As per my last post I’ve demonstrated how to request access to JIT-enabled VM from Azure Portal. But there is a question remain, what if I got a bunches of VMs on Azure and be accessed daily by local users is that I need to request access everyday? Well, the answer is nope. Of course you don’t have to do this day by day as long as those users where accessed from same location with same public IP address. (e.g. access from the office) For rest of other user who using VM at home or café, just request for them case by case as they are accessed from public untrusted IP address, and potentially the IP address may assigned dynamically.
For check my last post regarding JIT feature on Azure, click below link.
How to using Just-In-Time (JIT) feature on Azure
How to find my office public IP address
Before we proceed further, you need to check and verify your office public IP address as in our case we’re enable users who access VDI (Virtual Desktop Infrastructure) from the office without request JIT access every time.
If you’re know the office public IP address you’ve past this and move forward to next paragraph. For folks who don’t it, a simple way is to fire up search engine to search keyword “find my ip address”. In some search engine it will displayed directly on top of results, or access third-party website like https://whatismyipaddress.com.
How to allow VDI accessed from office without request JIT every time
To implement this, follow below steps to create an inbound port rule under Networking section.
1.Login to Azure Port via https://portal.azure.com
2.Select “Virtual machines” from left panel.
3.Select one of VMs > find “Networking” section.
4.Click “Add inbound port rule” > Select “My IP address” it will displayed and updated to “Source IP address / CIDR ranges” option > Enter 3389 under “Destination port ranges”.
5.Select TCP under “Protocol” > Set a lower number in my case 1033 under “Priority” > Name your inbound rule > Adding a description if need > click Add.
6.Waiting for 2-3 mins after you’ve clicked Add button.
7.Once you saw the notification “Created security rule” pop up on upper-right corner, you may proceed to test it by access one of those VMs public IP address.
8.If successful, when trying to access the VDI with mstsc.exe it should prompt you for credential.
Notice
If you’re unable connect to your VDI after created a security rule, go check out the priority number. Trying to adjust the priority number to a lower one. (Lower number means higher priority, and vice versa).
Reference
Just-in-time virtual machine access in Microsoft Defender for Cloud | Microsoft Learn
Understanding just-in-time virtual machine access in Microsoft Defender for Cloud | Microsoft Learn
