Merge pull request #267531 from dcurwin/fix-formatting-feb28-2024

prmerger-automator[bot] · web-flow · commit 63048b83df1b · 2024-02-28T08:41:17.000Z
Fix formatting
diff --git a/articles/defender-for-cloud/integration-defender-for-endpoint.md b/articles/defender-for-cloud/integration-defender-for-endpoint.md
@@ -64,6 +64,6 @@ A Defender for Endpoint tenant is automatically created, when you use Defender f
 
 - **Moving subscriptions:** If you've moved your Azure subscription between Azure tenants, some manual preparatory steps are required before Defender for Cloud will deploy Defender for Endpoint. For full details, [contact Microsoft support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview).
 
-## Next Steps
+## Next step
 
-[Enable the Microsoft Defender for Endpoint integration](enable-defender-for-endpoint.md).
+[Enable the Microsoft Defender for Endpoint integration](enable-defender-for-endpoint.md)
diff --git a/articles/defender-for-cloud/just-in-time-access-overview.md b/articles/defender-for-cloud/just-in-time-access-overview.md
@@ -15,7 +15,7 @@ To learn how to apply JIT to your VMs using the Azure portal (either Defender fo
 
 Threat actors actively hunt accessible machines with open management ports, like RDP or SSH. All of your virtual machines are potential targets for an attack. When a VM is successfully compromised, it's used as the entry point to attack further resources within your environment.
 
-## Why JIT VM access is the solution 
+## Why JIT VM access is the solution
 
 As with all cybersecurity prevention techniques, your goal should be to reduce the attack surface. In this case that means having fewer open ports especially management ports.
 
@@ -25,7 +25,7 @@ To solve this dilemma, Microsoft Defender for Cloud offers JIT. With JIT, you ca
 
 ## How JIT operates with network resources in Azure and AWS
 
-In Azure, you can block inbound traffic on specific ports, by enabling just-in-time VM access. Defender for Cloud ensures "deny all inbound traffic" rules exist for your selected ports in the [network security group](../virtual-network/network-security-groups-overview.md#security-rules) (NSG) and [Azure Firewall rules](../firewall/rule-processing.md). These rules restrict access to your Azure VMs’ management ports and defend them from attack. 
+In Azure, you can block inbound traffic on specific ports, by enabling just-in-time VM access. Defender for Cloud ensures "deny all inbound traffic" rules exist for your selected ports in the [network security group](../virtual-network/network-security-groups-overview.md#security-rules) (NSG) and [Azure Firewall rules](../firewall/rule-processing.md). These rules restrict access to your Azure VMs’ management ports and defend them from attack.
 
 If other rules already exist for the selected ports, then those existing rules take priority over the new "deny all inbound traffic" rules. If there are no existing rules on the selected ports, then the new rules take top priority in the NSG and Azure Firewall.
 
@@ -38,21 +38,23 @@ When a user requests access to a VM, Defender for Cloud checks that the user has
 
 ## How Defender for Cloud identifies which VMs should have JIT applied
 
-The following diagram shows the logic that Defender for Cloud applies when deciding how to categorize your supported VMs: 
+The following diagram shows the logic that Defender for Cloud applies when deciding how to categorize your supported VMs:
 
 ### [**Azure**](#tab/defender-for-container-arch-aks)
+
 [![Just-in-time (JIT) virtual machine (VM) logic flow.](media/just-in-time-explained/jit-logic-flow.png)](media/just-in-time-explained/jit-logic-flow.png#lightbox)
 
 ### [**AWS**](#tab/defender-for-container-arch-eks)
+
 :::image type="content" source="media/just-in-time-explained/aws-jit-logic-flow.png" alt-text="A chart that explains the logic flow for the AWS Just in time (J I T) virtual machine (V M) logic flow.":::
 
 ---
 
-When Defender for Cloud finds a machine that can benefit from JIT, it adds that machine to the recommendation's **Unhealthy resources** tab. 
+When Defender for Cloud finds a machine that can benefit from JIT, it adds that machine to the recommendation's **Unhealthy resources** tab.
 
