{
	"id": "06ee962e-a058-4cac-a005-f99400d2e83c",
	"created_at": "2026-04-06T00:09:06.418828Z",
	"updated_at": "2026-04-10T03:21:57.218279Z",
	"deleted_at": null,
	"sha1_hash": "24a0b18a492dc6c20316ad750a6448769d85d288",
	"title": "Approve just-in-time access - Azure Managed Applications",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 214184,
	"plain_text": "Approve just-in-time access - Azure Managed Applications\r\nBy MSEvanhi\r\nArchived: 2026-04-05 21:21:53 UTC\r\nAs a consumer of a managed application, you might not be comfortable giving the publisher permanent access to\r\nthe managed resource group. To give you greater control over granting access to managed resources, Azure\r\nManaged Applications provides a feature called just-in-time (JIT) access. It enables you to approve when and for\r\nhow long the publisher has access to the resource group. The publisher can make required updates during that\r\ntime, but when that time is over, the publisher's access expires.\r\nThe workflow for granting access is:\r\n1. The publisher adds a managed application to the marketplace and specifies that JIT access is available.\r\n2. During deployment, you enable JIT access for your instance of the managed application.\r\n3. After deployment, you can change the settings for JIT access.\r\n4. The publisher sends a request for access.\r\n5. You approve the request.\r\nThis article focuses on the actions consumers take to enable JIT access and approve requests. To learn about\r\npublishing a managed application with JIT access, see Request just-in-time access in Azure Managed\r\nApplications.\r\n1. Sign in to the Azure portal.\r\n2. Find a marketplace entry for a managed application with JIT enabled. Select Create.\r\n3. While providing values for the new managed application, the JIT Configuration step allows you to enable\r\nor disable JIT access for the managed application. Select Yes for Enable JIT Access. This option is\r\nselected by default for managed applications that are defined with JIT enabled in the marketplace.\r\nhttps://learn.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/approve-just-in-time-access\r\nPage 1 of 5\n\nYou can only enable JIT access during deployment. If you select No, the publisher gets permanent access\r\nto the managed resource group. 
You can't enable JIT access later.\r\n4. To change the default approval settings, select Customize JIT Configuration.\r\nBy default, a managed application with JIT enabled has the following settings:\r\nApproval mode - automatic\r\nMaximum access duration - 8 hours\r\nApprovers - none\r\nWhen the approval mode is set to automatic, the approvers receive a notification for each request but the\r\nrequest is automatically approved. When set to manual, the approvers receive a notification for each\r\nrequest, and one of them must approve it.\r\nThe activation maximum duration specifies the maximum amount of time a publisher can request for\r\naccess to the managed resource group.\r\nThe approvers list is the Microsoft Entra users that can approve JIT access requests. To add an approver,\r\nselect Add Approver and search for the user.\r\nAfter updating the setting, select Save.\r\nYou can change the values for how requests are approved. However, if you didn't enable JIT access during\r\ndeployment, you can't enable it later.\r\nTo change the settings for a deployed managed application:\r\n1. In the portal, select the managed application.\r\n2. Select JIT Configuration and change the settings as needed.\r\n3. When done, select Save.\r\nWhen the publisher requests access, you're notified of the request. You can approve JIT access requests either\r\ndirectly through the managed application, or across all managed applications through the Microsoft Entra\r\nPrivileged Identity Management service. To use just-in-time access, you must have a Microsoft Entra ID P2\r\nlicense.\r\nTo approve requests through the managed application:\r\n1. Select JIT Access for the managed application, and select Approve Requests.\r\n2. 
Select the request to approve.\r\n3. In the form, provide the reason for the approval and select Approve.\r\nTo approve requests through Microsoft Entra Privileged Identity Management:\r\n1. Select All services and begin searching for Microsoft Entra Privileged Identity Management. Select it\r\nfrom the available options.\r\n2. Select Approve requests.\r\n3. Select Azure managed applications, and select the request to approve.\r\nTo learn about publishing a managed application with JIT access, see Request just-in-time access in Azure\r\nManaged Applications.\r\nSource: https://learn.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/approve-just-in-time-access",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://learn.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/approve-just-in-time-access"
	],
	"report_names": [
		"approve-just-in-time-access"
	],
	"threat_actors": [],
	"ts_created_at": 1775434146,
	"ts_updated_at": 1775791317,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/24a0b18a492dc6c20316ad750a6448769d85d288.pdf",
		"text": "https://archive.orkl.eu/24a0b18a492dc6c20316ad750a6448769d85d288.txt",
		"img": "https://archive.orkl.eu/24a0b18a492dc6c20316ad750a6448769d85d288.jpg"
	}
}