
AZ-500 Question #204: Real Exam Question with Answer & Explanation


Submitted by ahmad_uae · Mar 6, 2026 · Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel

Question

You have an Azure subscription that contains a user named Admin1 and a virtual machine named VM1. VM1 runs Windows Server 2019 and was deployed by using an Azure Resource Manager template. VM1 is the member of a backend pool of a public Azure Basic Load Balancer. Admin1 reports that VM1 is listed as Unsupported on the Just in time VM access blade of Azure Security Center. You need to ensure that Admin1 can enable just in time (JIT) VM access for VM1. What should you do?

Options

  • A. Create and configure a network security group (NSG).
  • B. Create and configure an additional public IP address for VM1.
  • C. Replace the Basic Load Balancer with an Azure Standard Load Balancer.
  • D. Assign an Azure Active Directory Premium Plan 1 license to Admin1.

Explanation


Option A is correct because Just-in-Time (JIT) VM access in Microsoft Defender for Cloud (Security Center) requires a Network Security Group (NSG) to be associated with the VM's network interface or subnet - without an NSG, JIT cannot control inbound port access dynamically, which is why VM1 appears as "Unsupported." Creating and configuring an NSG gives JIT the mechanism it needs to open and close ports on demand.

Why the distractors are wrong:

  • Option B (additional public IP) is irrelevant - JIT functionality is not dependent on having multiple public IP addresses assigned to the VM.
  • Option C (Standard Load Balancer) addresses a different limitation; while Basic Load Balancers have restrictions, the specific "Unsupported" status for JIT is caused by the missing NSG, not the load balancer tier.
  • Option D (Azure AD Premium P1 license) is unrelated - JIT VM access is a feature of Microsoft Defender for Cloud (requiring Defender for Servers), not an Azure Active Directory license.

🧠 Memory Tip: Think of JIT as a bouncer at a door - the NSG is the door itself. Without a door (NSG), the bouncer (JIT) has nothing to open or close, making the feature unsupported. No NSG = No JIT!
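The check and fix behind option A, as an added example that is not part of the original page: Azure CLI shell functions that report whether an NSG covers VM1's NIC or its subnet and attach a new one only if neither does. The resource group and NSG names are caller-supplied placeholders, and only the VM's first NIC is examined.

```shell
#!/bin/sh
# Added example, not from the original page. Resource group, VM and NSG names
# are placeholders passed in by the caller; only the first NIC is checked.

# Print the ID of the NSG covering the VM's first NIC (NIC-level first, then
# the NIC's subnet). Prints an empty line when neither has an NSG.
vm_nsg_id() {
    rg=$1; vm=$2
    nic_id=$(az vm show -g "$rg" -n "$vm" \
        --query "networkProfile.networkInterfaces[0].id" -o tsv) || return 1
    nsg_id=$(az network nic show --ids "$nic_id" \
        --query "networkSecurityGroup.id" -o tsv) || return 1
    if [ -z "$nsg_id" ]; then
        subnet_id=$(az network nic show --ids "$nic_id" \
            --query "ipConfigurations[0].subnet.id" -o tsv) || return 1
        nsg_id=$(az network vnet subnet show --ids "$subnet_id" \
            --query "networkSecurityGroup.id" -o tsv) || return 1
    fi
    printf '%s\n' "$nsg_id"
}

# Create an NSG and attach it to the VM's first NIC, but only when no NSG
# already covers it. Prints "present:<id>" or "attached:<id>".
# A new NSG carries only the default rules, which deny inbound Internet
# traffic: add allow rules for the load-balanced ports before attaching it.
ensure_vm_nsg() {
    rg=$1; vm=$2; nsg=$3
    existing=$(vm_nsg_id "$rg" "$vm") || return 1
    if [ -n "$existing" ]; then
        printf 'present:%s\n' "$existing"
        return 0
    fi
    az network nsg create -g "$rg" -n "$nsg" -o none || return 1
    new_id=$(az network nsg show -g "$rg" -n "$nsg" --query id -o tsv) || return 1
    nic_id=$(az vm show -g "$rg" -n "$vm" \
        --query "networkProfile.networkInterfaces[0].id" -o tsv) || return 1
    az network nic update --ids "$nic_id" \
        --network-security-group "$new_id" -o none || return 1
    printf 'attached:%s\n' "$new_id"
}

# Usage: ensure_vm_nsg <resource-group> VM1 <nsg-name>
```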

Topics

#Just-in-Time VM Access #Azure Security Center #Network Security Group #VM Security