 ![Just-in-time (JIT) virtual machine (VM) access recommendation.](./media/just-in-time-explained/unhealthy-resources.png)
 
-## Next steps
+## Next step
 
 This page explained why just-in-time (JIT) virtual machine (VM) access should be used. To learn how to enable JIT and request access to your JIT-enabled VMs:
 
diff --git a/articles/defender-for-cloud/just-in-time-access-usage.md b/articles/defender-for-cloud/just-in-time-access-usage.md
@@ -30,15 +30,15 @@ In this article, you learn how to include JIT in your security program, includin
 
 ## Prerequisites
 
-- JIT requires [Microsoft Defender for Servers Plan 2](plan-defender-for-servers-select-plan.md#plan-features) to be enabled on the subscription. 
+- JIT requires [Microsoft Defender for Servers Plan 2](plan-defender-for-servers-select-plan.md#plan-features) to be enabled on the subscription.
 
 - **Reader** and **SecurityReader** roles can both view the JIT status and parameters.
 
 - If you want to create custom roles that  work with JIT, you need the details from the following table:
 
     | To enable a user to: | Permissions to set|
     | --- | --- |
-    |Configure or edit a JIT policy for a VM | *Assign these actions to the role:*  <ul><li>On the scope of a subscription or resource group that is associated with the VM:<br/> `Microsoft.Security/locations/jitNetworkAccessPolicies/write` </li><li> On the scope of a subscription or resource group of VM: <br/>`Microsoft.Compute/virtualMachines/write`</li></ul> | 
+    |Configure or edit a JIT policy for a VM | *Assign these actions to the role:*  <ul><li>On the scope of a subscription or resource group that is associated with the VM:<br/> `Microsoft.Security/locations/jitNetworkAccessPolicies/write` </li><li> On the scope of a subscription or resource group of VM: <br/>`Microsoft.Compute/virtualMachines/write`</li></ul> |
     |Request JIT access to a VM | *Assign these actions to the user:*  <ul><li> `Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action` </li><li> `Microsoft.Security/locations/jitNetworkAccessPolicies/*/read` </li><li> `Microsoft.Compute/virtualMachines/read` </li><li> `Microsoft.Network/networkInterfaces/*/read` </li> <li> `Microsoft.Network/publicIPAddresses/read` </li></ul> |
     |Read JIT policies| *Assign these actions to the user:*  <ul><li>`Microsoft.Security/locations/jitNetworkAccessPolicies/read`</li><li>`Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action`</li><li>`Microsoft.Security/policies/read`</li><li>`Microsoft.Security/pricings/read`</li><li>`Microsoft.Compute/virtualMachines/read`</li><li>`Microsoft.Network/*/read`</li>|
 
@@ -48,11 +48,10 @@ In this article, you learn how to include JIT in your security program, includin
 - To set up JIT on your Amazon Web Service (AWS) VM, you need to [connect your AWS account](quickstart-onboard-aws.md) to Microsoft Defender for Cloud.
 
     > [!TIP]
-    > To create a least-privileged role for users that need to request JIT access to a VM, and perform no other JIT operations, use the [Set-JitLeastPrivilegedRole script](https://github.com/Azure/Azure-Security-Center/tree/main/Powershell%20scripts/JIT%20Scripts/JIT%20Custom%20Role) from the Defender for Cloud GitHub community pages. 
-
+    > To create a least-privileged role for users that need to request JIT access to a VM, and perform no other JIT operations, use the [Set-JitLeastPrivilegedRole script](https://github.com/Azure/Azure-Security-Center/tree/main/Powershell%20scripts/JIT%20Scripts/JIT%20Custom%20Role) from the Defender for Cloud GitHub community pages.
 
 > [!NOTE]
-> In order to successfully create a custom JIT policy, the policy name, together with the targeted VM name, must not exceed a total of 56 characters. 
+> In order to successfully create a custom JIT policy, the policy name, together with the targeted VM name, must not exceed a total of 56 characters.
 
 ## Work with JIT VM access using Microsoft Defender for Cloud
 
@@ -79,12 +78,12 @@ From Defender for Cloud, you can enable and configure the JIT VM access.
 
 1. Open the **Workload protections** and, in the advanced protections, select **Just-in-time VM access**.
 
-1. In the **Not configured** virtual machines tab, mark the VMs to protect with JIT and select **Enable JIT on VMs**. 
+1. In the **Not configured** virtual machines tab, mark the VMs to protect with JIT and select **Enable JIT on VMs**.
 
     The JIT VM access page opens listing the ports that Defender for Cloud recommends protecting:
     - 22 - SSH
     - 3389 - RDP
-    - 5985 - WinRM 
+    - 5985 - WinRM
     - 5986 - WinRM
 
     To customize the JIT access:
@@ -106,13 +105,13 @@ To edit the existing JIT rules for a VM:
 
 1. Open the **Workload protections** and, in the advanced protections, select **Just-in-time VM access**.
 
-1. In the **Configured** virtual machines tab, right-click on a VM and select **Edit**. 
+1. In the **Configured** virtual machines tab, right-click on a VM and select **Edit**.
 
