Introduction
Just-in-time (JIT) accounts are a feature that temporarily enables a privileged account for an approved duration. When that duration expires, the JIT account is automatically disabled, removed from the privileged security group, and has its password rotated, so no standing privileged credential is left behind.
Each JIT account is created for an individual, which produces an audit trail that can be easily traced to that person. This also helps ensure compliance by avoiding shared credentials and maintaining the principle of no standing privileges.
CyberQP provides the convenience of directly creating and managing your JIT accounts from the dashboard. As of the latest update to this KB article, the dashboard supports JIT creation in Active Directory, local machine, and Entra ID. Please see the bottom of this KB for links on how to implement these features.
In this article, we'll walk you through the steps of creating Entra ID JIT accounts.
Prerequisites
- The CyberQP Enterprise Application in your Azure tenant has assignments to both the Privileged Authentication Administrator role and the Privileged Role Administrator role, as described in the article "How to Connect an Azure/Entra AD / M365 tenant to a Quickpass Customer"
- The Just-in-Time feature has been enabled in the CyberQP tenant settings, as described in the article "Enabling Just-in-time privileged accounts feature for QGuard"
- At least one M365 JIT Policy has been created
- Active QGuard Pro subscription
- Signed in with a Primary or Super role technician user, or a technician user that is part of a CyberQP Technician Group granted access to a JIT Policy
Creating an Entra ID JIT account from the Dashboard
- Navigate to a customer
- Click Just-in-time Accounts in the sidebar
- Click Activate JIT Account
- Click Microsoft 365
- Adjust the Username if needed (NOTE: Username edit is only available during initial creation)
- Set Duration the account should be enabled
- Provide a Reason for the creation of the JIT account (NOTE: Currently, entry of a URL in the reason field is not supported)
- Select the desired JIT Policy to use
- Click Activate
Setting up MFA/OTP for M365/Azure/Entra JIT accounts
When you first sign in to the Azure/Entra/M365 environment with the JIT account, Microsoft's policy to enforce MFA for all accounts may require you to register an MFA method. You can either use the Microsoft Authenticator application OR store the OTP secret key directly within the Dashboard account.
- If you want to use the Microsoft Authenticator app, follow the prompts on that screen.
- If you would like to store the MFA code directly within the CyberQP Dashboard, click the "I want to use a different authenticator app" link.
- Click NEXT on the prompt to set up the MFA app.
- Click "Can't scan image" just below the QR code.
- Copy the Secret key value.
- On the CyberQP Dashboard display of the JIT account Details, click the Setup OTP button.
- Paste the value from the Microsoft MFA setup screen and click Save.
- The 6-digit OTP code is displayed with its countdown in small text just below it.
- Copy this value, paste it back into the Microsoft MFA setup screen, and click NEXT.
- Follow any additional prompts to set up secondary MFA options if required.
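The Secret key you copy from the "Can't scan image" screen is a standard time-based one-time password (TOTP, RFC 6238) seed, and the 6-digit code plus countdown that the Dashboard shows after Setup OTP are derived from it. The following is an added illustration of that derivation, written for this article; it is not CyberQP's or Microsoft's code, and it assumes the default TOTP parameters (HMAC-SHA1, 30-second step, 6 digits) that the Microsoft Authenticator setup screen uses.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_secret(secret_b32: str) -> bytes:
    """Decode the secret key as Microsoft displays it: grouped, any case, unpadded base32."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # restore the base32 padding the display omits
    return base64.b32decode(s)


def totp_code(secret_b32: str, unix_time: float, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the current time step, dynamically truncated."""
    counter = int(unix_time) // period
    msg = struct.pack(">Q", counter)  # 8-byte big-endian time-step counter
    digest = hmac.new(decode_secret(secret_b32), msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def seconds_remaining(unix_time: float, period: int = 30) -> int:
    """The countdown shown under the code: seconds until the current step rolls over."""
    return period - int(unix_time) % period


if __name__ == "__main__":
    # Constructed sample secret (the RFC 6238 test key, base32 encoded); not a real tenant secret.
    SAMPLE_SECRET = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"
    now = time.time()
    print(totp_code(SAMPLE_SECRET, now), "valid for", seconds_remaining(now), "s")
```

Because the stored secret key alone is enough to produce valid codes, it deserves the same protection and audit scope as the JIT account's password.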
Re-enable a Previously Created Entra ID JIT Account from the Dashboard
- Open a Customer
- Click Just-in-time Accounts in the sidebar
- Locate the JIT account that you wish to re-enable
- Click the three-dot menu > Enable Account
- Provide a Reason and set the Duration
- NOTE: If a different JIT Policy is desired, click the Pencil Icon inside the Select JIT Policy box and select the desired JIT Policy
If you have set up the Microsoft OTP code as described above, the OTP code is displayed when the JIT account is activated.
NOTE: If you plan to use Entra ID JIT with Global Administrator to manage Azure resources, such as Subscriptions, reference the Microsoft article "Elevate access to manage all Azure subscriptions and management groups" to grant the Entra ID JIT account the User Access Administrator role in Azure.
Just-In-Time (JIT) Alert Configuration
Background
Previously, all users with Primary or Super roles automatically received all Just-In-Time (JIT) notifications.
With this update, JIT alerts can now be customized and controlled directly within the Alerts settings.
How to Configure JIT Alerts
- Log in to the CyberQP Dashboard
- Navigate to the Alerts menu
- Locate the new section: Just-In-Time Accounts
- You will see the following alert types:
  - JIT Account Created
  - JIT Account Enabled
  - JIT Account Failed to Disable
- By default, all alert toggles are OFF
- Enable the desired alert types by toggling them ON
- You may select one alert type, multiple alert types, or all alert types
Alert Behavior
- Only enabled (ON) alert types will trigger email notifications
- If a specific alert type is OFF, no notifications will be sent for that event
- Notifications are sent only to subscribed email recipients
Important Notes
- Alerts must be explicitly enabled in the Alerts menu
- Ensure at least one alert type is enabled to receive JIT-related notifications