Exam AZ-801 topic 1 question 28 discussion

"JIT requires an NSG to be configured or a Firewall configuration (or both)" From here: https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage There's no mention of Azure Firewall in the question, so an NSG would be required.

From what I've gathered, you would need the owner rule IF Microsoft Defender for Servers was not already enabled because you would need that to configure "Microsoft Defender for Cloud, Enhanced Security Management" which is presently just called "Microsoft Defender for Cloud". So if you don't need the owner role nor the "Enable enhanced...", that just leaves us with A. and D. which is definetely out of the question.

A. Create a network security group (NSG).

answer is A

The answer is A. Owner: Has full access to all resources, including the right to delegate access to others. Contributor: You can create and manage all types of Azure resources, but you cannot grant access to others. You don't need to be an owner in this case.

I think its A, NSG

contributor rights alone do not allow you to enable Just-In-Time (JIT) access in an Azure subscription. JIT access involves managing access to specific resources for a limited time window. To enable JIT, you need additional permissions related to security management and resource access control.

https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage Just-in-time VM access shows your VMs grouped into: Configured - VMs configured to support just-in-time VM access, and shows: - the number of approved JIT requests in the last seven days - the last access date and time - the connection details configured the last user Not configured - VMs without JIT enabled, but that can support JIT. We recommend that you enable JIT for these VMs. Unsupported - VMs that don't support JIT because: - Missing network security group (NSG) or Azure Firewall - JIT requires an NSG to be configured or a Firewall configuration (or both) - Classic VM - JIT supports VMs that are deployed through Azure Resource Manager. - Other - The JIT solution is disabled in the security policy of the subscription or the resource group.

According to Copilot, The Contributor-role on the Subscription level should suffice to perform all the steps required to configure JIT. You do need to configure NSG rules though, so my answer would be A.

Owner role is required to enable JIT

isn't it B?

Correct, below are the prerequisites: You’ll need: 1.) An Azure Subscription 2.) Logged into the Azure Portal with an Azure account with the Subscription Owner role. 3.) A Standard Azure Defender plan. You can sign up while logged into the Azure Portal via Azure Security Center. 4.) Azure Cloud Shell or PowerShell. Be sure you log in once to create the storage account it needs at least once. 5.) The Azure Defender service enabled. Part of Azure Security Center, you’ll need to first enable it on your subscription. Azure Security Permissions - https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions