
How to Implement Just-in-Time Access for Azure AD Admin Roles

by Lauren Ballejos, IT Editorial Expert
reviewed by Aldwin Rodriguez, Technical Marketing Engineer

Key Points

How to Enable JIT Access for Azure Admin Roles

  • Set Up PIM in Entra Admin Center: Enable PIM, assign roles as Eligible, configure activation duration, require MFA and approval, and define the scope for controlled privilege management.
  • Role Activation Policies: Define MFA, justification, approval requirements, activation duration, and notification settings — with all changes auditable in Entra logs for accountability.
  • PowerShell Integration for JIT Access: Use the Microsoft Graph PowerShell SDK (the legacy AzureAD module is deprecated) to automate time-bound role assignments, allowing for integration with ticketing or service request workflows.
  • Local Enforcement via Registry and GPO: Configure Group Policy and Registry settings to enforce least-privilege principles, deny unnecessary access, and require UAC prompts for elevated tasks.
  • Auditing and Alerting Practices: Use audit logs and SIEM tools to monitor role activations, detect suspicious privilege use, and alert on unusual JIT activity or failed MFA attempts.

Just-in-Time (JIT) administrative access in Microsoft Entra ID (formerly Azure AD) gives you the ability to grant elevated privileges to perform administrative tasks for a limited duration. This is useful for internal IT teams and MSPs because it limits the risk of over-privileged accounts being used in cyberattacks.

This guide discusses Azure JIT administrative access and provides steps for implementing time-bound administrative access through Microsoft Entra ID Privileged Identity Management (PIM), using the Entra Admin Center, PowerShell, as well as using the Registry or Group Policy for enforcement.

Key goals of Azure JIT access

Persistent admin access, the use of user accounts with permanent administrative privileges, is a frequent vector for attacks. Reducing the number of these standing privileged accounts reduces the attack surface, as there are fewer accounts whose credentials could be leaked or whose sessions could be hijacked, making your IT infrastructure more secure and compliant.

Time-limited elevation protects against this, granting users administrative privileges that are only gained after approval and multifactor authentication for authorization. When the task is complete, the user’s administrative privileges expire, meaning that their account cannot be used in an attack or for any other unauthorized administrative activity.

The goals when configuring Azure JIT access using Microsoft Entra Privileged Identity Management should include minimizing standing admin rights, requiring justification and approval with MFA before elevation, audit logging of all administrative activity, and the automatic revocation of administrative rights. JIT access should also be used alongside other security best practices like conditional access and alerting.

Prerequisites for using Microsoft Entra ID Privileged Identity Management

To use PIM, you’ll need:

  1. Microsoft Entra ID P2 licensing (formerly Azure AD Premium P2), which is required for PIM
  2. Global Administrator or Privileged Role Administrator rights to configure PIM
  3. Microsoft Entra ID Admin Center or PowerShell for configuration
  4. Optionally, a SIEM or RMM platform for monitoring, alerting, and configuration deployment
  5. Windows endpoints enrolled in Intune or monitored via RMM for policy enforcement

Enabling PIM and assigning eligible roles in Microsoft Entra ID Admin Center

To begin, you need to enable PIM and assign roles in the Microsoft Entra ID Admin Center:

  1. Go to Microsoft Entra Admin Center.
  2. Navigate to Identity Governance > Privileged Identity Management.
  3. Select Microsoft Entra roles.
  4. Choose a role (e.g., Global Administrator or Exchange Administrator).
  5. Click Add assignments.
  6. Set the user as “Eligible” for time-limited privileges.
  7. Define scope (e.g., tenant-wide or specific resource).
  8. Configure role settings separately to define activation duration (e.g., 1–24 hours).
  9. Enable Require approval and Require MFA as needed during activation settings.

Users must activate roles explicitly, and their access expires automatically. It is recommended to require approval and MFA for the best security.

Configuring role activation policies

Within PIM, you can configure the policies that govern how roles are activated. Policies include:

  • Whether MFA is required
  • Whether justification is required
  • Whether approval is required (you can additionally specify which users can perform approvals)
  • Activation duration (e.g., 1–8 hours)
  • Notification settings

These can be configured in the Entra Admin Center by selecting a role, then navigating to Settings > Role settings. Note that the maximum activation duration set here is a hard limit: activation requests that ask for longer are rejected.

It is common practice to require ticket numbers or case IDs as justification fields. All configuration changes are auditable in the Entra logs.

Using PowerShell to manage JIT assignments

You can also use the Microsoft Graph PowerShell SDK (the Microsoft.Graph modules; the legacy AzureAD module is deprecated) to assign roles programmatically, which is ideal for integration with service requests or automated ticket workflows that grant scoped access.

  1. To do this, connect to Microsoft Graph with the command:

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

  2. Then, list roles and their role definition IDs:

Get-MgRoleManagementDirectoryRoleDefinition | Select-Object DisplayName, Id

  3. To create a time-bound assignment for a user, submit a role assignment schedule request. $userId is the object ID of the user and $roleId is the role definition ID from the previous step. The request below makes the role active immediately and removes it automatically after four hours:

$params = @{
    Action           = "adminAssign"
    PrincipalId      = $userId
    RoleDefinitionId = $roleId
    DirectoryScopeId = "/"    # tenant-wide; narrow the scope (e.g. to an administrative unit) where possible
    Justification    = "Granting temporary access"
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
        Expiration    = @{
            Type     = "AfterDuration"
            Duration = "PT4H"    # ISO 8601 duration: 4 hours
        }
    }
}

New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $params

Note that this creates an active assignment. To make the user eligible instead, so that they still have to activate the role (with the MFA, justification and approval requirements from the role settings), pass the same $params to New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest.

  4. If you created an eligible assignment, the user then activates the role in the Microsoft Entra admin center (or through a selfActivate request) when they need it.
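The activation half of the same workflow, scripted the way a ticketing integration would drive it for the requesting user, is shown below as an added example (this is not code from the original article). It assumes the Microsoft.Graph.Identity.Governance module is installed; the role name, ticket number, ticket system name and justification text are placeholders.

```powershell
# Added example, not from the original article: self-activation of an eligible role
# from PowerShell, with ticket information attached for the approver and the audit log.
# Assumes the Microsoft.Graph.Identity.Governance module is installed.
# Placeholders: role name, ticket number, ticket system and justification.

# Delegated scopes: read the caller's own eligibilities, then create activation requests.
Connect-MgGraph -Scopes "RoleEligibilitySchedule.Read.Directory", "RoleAssignmentSchedule.ReadWrite.Directory"

# Object ID of the signed-in user, the principal that will activate.
$myId = (Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/me").id

# Resolve the role definition by display name rather than hard-coding a GUID.
$roleName = "Exchange Administrator"   # placeholder
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'" | Select-Object -First 1
if (-not $role) { throw "Role '$roleName' not found" }

# Check that an eligibility exists first; without one the activation request is rejected.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
    -Filter "principalId eq '$myId' and roleDefinitionId eq '$($role.Id)'"
if (-not $eligible) { throw "No eligible assignment for '$roleName'; ask an admin to add one in PIM" }

function Request-PimActivation {
    param(
        [Parameter(Mandatory)] [string] $PrincipalId,
        [Parameter(Mandatory)] [string] $RoleDefinitionId,
        [Parameter(Mandatory)] [string] $TicketNumber,
        [Parameter(Mandatory)] [string] $Justification,
        [string] $Duration = "PT2H",       # ISO 8601; must not exceed the role's maximum activation duration
        [string] $DirectoryScopeId = "/"   # tenant-wide; narrow where the role settings allow it
    )
    $body = @{
        Action           = "selfActivate"
        PrincipalId      = $PrincipalId
        RoleDefinitionId = $RoleDefinitionId
        DirectoryScopeId = $DirectoryScopeId
        Justification    = $Justification
        TicketInfo       = @{ TicketNumber = $TicketNumber; TicketSystem = "ServiceNow" }   # placeholder system
        ScheduleInfo     = @{
            StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
            Expiration    = @{ Type = "AfterDuration"; Duration = $Duration }
        }
    }
    # Returns immediately; Status says whether the role is live or waiting for an approver.
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $body
}

function Revoke-PimActivation {
    # Give the role back as soon as the task is done instead of waiting for expiry.
    param(
        [Parameter(Mandatory)] [string] $PrincipalId,
        [Parameter(Mandatory)] [string] $RoleDefinitionId,
        [string] $DirectoryScopeId = "/"
    )
    $body = @{
        Action           = "selfDeactivate"
        PrincipalId      = $PrincipalId
        RoleDefinitionId = $RoleDefinitionId
        DirectoryScopeId = $DirectoryScopeId
        Justification    = "Task complete"
    }
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $body
}

$req = Request-PimActivation -PrincipalId $myId -RoleDefinitionId $role.Id `
    -TicketNumber "INC0012345" -Justification "INC0012345: restore deleted mailbox"   # placeholders

switch ($req.Status) {
    "Provisioned"     { "Role '$roleName' is active" }
    "PendingApproval" { "Waiting for an approver; nothing is elevated yet" }
    default           { "Request state: $($req.Status)" }
}

# ... perform the administrative task, then:
# Revoke-PimActivation -PrincipalId $myId -RoleDefinitionId $role.Id
```

If the role settings require approval, the request comes back in PendingApproval and the caller holds no privilege until an approver acts; a ticketing integration should poll or subscribe for that state change rather than assume success. Requesting a duration longer than the role's maximum fails policy validation, so take the duration from the role settings rather than hard-coding it in the integration.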

Registry and Group Policy enforcement for local policy alignment

Although JIT is cloud-based, local systems should be configured for a least-privilege posture and implement auditing.

For example, you can use the Group Policy Object (GPO) located at Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment to Deny access to this computer from the network for specified users.

The Windows Registry can also be used to enforce hardened defaults for elevation behavior, such as requiring UAC prompts. For example, setting "EnableLUA"=dword:00000001 and "ConsentPromptBehaviorAdmin"=dword:00000001 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System keeps UAC enabled and makes administrators re-enter their credentials on the secure desktop for every elevation (a value of 2 would only ask for a consent click; 0 elevates silently). Changes to EnableLUA take effect after a reboot.

While this configuration strengthens your local security posture, it does not enforce MFA or prevent MFA from being bypassed. MFA enforcement belongs in the identity layer, in this case Microsoft Entra ID and Conditional Access.
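A script that audits those registry values and enforces them where they have drifted, written to run elevated from an RMM or scheduled task, is added below as an example (it is not code from the original article). The baseline values are the ones discussed in this section plus two related UAC values; the thresholds and value set are this example's own choices.

```powershell
# Added example, not from the original article: check and, where needed, enforce the
# UAC elevation values described above. Run as an elevated account (RMM or scheduled task).

$UacKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Value meanings (Windows UAC policy settings):
#   EnableLUA                  1 = UAC on (a change takes effect after a reboot)
#   ConsentPromptBehaviorAdmin 1 = admins re-enter credentials on the secure desktop
#                              (2 = consent click on the secure desktop, 0 = silent elevation)
#   ConsentPromptBehaviorUser  0 = standard users cannot elevate at all (requests auto-denied)
#   PromptOnSecureDesktop      1 = prompts appear on the secure desktop, not over the user session
$Baseline = [ordered]@{
    EnableLUA                  = 1
    ConsentPromptBehaviorAdmin = 1
    ConsentPromptBehaviorUser  = 0
    PromptOnSecureDesktop      = 1
}

function Get-UacDrift {
    # Returns one row per value with the current and expected setting.
    param([string]$Key = $UacKey, [System.Collections.IDictionary]$Expected = $Baseline)
    foreach ($name in $Expected.Keys) {
        $item = Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue
        # A missing value means the Windows default applies, which is not the hardened setting.
        $current = if ($null -ne $item) { $item.$name } else { $null }
        [pscustomobject]@{
            Name      = $name
            Expected  = $Expected[$name]
            Current   = $current
            Compliant = ($current -eq $Expected[$name])
        }
    }
}

function Set-UacBaseline {
    # Writes only the values that drifted, so the run is idempotent and the log shows real changes.
    param([string]$Key = $UacKey, [System.Collections.IDictionary]$Expected = $Baseline)
    $drift = Get-UacDrift -Key $Key -Expected $Expected | Where-Object { -not $_.Compliant }
    foreach ($d in $drift) {
        Set-ItemProperty -Path $Key -Name $d.Name -Value $d.Expected -Type DWord
        Write-Output "Set $($d.Name): $($d.Current) -> $($d.Expected)"
    }
    if ($drift.Name -contains "EnableLUA") {
        Write-Warning "EnableLUA changed; the new value applies after a reboot"
    }
}

Get-UacDrift | Format-Table -AutoSize
# Set-UacBaseline    # uncomment to enforce the baseline
```

Run Get-UacDrift on its own first and review the output: a fleet where ConsentPromptBehaviorAdmin is already 0 on many machines is a finding in itself, and the before/after lines that Set-UacBaseline writes are worth keeping in the RMM job log as evidence of the change.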

Auditing and alerting on JIT activity

Audit logs should be used to track role activation and access behavior. PIM writes every eligibility change, activation request, approval and activation completion to the Entra audit log, which is also available through Microsoft Graph and through the Microsoft 365 unified audit log.

Below is an example PowerShell query that retrieves the last 24 hours of role-membership changes from the unified audit log (it needs the Exchange Online PowerShell module; run Connect-ExchangeOnline first):

Search-UnifiedAuditLog -StartDate (Get-Date).AddHours(-24) -EndDate (Get-Date) -Operations "Add member to role" | Select-Object CreationDate, UserIds, Operations, AuditData

On the endpoints, Windows Security event IDs 4670 (permissions on an object were changed) and 4688 (new process creation) should be of particular interest when logging administrative activity, together with 4672 (special privileges assigned to a new logon) and 4732 (a member was added to a security-enabled local group), which reveal local elevation that never passed through PIM.

You can then send these logs to your RMM or SIEM for alerting and reporting.

You should use log analytics or SIEM to alert on frequent activations, role elevation outside expected hours, and failed/repeated elevation requests.
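The three alerting rules just listed, run over a handful of constructed audit records, are shown below as an added example (not code from the original article). The sample records are constructed for this example and mirror the fields you would map from Entra audit log entries (for instance from Get-MgAuditLogDirectoryAudit in the Microsoft.Graph.Reports module); the business hours and thresholds are assumptions to tune for your team.

```powershell
# Added example, not from the original article: detection logic for PIM activation
# anomalies over constructed sample records. Real input: Entra audit log entries in the
# RoleManagement category, mapped to the flat shape used here (time, user, role, result, reason).
# Business hours and thresholds are assumptions.

# Constructed sample records. Timestamps are in the team's business time zone.
# 2024-05-05 is a Sunday, 2024-05-06 a Monday.
$SampleEvents = @(
    [pscustomobject]@{ When = [datetime]'2024-05-06 09:12'; User = 'alice@contoso.com'; Role = 'Exchange Administrator'; Result = 'success'; Reason = '' }
    [pscustomobject]@{ When = [datetime]'2024-05-06 02:40'; User = 'bob@contoso.com';   Role = 'Global Administrator';   Result = 'success'; Reason = '' }
    [pscustomobject]@{ When = [datetime]'2024-05-06 10:05'; User = 'carol@contoso.com'; Role = 'User Administrator';     Result = 'failure'; Reason = 'MFA not satisfied' }
    [pscustomobject]@{ When = [datetime]'2024-05-06 10:07'; User = 'carol@contoso.com'; Role = 'User Administrator';     Result = 'failure'; Reason = 'MFA not satisfied' }
    [pscustomobject]@{ When = [datetime]'2024-05-06 11:00'; User = 'dave@contoso.com';  Role = 'Exchange Administrator'; Result = 'success'; Reason = '' }
    [pscustomobject]@{ When = [datetime]'2024-05-06 11:30'; User = 'dave@contoso.com';  Role = 'Exchange Administrator'; Result = 'success'; Reason = '' }
    [pscustomobject]@{ When = [datetime]'2024-05-06 12:00'; User = 'dave@contoso.com';  Role = 'Exchange Administrator'; Result = 'success'; Reason = '' }
    [pscustomobject]@{ When = [datetime]'2024-05-06 13:15'; User = 'dave@contoso.com';  Role = 'Exchange Administrator'; Result = 'success'; Reason = '' }
    [pscustomobject]@{ When = [datetime]'2024-05-05 14:00'; User = 'alice@contoso.com'; Role = 'Global Administrator';   Result = 'success'; Reason = '' }
)

function Find-SuspiciousPimActivity {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $BusinessStart = 8,    # first hour of the working day (inclusive)
        [int] $BusinessEnd   = 18,   # hour the working day ends (exclusive)
        [int] $MaxPerDay     = 3,    # successful activations per user per day before it is a burst
        [int] $MaxFailures   = 2     # failed attempts per user before we alert
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($Type, $User, $When, $Detail) {
        $findings.Add([pscustomobject]@{ Type = $Type; User = $User; When = $When; Detail = $Detail })
    }
    $ok = $Events | Where-Object Result -eq 'success'

    # Rule 1: activation outside business hours or on a weekend
    foreach ($e in $ok) {
        $weekend = $e.When.DayOfWeek -in 'Saturday', 'Sunday'
        if ($weekend -or $e.When.Hour -lt $BusinessStart -or $e.When.Hour -ge $BusinessEnd) {
            Add-Finding 'OutOfHoursActivation' $e.User $e.When "$($e.Role) at $($e.When.ToString('ddd HH:mm'))"
        }
    }

    # Rule 2: unusually many activations by one user in one day
    $ok | Group-Object { $_.User + '|' + $_.When.ToString('yyyy-MM-dd') } |
        Where-Object Count -gt $MaxPerDay | ForEach-Object {
            $first = $_.Group[0]
            Add-Finding 'ActivationBurst' $first.User $first.When.Date "$($_.Count) activations on $($first.When.ToString('yyyy-MM-dd'))"
        }

    # Rule 3: repeated failed activation attempts (for example MFA not satisfied)
    $Events | Where-Object Result -ne 'success' | Group-Object User |
        Where-Object Count -ge $MaxFailures | ForEach-Object {
            $reasons = ($_.Group.Reason | Sort-Object -Unique) -join ', '
            Add-Finding 'RepeatedFailures' $_.Name $_.Group[-1].When "$($_.Count) failures: $reasons"
        }

    return $findings
}

# Expected on the sample data: bob (02:40) and alice (Sunday) out of hours,
# dave as an activation burst (4 in one day), carol for repeated failures.
Find-SuspiciousPimActivity -Events $SampleEvents | Sort-Object When | Format-Table -AutoSize
```

The rules are deliberately simple so that the output is explainable to the approver who has to follow up; a SIEM would typically add a per-user baseline (usual hours, usual roles) rather than one fixed business window, and the same findings objects can be posted to a ticketing system or an RMM alert rather than printed.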

Additional considerations for JIT and PIM

When configuring Azure JIT access in PIM, you should also consider your workflows and user roles. Users with the ability to approve elevation requests should be chosen carefully and must understand the implications of each request they approve. Prefer narrowly scoped roles (including custom roles) over Global Administrator, so that each activation grants only the privilege the task needs, in keeping with the principle of least privilege.

Roles should also be reviewed regularly, with assignments that are no longer required removed. Make the cleanup of roles and assignments part of staff onboarding and offboarding procedures.

Troubleshooting Azure Just-in-Time access

If your Azure JIT implementation is not functioning as expected, be sure to check for the following issues:

  1. Role is not assignable: Ensure user is not already active or assigned via group
  2. Activation denied: Check for missing MFA or justification, and confirm the requested duration does not exceed the maximum activation duration in the role settings
  3. Graph API errors: Confirm required permissions and scope during token request
  4. Local users can bypass restrictions: Verify GPO and registry restrictions are in place to prevent elevation via local admin accounts

NinjaOne RMM provides enhanced visibility and control over your entire IT infrastructure and endpoints

Microsoft Entra ID Privileged Identity Management provides a complete JIT administrative elevation solution that is enforced at the cloud level. The security offered by this functionality can be extended using Remote Monitoring and Management (RMM) by NinjaOne to get full insights into all of your devices, services, and user activity in one place, and automate the deployment of configurations across all devices.

NinjaOne’s MSP and UEM platform provides tools for script enforcement, pushing registry or GPO policies, and supports monitoring log files and Windows Events for full auditing capability (including privilege escalations). It also includes reporting and compliance logging so you can correlate PIM activation with endpoint activity, ensuring administrative escalation is authorized and used responsibly.

NinjaOne also includes automation tools that can automatically disable user accounts if suspicious activity is detected, isolate affected systems, and escalate tickets to the relevant stakeholder or run remediation scripts — greatly enhancing your ability to automate security incident response.

FAQs

JIT access lets admins grant temporary elevated privileges that expire automatically, reducing the risk of long-term admin accounts being exploited.

Microsoft Entra Privileged Identity Management (PIM) enforces JIT access by requiring MFA, approvals, and justification for elevation, while logging and auditing every activation to maintain compliance and minimize privilege misuse.

You’ll need an Azure AD Premium P2 license, admin rights (Global or Privileged Role), and access to the Microsoft Entra Admin Center or PowerShell.

Yes. You can use Microsoft Graph or PowerShell scripts to automate temporary role activations and link them to your help desk or ticketing system.

Review Entra audit logs, use PowerShell for reports, and set up alerts in SIEM or RMM tools for failed MFA attempts or suspicious activations.
