How to Implement Just-in-Time Access for Privileged Accounts

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Most organizations give a small number of IT staff permanent Domain Admin, Global Administrator, or cloud admin access. These accounts are always-on elevated access: if a credential is compromised, an attacker immediately has full administrative control.
Just-in-time access changes the model: the admin account has no standing permissions. When a task requires elevated access, the user requests it (with a justification), receives it for a defined window (1-8 hours), and the access is automatically revoked when the window expires. An attacker who compromises the account outside an active JIT window gets a non-privileged account.
Microsoft Entra Privileged Identity Management (PIM): Step-by-Step
Entra PIM is included in Azure AD P2 and Microsoft 365 E5/Business Premium plans. It implements JIT for Azure AD directory roles, Azure subscription roles, and Microsoft 365 roles.
Step 1: Identify current standing privileged assignments
# Install the Microsoft Graph module if not present
Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "RoleManagement.Read.Directory"
# List all permanent Global Admin assignments (not JIT-eligible)
Get-MgRoleManagementDirectoryRoleAssignment |
Where-Object { $_.AssignmentType -eq 'Assigned' } |
Join-Object -MergeScript {
Get-MgDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId
} | Where-Object { $_.DisplayName -eq 'Global Administrator' } |
Select-Object PrincipalId, DirectoryScopeId
Step 2: Convert standing assignments to eligible assignments
In the Entra portal (entra.microsoft.com):
- Navigate to Identity Governance > Privileged Identity Management > Azure AD Roles
- Select the role to configure (e.g., Global Administrator)
- Under 'Assignments', find each permanent (Active) assignment
- Click the assignment > Change type > Eligible
- Set the eligible assignment duration (recommend 12 months, requiring annual renewal review)
The user now has no standing Global Admin access. When they need it, they activate it through PIM.
Step 3: Configure activation requirements
For each role under Settings:
- Activation maximum duration: 4-8 hours for standard admin tasks; 1 hour for highly privileged roles (Global Admin, Privileged Role Admin)
- Require justification: Yes: users must provide a business justification for each activation
- Require approval: Yes for highly privileged roles; optional for lower-risk roles (speeds up workflows for frequently-used access)
- Require MFA: Yes: always require MFA re-authentication at activation, even if MFA was already satisfied earlier in the session
- Require ticket information: Optional: useful in organizations with ITSM tools (require a ServiceNow ticket number)
Step 4: Test the activation workflow
As a user with an eligible assignment:
- Navigate to entra.microsoft.com > My roles
- Click 'Activate' next to the eligible role
- Provide justification, complete MFA, wait for approval if required
- Verify access is granted for the configured window
- Verify the role appears in the Audit log with the justification text
AWS JIT Access with Temporary Role Assumption
AWS implements JIT through IAM role assumption with temporary credentials. Instead of assigning permanent Admin permissions to IAM users, users assume a privileged role for a temporary session.
Step 1: Create the privileged role
// Create an IAM role with an AdministratorAccess policy and a trust policy
// that allows specific IAM users to assume it
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:user/alice",
"arn:aws:iam::123456789012:user/bob"
]
},
"Action": "sts:AssumeRole",
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "true" // Require MFA to assume the role
},
"NumericLessThan": {
"aws:MultiFactorAuthAge": "3600" // MFA must have been used within the last hour
}
}
}]
}
Step 2: Grant users the permission to assume the role (only)
The IAM users themselves have minimal permissions: only the ability to assume the privileged role:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::123456789012:role/PlatformAdminRole"
}]
}
Step 3: Assume the role to get temporary credentials
# Assume the admin role with a 1-hour session (3600 seconds)
# Note: max duration is 12 hours, configurable per role
aws sts assume-role \
--role-arn "arn:aws:iam::123456789012:role/PlatformAdminRole" \
--role-session-name "alice-maintenance-$(date +%Y%m%d%H%M%S)" \
--duration-seconds 3600 \
--serial-number arn:aws:iam::123456789012:mfa/alice \
--token-code 123456 # MFA token code
The response contains temporary AccessKeyId, SecretAccessKey, and SessionToken valid for exactly 3600 seconds. When the session expires, the credentials stop working: no manual revocation required.
Step 4: Require session name to include justification
Configure your IAM policy to require that role session names follow a naming convention that includes a ticket number:
"Condition": {
"StringLike": {
"sts:RoleSessionName": "*-TICKET-*" // Require ticket reference in session name
}
}
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Monitoring and Break-Glass Access
Monitoring JIT access:
All JIT activations should be logged and monitored:
/* Splunk: Azure PIM activation audit */
index=azure_audit OperationName="Add eligible member to role in PIM completed"
| table TimeGenerated, UserPrincipalName, TargetRole, Justification, Duration
| sort -TimeGenerated
/* Alert: After-hours PIM activation (potential credential compromise) */
index=azure_audit OperationName="Add eligible member to role in PIM completed"
| eval hour = strftime(_time, "%H")
| where hour < 7 OR hour > 19 /* Outside normal business hours */
| table TimeGenerated, UserPrincipalName, TargetRole, Justification
Break-glass accounts:
JIT access requires the authentication system to be operational: if Entra PIM is unavailable, nobody can activate privileged roles. Every JIT implementation needs at least one break-glass account: a permanent Global Admin account (for Azure) or an IAM user with AdminstratorAccess (for AWS) that is:
- Stored in a sealed physical envelope in a secure location (not a password manager)
- Protected with MFA via a hardware key (not a software authenticator that requires a functional device)
- Monitored with an alert that fires any time the account is used
- Tested semi-annually to verify the credentials still work
The break-glass account is the last resort: its use should trigger immediate investigation of whether normal access paths are working and why the break-glass was needed.
