I am trying to set up Just in Time Access in Azure, so I have an account with a subscription where I've enabled Security Center Standard edition (required for JIT). I've created a Resource Group and a VM there.
Now I took another account (let's call it [email protected]) and I've given it Reader privileges on the mentioned Resource Group and Contributor on the VM and its Network Security Group.
After logging in to the portal, [email protected] doesn't have access to JIT, because the subscriptions it owns don't have Security Center Standard enabled - these are separate subscriptions from the one mentioned earlier (so it's not possible to request JIT through the portal).
When I use PowerShell, I am able to select subscription where VM is deployed (Select-AzureRmSubscription), I am able to see that there is a JIT policy used there (Get-ASCJITAccessPolicy), but when I run Invoke-ASCJITAccess I get an error:
Invoke-ASCJITAccess : JIT VM Access requires a Standard tier subscription. For more info please visit aka.ms/asc-jit
Am I missing something, or does Just In Time Access work only on subscriptions you own?