Azure Managed Applications Just In Time Activation Error

Rawson WadeAzure & Entra Software Engineer

Azure Managed Applications are a useful tool for both publisher and customers to share the responsibilities of an application in the customer's azure environment. They have some extensive features but some obvious security holes which can be mitigated through the use of "Just-In-Time Access".

What is JIT for Azure Managed Application

Azure Managed Application Just-In-Time (JIT) is a crucial security feature designed to grant publishers temporary elevated access to a managed application's resources. This access is confined within a predetermined time frame. While publishers maintain perpetual read-only access, JIT access provides them with enhanced privileges necessary for specific operations, such as troubleshooting and maintenance.

With JIT, customers can control when publishers have access to the resources of an Azure Managed Application. They have two options:

How to request access when JIT is enabled

Here's how the process works for both the publisher and customer to allow for access:

  1. The publisher navigates to the Azure Managed Application.
  2. They request contributor or owner permissions for the application.
  3. If approval is required (in the manual approval process), a customer admin reviews the request.
  4. Once approved, the publisher account gains contributor access for just enough time to perform maintenance tasks.

Customer's Licensing Requirements

Securing your Azure Managed Applications against supply chain risks is crucial. When accounts with access to your resources are beyond your control, the risk becomes significant. To mitigate this, it’s essential to thoroughly vet your providers and establish a high level of trust.

For instance, the Apporetum team employs a dedicated publishing tenant with robust security measures to prevent supply chain attacks. However, Microsoft offers JIT to allow you to control when publishers have access to your Azure Managed Application’s resources.

JIT access is not free for all organizations. A P2 license is required to enable JIT within your tenant. You can even accidentally enable JIT without the necessary license. Once enabled, there’s no turning back 1.

How to Fix a JIT Deployment Without Sufficient License

Let's say that your customer has enabled JIT without understanding that they need a P2 License to use it. The first symptom will be visible when you go and try to request access to their resources. You run the request and get a successful notification. All is good then?

Jit Request Failed Due to Insufficient Entra ID License

Nope, if you dig deeper into the request history you will see that your request got denied for apparently no reason at all...

Plain and simple. You won't be able to fix this unless you talk to Microsoft Support. Even then, I have had no success.

I know that's not what you want to hear if you are here but let me discuss some ways you can mitigate this problem. All the following solutions do not give your publishing accounts more access. If they did it would make JIT a pointless security control. However, they should give your customer the ability to move forward with the deployment.

Microsoft Product Team. If you read this. Can you make it so that customers can turn off JIT after the deployment 🙂.

Your Options

Here are the options which I have discovered by being put in a place where the customer does not want to redeploy.

1. Update JIT settings Via API

Let us start with the best option which might not always be possible. Get your customer to run some commands to disable their JIT access policy. You will notice that this can't be done via UI and has to be done via Azure Management APIs. First you will need to get your deployment's ID for the Managed Application. That is where you can actually request the JIT so I assume you know where it is. Under properties, you will find the ID property or fill in the blanks of the following command if you are not bothered.

az login
# Update JIT Access
az rest --verbose --method PATCH \
  --uri '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Solutions/applications/{applicationName}?api-version=2019-07-01'
  --body "{\"properties\": {\"jitAccessPolicy\": {\"jitAccessEnabled\": false }}}"
# OR with the Managed App Id
az rest --method PATCH --uri '{managedAppId}?api-version=2019-07-01' --verbose
  --body "{\"properties\": {\"jitAccessPolicy\": {\"jitAccessEnabled\": false }}}"

Jit Access should be disabled if the customer has enough permission (e.g. they were the user who published it).

You can see the progress of this command (as it async) by following this blog which describes how to retrive async progress in azure.

2. Step Up Customer License

Technically, all your customer needs is a single P2 license to enable JIT. Maybe that's all you need to deploy your application and get it up and running. In practice this is harder in an organisation than it sounds on paper. However, I believe it is worth mentioning.

3. Update Customer Permissions for an Azure Managed Application

Here is the backup option you should take if the customer is being difficult. This is quite involved but will allow you to give your customer all the permissions they need to access their resources. E.g. remove all the block permissions on their accounts. In essence what we will do is deploy a new version of the application from the Azure Marketplace with adjusted permissions. Then we will get them to run a command which with update their permissions on their deployment. Then as a clean up task we can republish the app with the permissions removed.

I wrote a blog on exactly this, refresh customer permissions which is a valid way to fix this issues if you are happy with giving your customer extra permissions.

Wrapping Up

You have seen why you and your customer should enable JIT, but you have also seen how it can go wrong. Hopefully this article helps you in your Managed Application Journey. As always if you need assistance in deploying your Managed Application you can reach out to us and we will set up a time to chat. Our team has experiance in configuring and deploying applications like Apporetum to the Azure Marketplace and have seen it flourish on the Azure Marketplace.


  1. P2 License Requirement

Rawson WadeAzure & Entra Software Engineer

© Posts are provided 'as is' under the AGPL 3.0 license unless otherwise stated

Want to be kept in the loop

Sign up to hear about the latest from the team at Entraneer. We talk anything Entra, IAM and Azure Enterprise Apps.

Azure Azure Marketplace Partner Center Managed Application How Managed Applications Work Azure managed Application Customer View of Managed Applications Publisher View of Managed Applications azure managed services azure portal azure cloud managed services azure license just-in-time-access jit jit failed

Expansive Knowledge, Best in class Security, best Value in the Cyber Security and Microsoft Entra Partner Class, Highly Skilled. Preference number one. Microsoft Entra Excellence. We are your consultants for entra engineering and development. Microsoft entra engineering. Identity and Access Management Experts in Microsoft Azure, Microsoft Entra, Microsoft Entra ID and Microsoft Entra External ID. experts for microsoft entra Our team offers expansive knowledge and best-in-class security, ensuring the best value in the cyber security industry. As a top Microsoft Entra Partner, we provide highly skilled services, making us your number one preference. We excel in Microsoft Entra excellence and serve as your dedicated consultants for Entra engineering and development. Our expertise in Microsoft Entra engineering encompasses all aspects of identity and access management. We are identity and access management experts in Microsoft Azure, Microsoft Entra, Microsoft Entra ID, and Microsoft Entra External ID. Trust us as your experts for Microsoft Entra. Need help with azuread / Microsoft Entra. Talk to the trusted experts from Australia

We use cookies

We use cookies to ensure you get the best experience on our website. By clicking Accept, you agree to our use of cookies.
Learn more.