The bottom line
Just-in-time access replaces standing admin permissions with time-limited, request-based elevation: using Entra Privileged Identity Management for Microsoft 365 and Azure environments, and IAM role assumption with temporary STS credentials for AWS. Configure PIM eligible assignments with justification requirements, MFA at activation, and 4-8 hour maximum windows. For AWS, scope the trust policy to require MFA and set session duration to match task requirements. Maintain one break-glass account per environment with hardware-key MFA and an alert on any use.
Frequently asked questions
What is just-in-time privileged access?
Just-in-time (JIT) privileged access eliminates standing administrative permissions: instead of permanent admin access, users request elevated permissions when needed, receive them for a defined window (typically 1-8 hours), and access is automatically revoked when the window expires. If a privileged account is compromised outside an active JIT window, the attacker gets only the account's baseline (non-elevated) permissions.
How do I implement just-in-time access in Microsoft Azure?
Use Microsoft Entra Privileged Identity Management (PIM), included in Azure AD P2 and Microsoft 365 E5/Business Premium. Convert standing role assignments to 'eligible' assignments in the PIM portal. Configure each role's activation settings to require MFA, justification, and optionally approval. Users activate their eligible roles on demand and receive time-limited access that auto-expires.
How do I implement just-in-time access for AWS IAM roles?
For AWS, JIT access uses IAM role assumption with time-limited STS credentials. The pattern: users have a base IAM identity with no data access permissions; a privileged role exists with a trust policy restricting assumption to specific users with MFA (condition: aws:MultiFactorAuthPresent = true); users run 'aws sts assume-role' to get temporary credentials valid for a defined session duration (set MaxSessionDuration to 1-8 hours). For a more complete JIT workflow, use AWS IAM Identity Center (formerly SSO) with permission sets that have time-limited access, or third-party tools like CyberArk, HashiCorp Vault, or Teleport for access request and approval workflows.
What is a break-glass account and when should you use one?
A break-glass account is an emergency admin account with permanent standing access, used only when JIT access mechanisms are unavailable (identity provider outage, PIM service disruption, MFA infrastructure failure). Configuration requirements: one account per cloud environment; protected by hardware FIDO2 MFA key stored in a physical safe; credentials sealed in an envelope or vault with a documented break-glass procedure; any activation generates an immediate alert to the security team and CISO. After each use, rotate the password, review the audit log of all actions taken, and schedule a post-incident review. Test the break-glass process quarterly in a non-production environment.
What is the difference between JIT access and PAM (Privileged Access Management)?
PAM is the broader discipline of securing, controlling, and auditing privileged accounts: it includes password vaulting, session recording, credential injection, and access governance. JIT access is one capability within PAM that eliminates standing privileges. Full PAM platforms (CyberArk, BeyondTrust, Delinea) provide session recording and keystroke logging alongside JIT workflows, which is required for compliance frameworks like PCI DSS and SOX. Entra PIM and AWS IAM Identity Center provide JIT access capabilities without full session recording. Organizations with compliance requirements for privileged session audit trails typically need a dedicated PAM platform rather than cloud-native JIT tools alone.
How do you scope and right-size JIT access windows for different administrative tasks?
Access window duration should match the longest legitimate task requiring that privilege level, not the longest conceivable task. Start by cataloging your most common administrative activities: a routine server patch might take 30-45 minutes, a database schema migration 2-4 hours, a disaster recovery exercise a full business day. Set maximum windows based on these real workflows rather than arbitrary defaults. A tiered approach works well in practice: Tier 1 highly privileged roles (Global Administrator, Domain Admin, AWS root equivalent) get a 1-4 hour maximum with required approval and MFA; Tier 2 administrative roles (Exchange Administrator, resource group owner, database administrator) get 4-8 hours with MFA and justification but no approval gate; Tier 3 read-heavy roles (security reader, monitoring operator) get up to 8 hours with justification only. Review activation logs monthly to identify patterns: if 80% of Global Admin activations are closed within 45 minutes, your 8-hour window is wider than operational need requires. For Entra PIM, the activation maximum duration is configurable per role in the role settings blade. For AWS, it is the MaxSessionDuration field on the IAM role resource. Tighten windows whenever audit data shows activations are routinely shorter than the configured maximum.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
