The Azure “Just in Time” (JIT) VM access feature in Microsoft Defender for Cloud is very useful for controlling access to servers, but be careful with it.
When you request access there are three options for the allowed source IP address, of which the 3rd is the default.
- My IP
- Other IPs
- All configured IPs (actually all IPs if nothing is configured)
The best choice is usually “My IP”, but the default is “All Configured IPs”.
If you do not have any “configured IPs” on the port, JIT opens the RDP port to ALL IP addresses for the duration of the request, which is not ideal.
Even if you have an internal policy that says to choose the “My IP” option, it is very likely that users will often just accept the default, which is effectively “All IP Addresses”. The best way to mitigate this is to set at least one fixed IP address or CIDR block in the port configuration, so that the default option becomes a real restriction instead of the whole Internet.
Azure Portal > Microsoft Defender for Cloud > Workload protections > Just-in-time VM access > 3 dots > Edit > click the rule > Port configuration
You need to do this for each server and for each port.
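Clicking through that path for every server and every port does not scale, so here is an added example (my own script, not code from the original post or from Microsoft) that does the same thing with the Az.Security module: it reads the JIT policy with Get-AzJitNetworkAccessPolicy, lists every port whose allowed source is empty or "*" (the weak setting that leaves the request default as "all IPs"), and then writes the policy back with a fixed IP/CIDR pinned on every port of every VM. The resource group, location, policy name and the address 203.0.113.10/32 are placeholders; the property names read from the policy object (VirtualMachines, Ports, Number, Protocol, AllowedSourceAddressPrefix, MaxRequestAccessDuration) are assumed to match the objects Az.Security returns.

```powershell
<#
Added example, not from the original post. Pins a fixed allowed source on every
JIT port of every VM in a policy instead of editing each port in the portal.
Assumptions (placeholders): resource group, location, policy name, the
203.0.113.10/32 prefix, and the property names on the policy object.
Prerequisites: Install-Module Az.Security; Connect-AzAccount
#>
param(
    [string]$ResourceGroupName   = 'rg-prod',          # placeholder
    [string]$Location            = 'westeurope',       # placeholder
    [string]$PolicyName          = 'default',          # name Defender for Cloud uses for its JIT policy
    [string]$AllowedSourcePrefix = '203.0.113.10/32',  # your fixed egress IP or CIDR (placeholder)
    [switch]$AuditOnly                                 # report weak ports, change nothing
)

# A port whose allowed source is empty or "*" is the weak setting: the request
# default ("configured IPs") then opens the port to every address.
function Get-OpenJitPorts {
    param([Parameter(Mandatory)]$Policy)
    foreach ($vm in $Policy.VirtualMachines) {
        foreach ($port in $vm.Ports) {
            $prefix = $port.AllowedSourceAddressPrefix
            if ([string]::IsNullOrEmpty($prefix) -or $prefix -eq '*') {
                [pscustomobject]@{
                    Vm            = ($vm.Id -split '/')[-1]
                    Port          = $port.Number
                    AllowedSource = if ($prefix) { $prefix } else { '(none = all IPs)' }
                }
            }
        }
    }
}

# Rebuild the VM list with the hardened setting on every port, keeping each
# port's number, protocol and maximum request duration unchanged.
function ConvertTo-PinnedJitPolicy {
    param([Parameter(Mandatory)]$Policy, [Parameter(Mandatory)][string]$Prefix)
    foreach ($vm in $Policy.VirtualMachines) {
        $ports = foreach ($port in $vm.Ports) {
            @{
                number                     = $port.Number
                protocol                   = $port.Protocol
                allowedSourceAddressPrefix = @($Prefix)                    # hardened: fixed IP/CIDR
                maxRequestAccessDuration   = $port.MaxRequestAccessDuration  # e.g. 'PT3H'
            }
        }
        @{ id = $vm.Id; ports = @($ports) }
    }
}

$policy = Get-AzJitNetworkAccessPolicy -ResourceGroupName $ResourceGroupName `
    -Location $Location -Name $PolicyName

$open = @(Get-OpenJitPorts -Policy $policy)
if ($open.Count -eq 0) {
    Write-Host "All JIT ports in '$PolicyName' already have a fixed allowed source."
    return
}
Write-Host "JIT ports that currently default to all IP addresses:"
$open | Format-Table -AutoSize

if ($AuditOnly) { return }

# Write the whole policy back, every VM included, so VMs that are not being
# changed are not dropped from the policy by the overwrite.
$pinned = @(ConvertTo-PinnedJitPolicy -Policy $policy -Prefix $AllowedSourcePrefix)
Set-AzJitNetworkAccessPolicy -Kind 'Basic' -Location $Location -Name $PolicyName `
    -ResourceGroupName $ResourceGroupName -VirtualMachine $pinned
Write-Host "Pinned $AllowedSourcePrefix on $($open.Count) port(s)."
```

Run it with `-AuditOnly` first to see which servers and ports would still open to the world, then without it to pin the prefix. Because Set-AzJitNetworkAccessPolicy replaces the policy for that resource group and location, the script always passes back every VM it read, not just the ones it changed; if your policies are split across several resource groups or regions, run it once per pair.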