Set-JitLeastPrivilegedRole.ps1 add "Microsoft.Network/networkWatchers/" permissions #1020

@rivir

Description

Users with the "Least Privileged JIT Requestor" role, created via the Set-JitLeastPrivilegedRole.ps1 script, receive a NetworkWatcherCountLimitReached, Authorization Failed, or generic "Permission Denied" error when attempting to request JIT access in the Azure Portal.
Azure Portal UI changes for JIT now show a pre-flight validation against the regional Network Watcher to verify NSG rule application. Currently, the script does not include `Microsoft.Network/networkWatchers/*`, causing the JIT request blade to show an error even though the JIT request successfully completes and the permissions are sufficient to create a request.

I would like the Set-JitLeastPrivilegedRole.ps1 script in the `Microsoft-Defender-for-Cloud/Powershell scripts/JIT Scripts/` directory to be updated to include the following permission in the custom role definition:

`Microsoft.Network/networkWatchers/*`

This will allow the Portal to successfully discover the existing regional Network Watcher and proceed with the JIT request without attempting to create a new one or showing an error due to lack of visibility.

Workarounds:

- Manual Role Editing: Manually adding the permission to the role after script execution.
- IAM edits: Adding the Role to the permissions of all regional Network Watchers.

Additional context
Since the latest portal update, JIT initiation has moved from a simple "inline" button on the Connect blade to a more integrated validation workflow. Without access to the Network Watchers, the UI cannot confirm that the "Deny All" rules can be safely bypassed, leading to the [Authorization Failed] or [NetworkWatcherCountLimitReached] error as the portal tries to "find or fix" the watcher instance it cannot see.

I have tested these additional permissions to resolve this issue:

- `Microsoft.Network/networkWatchers/read`
- `Microsoft.Network/networkWatchers/write`
- `Microsoft.Network/networkWatchers/networkConfigurationDiagnostic/read`
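The "Manual Role Editing" workaround above can be made repeatable and auditable with a small check-and-add script. The following is an added example written for this page; it is not code from the issue reporter or from the Microsoft-Defender-for-Cloud repository. It assumes the Az.Resources module is installed, `Connect-AzAccount` has already been run against the right tenant, and that the custom role is named "Least Privileged JIT Requestor" as the issue states (if Set-JitLeastPrivilegedRole.ps1 names it differently, pass `-RoleName`). The default permission list is the set the reporter tested; it is deliberately explicit rather than the `networkWatchers/*` wildcard so the role stays as narrow as the portal workflow needs.

```powershell
# Added example: verify that the JIT requestor custom role grants the Network Watcher
# actions the portal's pre-flight validation needs, and add only the ones that are missing.
# Assumptions: Az.Resources is installed, Connect-AzAccount has been run, and $RoleName
# matches the role created by Set-JitLeastPrivilegedRole.ps1.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$RoleName = 'Least Privileged JIT Requestor',

    # Permission set the issue reporter tested. Trim it if read access alone proves
    # sufficient in your tenant; 'write' allows the principal to create or modify watchers.
    [string[]]$RequiredActions = @(
        'Microsoft.Network/networkWatchers/read',
        'Microsoft.Network/networkWatchers/write',
        'Microsoft.Network/networkWatchers/networkConfigurationDiagnostic/read'
    )
)

$role = Get-AzRoleDefinition -Name $RoleName
if (-not $role) {
    throw "Custom role '$RoleName' not found. Run Set-JitLeastPrivilegedRole.ps1 first."
}

# An action is already covered when some entry in Actions matches it (literally or via a
# wildcard such as Microsoft.Network/networkWatchers/*) and no NotActions entry excludes it.
# RBAC wildcards use '*' glob semantics, which PowerShell's -like operator also understands.
$missing = foreach ($action in $RequiredActions) {
    $granted = $role.Actions    | Where-Object { $action -like $_ }
    $denied  = $role.NotActions | Where-Object { $action -like $_ }
    if ($granted -and -not $denied) {
        Write-Verbose "Already granted: $action"
    } else {
        $action
    }
}

if (-not $missing) {
    Write-Host "Role '$RoleName' already grants all required Network Watcher actions; nothing to do."
    return
}

Write-Host "Role '$RoleName' is missing the following actions:"
$missing | ForEach-Object { Write-Host "  $_" }

# -WhatIf on the script previews the change without calling Set-AzRoleDefinition.
if ($PSCmdlet.ShouldProcess($RoleName, "Add $(@($missing).Count) Network Watcher action(s)")) {
    foreach ($action in $missing) { $role.Actions.Add($action) }
    Set-AzRoleDefinition -Role $role | Out-Null
    Write-Host "Updated role '$RoleName'."
}
```

Run it once with `-WhatIf` to see which actions would be added, then again without it to apply them. Because the script compares against the role's existing `Actions` and `NotActions` rather than blindly appending, it is safe to re-run after the upstream script is updated: once the repository's role definition includes the Network Watcher permissions, the script reports nothing to do.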