 1. In the **JIT VM access configuration**, you can either edit the list of port or select **Add** a new custom port.
 
 1. When you finish editing the ports, select **Save**.
 
-### Request access to a JIT-enabled VM from Microsoft Defender for Cloud 
+### Request access to a JIT-enabled VM from Microsoft Defender for Cloud
 
 When a VM has a JIT enabled, you have to request access to connect to it. You can request access in any of the supported ways, regardless of how you enabled JIT.
 
@@ -144,13 +143,13 @@ You can enable JIT on a VM from the Azure virtual machines pages of the Azure po
 > [!TIP]
 > If a VM already has JIT enabled, the VM configuration page shows that JIT is enabled. You can use the link to open the JIT VM access page in Defender for Cloud to view and change the settings.
 
-1. From the [Azure portal](https://portal.azure.com), search for and select **Virtual machines**. 
+1. From the [Azure portal](https://portal.azure.com), search for and select **Virtual machines**.
 
 1. Select the virtual machine you want to protect with JIT.
 
 1. In the menu, select **Configuration**.
 
-1. Under **Just-in-time access**, select **Enable just-in-time**. 
+1. Under **Just-in-time access**, select **Enable just-in-time**.
 
     By default, just-in-time access for the VM uses these settings:
 
@@ -167,7 +166,7 @@ You can enable JIT on a VM from the Azure virtual machines pages of the Azure po
 
     1. From Defender for Cloud's menu, select **Just-in-time VM access**.
 
-    1. From the **Configured** tab, right-click on the VM to which you want to add a port, and select **Edit**. 
+    1. From the **Configured** tab, right-click on the VM to which you want to add a port, and select **Edit**.
 
         ![Editing a JIT VM access configuration in Microsoft Defender for Cloud.](./media/just-in-time-access-usage/jit-policy-edit-security-center.png)
 
@@ -229,13 +228,13 @@ The following PowerShell commands create this JIT configuration:
     ```
 
 1. Insert the VM just-in-time VM access rules into an array:
-    
+
     ```azurepowershell
     $JitPolicyArr=@($JitPolicy)
     ```
 
 1. Configure the just-in-time VM access rules on the selected VM:
-    
+
     ```azurepowershell
     Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location "LOCATION" -Name "default" -ResourceGroupName "RESOURCEGROUP" -VirtualMachine $JitPolicyArr
     ```
@@ -264,7 +263,7 @@ Run the following commands in PowerShell:
     ```azurepowershell
     $JitPolicyArr=@($JitPolicyVm1)
     ```
-        
+
 1. Send the request access (use the resource ID from step 1)
 
     ```azurepowershell
@@ -277,13 +276,13 @@ Learn more in the [PowerShell cmdlet documentation](/powershell/scripting/develo
 
 #### Enable JIT on your VMs using the REST API
 
-The just-in-time VM access feature can be used via the Microsoft Defender for Cloud API. Use this API to get information about configured VMs, add new ones, request access to a VM, and more. 
+The just-in-time VM access feature can be used via the Microsoft Defender for Cloud API. Use this API to get information about configured VMs, add new ones, request access to a VM, and more.
 
 Learn more at [JIT network access policies](/rest/api/defenderforcloud/jit-network-access-policies).
 
 #### Request access to a JIT-enabled VM using the REST API
 
-The just-in-time VM access feature can be used via the Microsoft Defender for Cloud API. Use this API to get information about configured VMs, add new ones, request access to a VM, and more. 
+The just-in-time VM access feature can be used via the Microsoft Defender for Cloud API. Use this API to get information about configured VMs, add new ones, request access to a VM, and more.
 
 Learn more at [JIT network access policies](/rest/api/defenderforcloud/jit-network-access-policies).
 
@@ -294,7 +293,7 @@ You can gain insights into VM activities using log search. To view the logs:
 1. From **Just-in-time VM access**, select the **Configured** tab.
 
 1. For the VM that you want to audit, open the ellipsis menu at the end of the row.
- 
+
 1. Select **Activity Log** from the menu.
 
    ![Select just-in-time JIT activity log.](./media/just-in-time-access-usage/jit-select-activity-log.png)
