JIT stopped working
Hi,
All of a sudden my JIT stopped working. After requesting JIT + check VM access I get the error about NetworkWatcherCountLimitReached. This started all of a sudden, without any changes... Below is the full API error:
{ "stack": "BatchResponseItemError: Cannot create more than 1 network watchers for this subscription in this region.\n at m (https://portal.azure.com/Content/Dynamic/aNGXccyIdUk7.js:49:4809)\n at https://portal.azure.com/Content/Dynamic/aNGXccyIdUk7.js:49:6297\n at Array.forEach (<anonymous>)\n at https://portal.azure.com/Content/Dynamic/aNGXccyIdUk7.js:49:3036", "message": "Cannot create more than 1 network watchers for this subscription in this region.", "type": "FxAjaxBatchResponseItemError", "baseTypes": [ "FxAjaxBatchResponseItemError", "MsPortalFx.Errors.Error" ], "extension": "Microsoft_Azure_Compute", "errorLevel": 2, "timestamp": 57991.79999999702, "name": "BatchResponseItemError", "innerErrors": [], "content": { "error": { "code": "NetworkWatcherCountLimitReached", "message": "Cannot create more than 1 network watchers for this subscription in this region.", "details": [] } }, "headers": { "Pragma": "no-cache", "x-ms-request-id": "266acdad-90cf-4e21-a6fa-44560ae59dd0", "x-ms-correlation-request-id": "8f08b885-a491-4837-93b1-a8a1e0f82dee", "x-ms-arm-service-request-id": "2c15a11d-d5fc-43c6-80fc-18755ed56790", "Strict-Transport-Security": "max-age=31536000; includeSubDomains", "x-ms-operation-identifier": "tenantId=0bf70ab8-044f-4d36-9ad5-a79cba69609d,objectId=1c2c7113-475b-431e-9cc0-9d3d0c6a6058/westeurope/5433e465-b36c-48fb-8144-d9b2c74e89c6", "x-ms-ratelimit-remaining-subscription-writes": "199", "x-ms-ratelimit-remaining-subscription-global-writes": "2999", "x-ms-routing-request-id": "WESTEUROPE:20260527T111109Z:2057b569-dd44-4055-a40e-151ab0ab49e7", "X-Content-Type-Options": "nosniff", "X-Cache": "CONFIG_NOCACHE", "X-MSEdge-Ref": "Ref A: C0357AEAD4594E02B877BBDFCBFD9F70 Ref B: DUB601080511025 Ref C: 2026-05-27T11:11:09Z", "Cache-Control": "no-cache", "Date": "Wed, 27 May 2026 11:11:09 GMT" }, "httpStatusCode": 400 }
-
Jerald Felix 13,500 Reputation points • Volunteer Moderator
Hello Gregor Jus
Greetings! Thanks for raising this question in Q&A forum.
I can see exactly what's happening here. The NetworkWatcherCountLimitReached error means your subscription already has a Network Watcher instance in the West Europe region, and when JIT tried to create or reinitialise one as part of its VM access check, Azure blocked it because only one Network Watcher is allowed per region per subscription. The Network Watcher parent resource is deployed with a unique instance in every region, and Network Watcher only needs to be enabled once per region per subscription for its features to work. What's likely happened is that a duplicate or orphaned Network Watcher ended up in your subscription (possibly from a resource move, another team's deployment, or an automated process) and now JIT is tripping over it.
Here's how to fix this step by step:
Step 1: Find all Network Watcher instances in your subscription
Run this in Azure CLI to list all Network Watchers in your subscription:
az network watcher list --output table
Look specifically for the West Europe region — you may see two entries, or one in an unexpected resource group (not NetworkWatcherRG).
Step 2: Check the NetworkWatcherRG resource group in the portal
- Go to the Azure Portal and search for "Resource Groups"
- Open the NetworkWatcherRG resource group (it's automatically created by Azure)
- Look for a resource named NetworkWatcher_westeurope
- If you see more than one, or if you see one in a different resource group as well, that's the conflict
Step 3: Delete the duplicate or extra Network Watcher
Once you identify the duplicate, delete the extra one. Keep the one in NetworkWatcherRG as that's the standard Azure-managed one. To delete via CLI:
az network watcher delete --location westeurope --resource-group <resource-group-with-duplicate>
Or simply delete it from the portal by clicking on the extra Network Watcher resource and clicking Delete.
Step 4: Verify only one Network Watcher remains in West Europe
After deletion, rerun:
az network watcher list --output table
Confirm only one NetworkWatcher_westeurope exists and it's in NetworkWatcherRG.
Step 5: Re-test JIT access
Go back to Microsoft Defender for Cloud > Workload Protections > Just-in-time VM access, find your VM, and try requesting access again. The NetworkWatcherCountLimitReached error should now be gone.
Step 6: If you cannot find a duplicate but the error persists
It's possible the Network Watcher is stuck in a bad provisioning state. In that case, try deleting the existing NetworkWatcher_westeurope from NetworkWatcherRG entirely and letting Azure recreate it automatically. Azure automatically recreates the Network Watcher resource group and its contents when needed; deleting it won't permanently disable Network Watcher and it will be recreated the next time it's required.
Step 7: Raise a support ticket if the issue continues
If the duplicate is gone but JIT still throws this error, there may be a stale lock or internal state issue on the backend. Raise a Technical support ticket with Azure Security / Defender for Cloud, include the error details you shared, your subscription ID, and the region (West Europe). The support team can clear any backend state causing this.
If this answer helps you kindly accept the answer which will help others who have similar questions.
Best Regards,
Jerald Felix.
-
Venkatesan S 9,305 Reputation points • Microsoft External Staff • Moderator
Hi Gregor Jus,
Thanks for reaching out in Microsoft Q&A forum,
Your JIT stopped working because Azure reports that you’ve already reached the Network Watcher limit in the westeurope region. Azure allows only one Network Watcher instance per region per subscription. When you clicked Request JIT + Check VM access, Azure tried to create a second Network Watcher in westeurope and got the NetworkWatcherCountLimitReached error, so JIT failed.
In practice, this means:
- A Network Watcher already exists (or was left in a partially created state) in westeurope for your subscription.
- You cannot create another one; you must enable or re-use the existing Network Watcher for JIT to work.
1. Confirm Network Watcher exists in westeurope
In the Azure portal:
- Search for Network Watcher.
- On the Network watcher map, find westeurope.
- Check its status:
- If it shows Enabled, you’re good; JIT just needs this to be enabled.
- If it shows Not configured, select it and click Enable for westeurope (this enables the existing watcher, not creates a new one).
You should not try to create a new Network Watcher resource manually; that will again hit the limit.
2. Ensure JIT is enabled for your VM
In Microsoft Defender for Cloud:
- Go to Defender for Cloud > Environment settings (or Security policy).
- Select your subscription.
- Make sure Just-in-Time VM access is enabled.
- Go to Just-in-Time VM access and:
- Confirm your VM is listed.
- If not, click Add / Configure ports and define the ports (e.g., 22/3389) and time window.
3. Try JIT again
Once Network Watcher is enabled in westeurope and JIT is configured:
- Go to your VM > Just-in-Time VM access (or via Defender for Cloud).
- Click Request JIT + Check VM access again.
- The operation should now succeed and temporarily open the ports.
4. If it still fails, check permissions and provider
- Ensure you have Security Admin or Contributor permissions on the VM / subscription.
- Ensure the Microsoft.Security resource provider is registered:
az provider show --namespace Microsoft.Security --query "registrationState"
If it’s not Registered:
az provider register --namespace Microsoft.Security
You didn’t change anything, but something else may have:
An automation script, Terraform/Bicep/ARM template, or DevOps pipeline earlier enabled Network Watcher in westeurope.
Microsoft Defender for Cloud / Security Center auto-enabled Network Watcher.
A previous CLI/PowerShell command created the watcher, and now a repeat command (or different casing of the region name) is interpreted as a duplicate.
The fix is not to create a new watcher, but to ensure the existing one is enabled and properly configured.
Official Microsoft documentation
- Network Watcher limits (1 instance per region per subscription):
- Network Watcher overview and enabling:
- Just-in-Time (JIT) VM access overview and configuration:
- JIT access for managed applications (related JIT concept):
Kindly let us know if the above helps or you need further assistance on this issue.
Please “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
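The two answers above both come down to the same checks: inventory the Network Watchers per region, spot one outside NetworkWatcherRG or in a bad provisioning state, confirm the Microsoft.Security provider is registered, and collect the request IDs from the portal error for a support ticket. The following is an added example written for this thread; it is not code from either answer or from Microsoft. It works on JSON captured from `az network watcher list -o json`, `az provider show --namespace Microsoft.Security -o json` and the portal error blob, so it runs offline; the sample documents inside it are constructed and the GUIDs are placeholders.

```python
"""Offline triage helper for the NetworkWatcherCountLimitReached error.

Added example for this Q&A thread (not from the answers or from Microsoft).
Input is the JSON that the Azure CLI prints; nothing here calls Azure.
"""
import json
import re
from collections import defaultdict

EXPECTED_RG = "NetworkWatcherRG"  # the Azure-managed resource group

# Constructed sample of `az network watcher list -o json`, trimmed to the
# fields used here (real output carries many more keys). The subscription id
# in the resource ids is a placeholder.
SAMPLE_WATCHER_LIST = json.dumps([
    {"name": "NetworkWatcher_westeurope", "location": "westeurope",
     "resourceGroup": "NetworkWatcherRG", "provisioningState": "Succeeded",
     "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
           "NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westeurope"},
    {"name": "nw-legacy", "location": "WestEurope",            # note the casing
     "resourceGroup": "rg-team-a", "provisioningState": "Succeeded",
     "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
           "rg-team-a/providers/Microsoft.Network/networkWatchers/nw-legacy"},
    {"name": "NetworkWatcher_northeurope", "location": "northeurope",
     "resourceGroup": "NetworkWatcherRG", "provisioningState": "Failed",
     "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
           "NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_northeurope"},
])

# Constructed portal error in the shape of the one pasted in the question;
# the GUIDs are placeholders, not values from any real subscription.
SAMPLE_PORTAL_ERROR = json.dumps({
    "content": {"error": {
        "code": "NetworkWatcherCountLimitReached",
        "message": "Cannot create more than 1 network watchers for this subscription in this region."}},
    "headers": {
        "x-ms-correlation-request-id": "00000000-0000-0000-0000-00000000c0de",
        "x-ms-request-id": "00000000-0000-0000-0000-0000000000aa",
        "x-ms-routing-request-id": "WESTEUROPE:20260101T000000Z:00000000-0000-0000-0000-0000000000bb"},
    "httpStatusCode": 400,
})


def watcher_findings(az_list_json, expected_rg=EXPECTED_RG):
    """Return (region, kind, name, resourceGroup) tuples for each problem.

    kind: "duplicate"     more than one watcher in the same region
          "unexpected_rg" watcher outside the Azure-managed resource group
          "bad_state"     provisioningState is not Succeeded
    Region names are lower-cased so "WestEurope" and "westeurope" are the same
    region, which is exactly how Azure counts them against the limit.
    """
    by_region = defaultdict(list)
    for w in json.loads(az_list_json):
        by_region[w["location"].lower()].append(w)
    findings = []
    for region, watchers in sorted(by_region.items()):
        for w in watchers:
            if len(watchers) > 1:
                findings.append((region, "duplicate", w["name"], w["resourceGroup"]))
            if w["resourceGroup"].lower() != expected_rg.lower():
                findings.append((region, "unexpected_rg", w["name"], w["resourceGroup"]))
            if w.get("provisioningState") != "Succeeded":
                findings.append((region, "bad_state", w["name"], w["resourceGroup"]))
    return findings


def delete_commands(az_list_json, expected_rg=EXPECTED_RG):
    """Print-only suggestions for removing watchers outside the managed group,
    using the generic ARM delete (`az resource delete --ids`). Nothing is
    executed: the operator reviews the list first, as step 3 above advises."""
    return [f"az resource delete --ids {w['id']}"
            for w in json.loads(az_list_json)
            if w["resourceGroup"].lower() != expected_rg.lower()]


def triage_portal_error(err_json):
    """Pull out what a support ticket needs from the portal error blob: the ARM
    error code, HTTP status, the correlation/request ids and the region that
    is encoded at the front of x-ms-routing-request-id."""
    err = json.loads(err_json)
    code = err["content"]["error"]["code"]
    headers = err.get("headers", {})
    m = re.match(r"([A-Z0-9]+):", headers.get("x-ms-routing-request-id", ""))
    return {
        "code": code,
        "http_status": err.get("httpStatusCode"),
        "region": m.group(1).lower() if m else None,
        "correlation_id": headers.get("x-ms-correlation-request-id"),
        "request_id": headers.get("x-ms-request-id"),
        "is_watcher_limit": code == "NetworkWatcherCountLimitReached",
    }


def provider_registered(az_provider_json):
    """True when `az provider show --namespace Microsoft.Security -o json`
    reports registrationState == "Registered"."""
    return json.loads(az_provider_json).get("registrationState") == "Registered"


if __name__ == "__main__":
    for f in watcher_findings(SAMPLE_WATCHER_LIST):
        print("finding:", *f)
    for cmd in delete_commands(SAMPLE_WATCHER_LIST):
        print("review before running:", cmd)
    print(triage_portal_error(SAMPLE_PORTAL_ERROR))
```

Feed it real output with `az network watcher list -o json > watchers.json` and pass the file contents to `watcher_findings`; the region from `triage_portal_error` should match the region that the findings flag, which is a quick sanity check that you are looking at the right subscription before deleting anything.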
-
Gregor Jus 0 Reputation points
Hi both,
Thank you for your replies, however, it was not so much of getting information "what this means" and where to get information about it, as I've done all that. I fully understand what it means - the issue here is more why did it suddenly stop working...
It turns out the issue is only for newly created / added users while the old ones work fine - for some reason they have sufficient permissions while the new users don't. So something must have changed on the Microsoft / Azure side.
I have solved this by adding additional permissions for network watcher to the new users but it would be nice to know why this happened and when...
Thanks,
G
