How To - Create AD Just-in-Time Accounts (Active Directory)

Introduction

Just-in-time (JIT) accounts are a feature that temporarily enables a privileged account. With JIT accounts, you can be assured that they will be automatically disabled, removed from the privileged security group, and their passwords rotated upon expiry, making them highly secure.

Each JIT account is created for an individual, which creates an audit log that can be easily tracked to that person. This also helps ensure compliance by avoiding shared credentials and maintaining the principle of no standing privileges.

CyberQP provides the convenience of directly creating and managing your JIT accounts from the dashboard. As of the latest update to this KB article, the dashboard supports JIT creation in Active Directory accounts, local machine, and Entra ID. Please see the bottom of this KB to find links on how to implement these features.

 

In this article, we'll walk you through the steps of setting up and using Active Directory sourced JIT accounts.

Prerequisite

• Machines must have the latest CyberQP agent installed
• Just-in-time feature has been enabled in tenant settings according to - Enabling Just-in-time privileged accounts feature for QGuard
• Active QGuard Pro subscription
• Signed in with a Primary or Super role technician user, or a technician user that is part of a CyberQP Technician Group granted access to a JIT Policy

Creating an AD JIT account from the Dashboard

1. Navigate to a customer
2. Click Just-in-time Accounts in the sidebar
3. Click Activate JIT Account
4. Click Active Directory
5. Adjust the Username if needed (NOTE: Username edit is only available during initial creation)
6. Set Duration the account should be enabled
7. Provide a Reason for the creation of the JIT account (NOTE: Currently, entry of an URL in the reason field is not supported)
8. Select the desired JIT Policy to use
9. Click Activate

Re-enable a Previously AD Created JIT Account from the Dashboard

1. Open a Customer
2. Click Just-in-time Accounts in the sidebar
3. Locate the JIT account that you wish to re-enable
4. Click the three-dot menu > Enable Account
5. Provide a Reason and set the Duration
   1. NOTE: If a different JIT Policy is desired, click the Pencil Icon inside the Select JIT Policy box and select the desired JIT Policy

Just-In-Time (JIT) Alert Configuration

Background

Previously, all users with Primary or Super roles automatically received all Just-In-Time (JIT) notifications.
With this update, JIT alerts can now be customized and controlled directly within the Alerts settings.

How to Configure JIT Alerts

1. Log in to the CyberQP Dashboard
2. Navigate to:
   • Alerts menu
3. Locate the new section:
   • Just-In-Time Accounts
4. You will see the following alert types:
   • JIT Account Created
   • JIT Account Enabled
   • JIT Account Failed to Disable
5. By default, all alert toggles are OFF
6. Enable the desired alert types by toggling them ON
   • You may select:
     • One alert type
     • Multiple alert types
     • All alert types

Alert Behavior

• Only enabled (ON) alert types will trigger email notifications
• If a specific alert type is OFF, no notifications will be sent for that event
• Notifications are sent only to subscribed email recipients

Important Notes

• Alerts must be explicitly enabled in the Alerts menu
• Ensure at least one alert type is enabled to receive JIT-related notifications
   

Other Articles

• How To - Create Entra ID Just-in-Time Accounts (M365)
• How To - Create Local Machine Just-In-Time Accounts (Local)
• Answering Just-In-Time FAQ – CyberQP (getquickpass.com)