Zero Trust access to an Azure VM through double Just-in-Time access: at the identity authorization level and at the network access level.
Steps to create the initial environment
Create Resource Group
Create VNet with two subnets (see *note below)
- VMsSubnet -
- AzureBastionSubnet -
Create VM (see *note below)
- Use Image: [smalldisk] Windows Server 2022 Datacenter - Gen2
- Use Subnet: VMsSubnet
Create NSG (see *note below)
- NSG name is: VMsSubnetNSG
- Assign it to VMsSubnet
- Use this website to identify your public IP if you need to lock the RDP port to your IP address only.
Create Bastion; use this template to deploy Azure Bastion.
Create sample users in Azure AD (using the template provided in Assets)
Create a sample group (HR Helpdesk) in Azure AD, and add Kim Smith as a member.
Set up MFA for the Kim Smith account.
Note: The templates referenced in Steps 1, 2 and 3 are in their as-exported state. They are meant to clarify details during the deployment; they still need some cleanup before they are deployable.
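The infrastructure steps above, as an added Azure CLI script that is not part of this repository's assets or exported templates. The subnet names (VMsSubnet, AzureBastionSubnet) and the NSG name (VMsSubnetNSG) come from the steps; the resource group, VNet, VM, region, address prefixes and admin user name are assumptions, and the image URN is my mapping of the portal label "[smalldisk] Windows Server 2022 Datacenter - Gen2". Nothing is sent to Azure unless the script is invoked with `--deploy <your public IP>`; the `single_host_prefix` helper validates the address found in the IP-lookup step and turns it into the /32 prefix the RDP allow rule needs. The VM gets no public IP, so the only way in is Bastion and, later, the JIT rules layered on top of this NSG.

```shell
#!/usr/bin/env sh
# Added example (not from the original repo): builds the lab environment with Azure CLI.
# Values marked ASSUMED are not on the page; the subnet and NSG names are.
set -eo pipefail

RG="${RG:-ZeroTrustJitLab-rg}"              # ASSUMED resource group name
LOCATION="${LOCATION:-westeurope}"           # ASSUMED region
VNET="${VNET:-ZeroTrustJitLab-vnet}"         # ASSUMED VNet name
VNET_PREFIX="10.10.0.0/16"                   # ASSUMED address space
VMS_SUBNET_PREFIX="10.10.1.0/24"             # ASSUMED; page lists VMsSubnet without a prefix
BASTION_SUBNET_PREFIX="10.10.255.0/26"       # ASSUMED; /26 is the smallest Bastion accepts
VM_NAME="${VM_NAME:-jitlab-vm01}"            # ASSUMED
ADMIN_USER="${ADMIN_USER:-labadmin}"         # ASSUMED
NSG="VMsSubnetNSG"                           # from the page
# ASSUMED mapping of "[smalldisk] Windows Server 2022 Datacenter - Gen2" to a URN
VM_IMAGE="MicrosoftWindowsServer:WindowsServer:2022-datacenter-smalldisk-g2:latest"

# Validate a dotted-quad IPv4 address and print it as a /32 source prefix
# for the NSG rule. Returns 1 (and prints nothing) on malformed input.
single_host_prefix() {
  ip=$1
  old_ifs=$IFS
  IFS=.
  set -- $ip                      # split on dots only
  IFS=$old_ifs
  [ $# -eq 4 ] || { echo "invalid IPv4: $ip" >&2; return 1; }
  for octet in "$@"; do
    case $octet in
      ''|*[!0-9]*) echo "invalid IPv4: $ip" >&2; return 1 ;;
    esac
    [ "$octet" -le 255 ] || { echo "invalid IPv4: $ip" >&2; return 1; }
  done
  printf '%s/32\n' "$ip"
}

deploy_environment() {
  rdp_source=$(single_host_prefix "$1")
  : "${ADMIN_PASSWORD:?set ADMIN_PASSWORD in the environment (never on the command line)}"

  az group create --name "$RG" --location "$LOCATION" --output none

  # VNet with the two subnets; the Bastion subnet must be named exactly AzureBastionSubnet.
  az network vnet create --resource-group "$RG" --name "$VNET" \
    --address-prefix "$VNET_PREFIX" \
    --subnet-name VMsSubnet --subnet-prefixes "$VMS_SUBNET_PREFIX" --output none
  az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
    --name AzureBastionSubnet --address-prefixes "$BASTION_SUBNET_PREFIX" --output none

  # NSG on VMsSubnet: RDP only from the operator's address. Bastion reaches the VM from
  # inside the VNet (covered by the default AllowVnetInBound rule); everything else
  # inbound falls through to the default DenyAllInBound rule.
  az network nsg create --resource-group "$RG" --name "$NSG" --output none
  az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name AllowRdpFromMyIp --priority 100 --direction Inbound --access Allow \
    --protocol Tcp --source-address-prefixes "$rdp_source" \
    --destination-port-ranges 3389 --output none
  az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name VMsSubnet --network-security-group "$NSG" --output none

  # VM in VMsSubnet with no public IP and no NIC-level NSG: the subnet NSG is the control point.
  az vm create --resource-group "$RG" --name "$VM_NAME" --image "$VM_IMAGE" \
    --vnet-name "$VNET" --subnet VMsSubnet --public-ip-address "" --nsg "" \
    --admin-username "$ADMIN_USER" --admin-password "$ADMIN_PASSWORD" --output none

  # Bastion requires a Standard-SKU static public IP.
  az network public-ip create --resource-group "$RG" --name "${VNET}-bastion-pip" \
    --sku Standard --allocation-method Static --output none
  az network bastion create --resource-group "$RG" --name "${VNET}-bastion" \
    --vnet-name "$VNET" --public-ip-address "${VNET}-bastion-pip" \
    --location "$LOCATION" --output none
}

# Only touch Azure when explicitly asked: ./lab.sh --deploy 203.0.113.7
if [ "${1:-}" = "--deploy" ]; then
  deploy_environment "${2:?public IP address required}"
fi
```

Run it with the address the IP-lookup step gave you as the second argument; the password is read from `ADMIN_PASSWORD` so it never lands in shell history. The lock-to-your-IP rule is the static baseline; the JIT policy added later opens and closes 3389 on top of it per approved request.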
Check the "Assets" directory
- Custom Role Definition (Virtual-Machine-JIT-User-Access.json)
- Template for creating sample users in Azure AD (UserCreateTemplate.csv)
- Azure ARM Exported Templates for creating VNet, VM and NSG (Exported Templates)