Enable and request just-in-time access for Azure Managed Applications
Consumers of your managed application might be reluctant to grant you permanent access to the managed resource group. As a publisher of a managed application, you might prefer that consumers know exactly when you need to access the managed resources. To give consumers greater control over granting access to managed resources, Azure Managed Applications provides a feature called just-in-time (JIT) access.
JIT access enables you to request elevated access to a managed application's resources for troubleshooting or maintenance. You always have read-only access to the resources, but for a specific time period you can have greater access.
The workflow for granting access is:
1. You add a managed application to the marketplace and specify that JIT access is available.
2. During deployment, the consumer enables JIT access for that instance of the managed application.
3. After deployment, the consumer can change the settings for JIT access.
4. You send a request for access when you need to troubleshoot or update the managed resources.
5. The consumer approves your request.
This article focuses on the actions publishers take to enable JIT access and submit requests. To learn about approving JIT access requests, see Approve just-in-time access in Azure Managed Applications.
Add JIT access step to UI
In your CreateUiDefinition.json file, include a step that lets consumers enable JIT access. To support JIT capability for your offer, add the following content to your CreateUiDefinition.json file.
In "steps":
{
  "name": "jitConfiguration",
  "label": "JIT Configuration",
  "subLabel": {
    "preValidation": "Configure JIT settings for your application",
    "postValidation": "Done"
  },
  "bladeTitle": "JIT Configuration",
  "elements": [
    {
      "name": "jitConfigurationControl",
      "type": "Microsoft.Solutions.JitConfigurator",
      "label": "JIT Configuration"
    }
  ]
}
In "outputs":
"jitAccessPolicy": "[steps('jitConfiguration').jitConfigurationControl]"
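The jitAccessPolicy output only works if it names the same step and control that hold the JitConfigurator element, so a renamed step silently breaks the link. The following check is an added example, not code from the original article or from Microsoft; the function names are hypothetical, and it assumes "steps" and "outputs" sit under the file's top-level "parameters" object. The sample input is constructed from the snippets above.

```python
import json

JIT_TYPE = "Microsoft.Solutions.JitConfigurator"

def check_jit_wiring(ui_definition_text):
    """Return a list of problems; an empty list means the JIT step and output agree."""
    doc = json.loads(ui_definition_text)
    # Assumption: "steps" and "outputs" sit under the top-level "parameters" object.
    params = doc.get("parameters", {})
    # Every (step name, element name) pair that hosts a JitConfigurator control.
    controls = [
        (step.get("name"), element.get("name"))
        for step in params.get("steps", [])
        for element in step.get("elements", [])
        if element.get("type") == JIT_TYPE
    ]
    problems = []
    if not controls:
        problems.append("no step contains an element of type " + JIT_TYPE)
    policy = params.get("outputs", {}).get("jitAccessPolicy")
    if policy is None:
        problems.append('outputs has no "jitAccessPolicy" entry')
    elif controls:
        # The output must reference one of the controls found above.
        expected = ["[steps('%s').%s]" % pair for pair in controls]
        if policy not in expected:
            problems.append("jitAccessPolicy is %r, expected %s"
                            % (policy, " or ".join(expected)))
    return problems

def sample_definition(step_name, output_expr):
    """Constructed sample built from the step and output shown in this article."""
    step = {
        "name": step_name,
        "label": "JIT Configuration",
        "elements": [{"name": "jitConfigurationControl", "type": JIT_TYPE,
                      "label": "JIT Configuration"}],
    }
    outputs = {"jitAccessPolicy": output_expr} if output_expr else {}
    return json.dumps({"parameters": {"steps": [step], "outputs": outputs}})

if __name__ == "__main__":
    good = "[steps('jitConfiguration').jitConfigurationControl]"
    print(check_jit_wiring(sample_definition("jitConfiguration", good)))  # consistent
    print(check_jit_wiring(sample_definition("jitSettings", good)))       # renamed step
    print(check_jit_wiring(sample_definition("jitConfiguration", None)))  # missing output
```

Running a check like this in the packaging pipeline catches a mismatch before the offer is published.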
Enable JIT access
When creating your offer in Partner Center, make sure you enable JIT access.
1. Sign in to the Commercial Marketplace portal in Partner Center.
2. For guidance on creating a new managed application, follow the steps in Create an Azure application offer.
3. On the Technical configuration page, select the Enable just-in-time (JIT) access checkbox.
You added a JIT configuration step to your UI, and enabled JIT access in the commercial marketplace offering. When consumers deploy your managed application, they can turn on JIT access for their instance.
Request access
When you need to access the consumer's managed resources, you send a request for a specific role, time, and duration. The consumer must then approve the request.
To send a JIT access request:
1. Select JIT Access for the managed application you need to access.
2. Select Eligible Roles, and select Activate in the ACTION column for the role you want.
3. On the Activate Role form, select a start time and duration for your role to be active. Select Activate to send the request.
4. View the notifications to see that the new JIT request is successfully sent to the consumer.
Now, you must wait for the consumer to approve your request.
To view the status of all JIT requests for a managed application, select JIT Access and Request History.
Known issues
The principal ID of the account requesting JIT access must be explicitly included in the managed application definition. Including the account only through a group that is specified in the package isn't sufficient. This limitation will be fixed in a future release.
Next steps
To learn about approving requests for JIT access, see Approve just-in-time access in Azure Managed Applications.