Description
Users with the "Least Privileged JIT Requestor" role, created via the Set-JitLeastPrivilegedRole.ps1 script, receive a NetworkWatcherCountLimitReached, Authorization Failed, or generic "Permission Denied" error when attempting to request JIT access in the Azure Portal.
The Azure Portal UI changes for JIT now show a pre-flight validation against the regional Network Watcher to verify NSG rule application. Currently, the script does not include Microsoft.Network/networkWatchers/*, causing the JIT request blade to show an error even though the JIT request successfully completes and the permissions are sufficient to create a request.
I would like the Set-JitLeastPrivilegedRole.ps1 script in the Microsoft-Defender-for-Cloud/Powershell scripts/JIT Scripts/ directory to be updated to include the following permission in the custom role definition:
Microsoft.Network/networkWatchers/
This will allow the Portal to successfully discover the existing regional Network Watcher and proceed with the JIT request without attempting to create a new one or showing an error due to lack of visibility.
Workarounds:
Manual Role Editing: Manually adding the permission to the role after script execution.
IAM edits: Adding the Role to the permissions of all regional Network Watchers
Additional context
Since the latest portal update, JIT initiation has moved from a simple "inline" button on the Connect blade to a more integrated validation workflow. Without access to the Network Watchers, the UI cannot confirm that the "Deny All" rules can be safely bypassed, leading to the [Authorization Failed] or [NetworkWatcherCountLimitReached] error as the portal tries to "find or fix" the watcher instance it cannot see.
I have tested these additional permissions out to resolve this issue:
"Microsoft.Network/networkWatchers/read"
"Microsoft.Network/networkWatchers/write"
"Microsoft.Network/networkWatchers/networkConfigurationDiagnostic/read"
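The "Manual Role Editing" workaround above, as an added example that is not part of the Set-JitLeastPrivilegedRole.ps1 script or the Microsoft-Defender-for-Cloud repository: it reads the existing custom role, appends only the three Network Watcher actions listed in this issue that are still missing, and writes the definition back. It assumes the Az.Accounts and Az.Resources modules are installed, that Connect-AzAccount has already been run, and that the custom role is named "Least Privileged JIT Requestor" as described above (pass -RoleName if the script in your tenant uses a different name).

```powershell
# Added example (not code from Set-JitLeastPrivilegedRole.ps1): grant an existing
# custom role the Network Watcher actions needed by the Portal's JIT pre-flight check.
# Assumptions: Az.Accounts + Az.Resources are installed and Connect-AzAccount has run;
# the role name matches the one the script created.
param(
    [string]$RoleName = 'Least Privileged JIT Requestor'
)

# The three actions reported in this issue as resolving the Portal error.
$requiredActions = @(
    'Microsoft.Network/networkWatchers/read',
    'Microsoft.Network/networkWatchers/write',
    'Microsoft.Network/networkWatchers/networkConfigurationDiagnostic/read'
)

# Get-AzRoleDefinition returns a PSRoleDefinition whose Actions property is a
# mutable List<string>, so it can be edited in place and written back.
$role = Get-AzRoleDefinition -Name $RoleName
if (-not $role) {
    throw "Custom role '$RoleName' was not found in the current subscription context."
}
if (-not $role.IsCustom) {
    throw "Role '$RoleName' is a built-in role and cannot be modified."
}

# Only add what is missing, so re-running the script is idempotent.
$missing = @($requiredActions | Where-Object { $role.Actions -notcontains $_ })
if ($missing.Count -eq 0) {
    Write-Host "Role '$RoleName' already grants all required Network Watcher actions."
    return
}

foreach ($action in $missing) {
    Write-Host "Adding action: $action"
    $role.Actions.Add($action)
}

# Set-AzRoleDefinition -Role accepts the PSRoleDefinition object directly.
Set-AzRoleDefinition -Role $role | Out-Null

# Re-read and show the effective Network Watcher actions on the role.
Write-Host "Network Watcher actions now on '$RoleName':"
(Get-AzRoleDefinition -Name $RoleName).Actions |
    Where-Object { $_ -like 'Microsoft.Network/networkWatchers/*' }
```

The role's existing AssignableScopes are kept as-is, so the new actions apply wherever the role is already assignable. Note that Microsoft.Network/networkWatchers/write also lets requestors create or modify Network Watchers at that scope; check in your own tenant whether read plus networkConfigurationDiagnostic/read is enough before granting write.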
