When logging in to the Azure portal, Azure REST APIs, Azure PowerShell, or Azure CLI, the user is verified against Azure AD. A conditional access policy for Azure AD is implemented if authentication is successful. This policy checks to see if the user satisfies specified requirements. Examples include signing in from a recognizable place or using a managed device. Conditional Access gives the user access to Azure via the Azure portal or another interface if they meet the requirements.
Identity-based just-in-time access:
Azure AD PIM gives the user a custom role of type eligible during authorization. The eligibility is constrained to the necessary resources, and the position is temporary rather than ongoing. The user makes a request for this role's activation through the Azure PIM interface within a predetermined time limit. The user may be prompted for multifactor authentication to confirm identity or an approval workflow may begin in response to that request. A second person must approve the request in a workflow approval process. The user cannot move on to the next step if the custom role is not allocated to them.
Network based just-in-time access:
The user's identity is momentarily tied to the custom role upon authentication and permission. The user then asks for access to JIT VM. The Azure Bastion subnet opens a connection on port 3389 for RDP or port 22 for SSH when you have access to that. The VM network interface card (NIC) or the VM NIC subnet is directly connected. By leveraging that connection, Azure Bastion starts an internal RDP session. The session is secured from public internet access and is only accessible within the Azure virtual network.
Connecting to the Azure VM:
With the use of a temporary token, the user can access Azure Bastion. The user creates an indirect RDP connection to the Azure VM using this service. There is a time limit on how long the connection will last.