B. Azure Policy >> Looks like the answer.
C. Azure Bastion >> You cannot limit the time using this.
D. Azure Front Door >> Not for this purpose.

billo79152718 (Option: B)

I will go for B

Durden871 (Option: C)

From another exam site, which says "Bastion": To meet the given requirements, you should use Azure Bastion to configure just-in-time (JIT) access for the virtual machines in RG1. Azure Bastion provides secure and seamless RDP and SSH access to virtual machines over a web browser and eliminates the need for a public IP address. It simplifies the process of connecting to virtual machines by allowing users to connect directly to virtual machines through the Azure portal. To enable JIT access with Azure Bastion, you can create a JIT policy that defines the rules for access, including limiting access to specific protocols like RDP and setting the maximum request time to two hours. This can be done using the Azure portal or Azure CLI, and once the policy is created, Azure Bastion will automatically enforce the access rules when users try to connect to the virtual machines.

Durden871 (Option: B)

This is a stupid question. Bastion is the best fit for security purposes to allow RDP access to a machine without exposing it to the internet. There is no option for JIT in Bastion. In order to set this up, you need a policy. Now, does that mean Azure Policy?

1. Navigate to Microsoft Defender for Cloud in the Azure portal.
2. Go to the Just-in-time VM access section under Configuration & management.
3. Select the virtual machines in RG1 you want to configure JIT for.
4. Configure the JIT policy: set the maximum request time to 2 hours and specify RDP (port 3389) as the allowed protocol.
5. Save the configuration.

Ramye (Option: B)

Answer is B since one of the requirements is to use RDP only. With Bastion you don't connect using RDP and Microsoft specifically mentions not to use RDP as the requirement.

Jay_13

Azure Bastion is a fully managed PaaS service that you provision to securely connect to virtual machines via private IP address. It provides secure and seamless RDP/SS… Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtual network for which it's provisioned.

itsadel (Option: C)

Azure Bastion provides secure and seamless RDP and SSH access to Azure virtual machines directly through the Azure portal. It acts as a jump server or a bastion host, eliminating the need to expose public IP addresses or configure virtual private networks (VPNs) for remote access.

Marchiano (Option: B)

There are no references to Azure Bastion in the SC-200 MS Learn course.

Marchiano

I have changed my mind to A. Azure AD Privileged Identity Management (PIM). With PIM you can set the "Activation maximum duration", and since you are looking to configure JIT, which can restrict the ports, it makes more sense to me to go through this path. Why configure an Azure Policy when the scenario specifies that you are looking to configure JIT? So PIM and JIT can provide what is requested.

https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-change-default-settings
"Use the Activation maximum duration slider to set the maximum time, in hours, that an activation request for a role assignment remains active before it expires. This value can be from one to 24 hours."

https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage
"JIT lets you allow access to your VMs only when the access is needed, on the ports needed, and for the period of time needed."

promto (Option: B)

Defender JIT Policy

xoe123 (Option: C)

Know that Azure Bastion and JIT access cannot be used together. If you enable Azure Bastion with an existing JIT access policy enabled on a VM, the bastion host will not connect to the target machine and you will get a connection error! https://dev.to/adbertram/how-to-enable-and-configure-azure-jit-for-vms-4a26

Gurulee (Option: B)

I'd go with Azure Policy since Bastion alone does not support all the requirements listed in the question. Azure Bastion and just-in-time (JIT) access are two different technologies.

estyj

You can set up a JIT network access policy for the resource group. https://learn.microsoft.com/en-us/rest/api/defenderforcloud/jit-network-access-policies?view=rest-defenderforcloud-2020-01-01

chepeerick (Option: B)

Azure Policy

Vika_1 (Option: B)

If I read this article correctly, then it can be accomplished by configuring the policy: https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage

donathon (Option: B)

Azure Policy makes more sense.