Introduction
There is a known issue where the Azure AD JIT account does not get removed from the privileged role at expiry. The account is still disabled and its password is still rotated. Our team is working on a fix, which we plan to release early next week.
Just-in-time (JIT) accounts are privileged accounts that are enabled only for a requested, limited duration. When that duration expires, the account is automatically disabled, removed from the privileged security group or role, and its password is rotated, so a credential that leaks has only a short window in which it can be used.
Each JIT account is created for an individual technician, so audit log entries can be attributed to one person. This avoids shared credentials and maintains the principle of no standing privileges.
CyberQP lets you create and manage your JIT accounts directly from the dashboard. As of the latest update to this KB article, the dashboard supports Active Directory accounts, Azure AD accounts (Early Access), and Local accounts (Early Access).
If Just in Time access was previously enabled for Active Directory only, the Settings page configuration will need to be disabled and re-enabled with the new Source Types selected.
In this article, we'll walk you through the steps of setting up and using Azure AD JIT accounts.
Prerequisites
- Make sure the CyberQP enterprise app on your Azure AD instance is assigned either the Global Administrator role, or both the Privileged Authentication Administrator and Privileged Role Administrator (NEW) roles. See: https://support.getquickpass.com/hc/en-us/articles/360039678373-How-to-Connect-a-Azure-Office-365-tenant-to-Quickpass-Customer
- Active QGuard subscription
- Either hold the primary or super role, or be a member of a CyberQP group that has access to the Just-in-time feature. Follow the instructions in this article to enable the JIT feature first: Enabling Just-in-time privileged accounts feature for QGuard
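As an added check (example code written for this article, not CyberQP's or Microsoft's own tooling), the following Microsoft Graph PowerShell script verifies the role-assignment prerequisite above and, given the known issue noted in the introduction, whether an expired JIT account is actually disabled and holds no directory role. The enterprise-app display name 'CyberQP' and the UPN 'jit-tech1@contoso.com' are placeholders; replace them with your tenant's values.

```powershell
# Added example (not CyberQP's code): audit the Entra ID directory roles held by a principal.
# Assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in admin can
# consent to RoleManagement.Read.Directory, Application.Read.All and User.Read.All.
# Both parameter defaults are placeholders for this article.
param(
    [string]$EnterpriseAppName    = 'CyberQP',                  # assumed display name of the enterprise app
    [string]$JitUserPrincipalName = 'jit-tech1@contoso.com'     # assumed UPN of an expired JIT account
)

Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','Application.Read.All','User.Read.All' | Out-Null

# Resolve the active directory-role assignments of a principal (service principal or user)
# to role display names. Only direct, active assignments are returned by this filter.
function Get-DirectoryRoleNames {
    param([Parameter(Mandatory)][string]$PrincipalId)
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$PrincipalId'"
    foreach ($a in $assignments) {
        (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $a.RoleDefinitionId).DisplayName
    }
}

# 1. Prerequisite check: the enterprise app must hold Global Administrator, or both
#    Privileged Authentication Administrator and Privileged Role Administrator.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$EnterpriseAppName'"
if (-not $sp) { throw "Enterprise app '$EnterpriseAppName' not found in this tenant." }
$spRoles = @(Get-DirectoryRoleNames -PrincipalId $sp.Id)
$hasGa   = $spRoles -contains 'Global Administrator'
$hasPair = ($spRoles -contains 'Privileged Authentication Administrator') -and
           ($spRoles -contains 'Privileged Role Administrator')
Write-Host "Enterprise app roles: $($spRoles -join ', ')"
if ($hasGa -or $hasPair) { Write-Host 'Prerequisite OK' } else { Write-Warning 'Prerequisite NOT met' }

# 2. Expiry check: an expired JIT account should be disabled and hold no directory role.
$user = Get-MgUser -UserId $JitUserPrincipalName -Property Id,AccountEnabled,UserPrincipalName
$userRoles = @(Get-DirectoryRoleNames -PrincipalId $user.Id)
Write-Host "$($user.UserPrincipalName): accountEnabled=$($user.AccountEnabled); roles: $($userRoles -join ', ')"
if ($user.AccountEnabled)   { Write-Warning 'JIT account is still enabled' }
if ($userRoles.Count -gt 0) { Write-Warning 'JIT account still holds a privileged role (see the known issue above)' }
```

Run it from an account that can read directory role assignments; the second check is the one to run after a JIT session expires while the known issue is open. If the warning fires, the leftover assignment can be removed with Remove-MgRoleManagementDirectoryRoleAssignment. Note that the principalId filter only sees direct assignments, so a role granted through a role-assignable group would not be reported by this script.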
Creating a new Azure AD JIT account from the dashboard
- Navigate on the Quickpass Dashboard to a customer that has the CyberQP enterprise app for Office 365 connected
NOTE: Just in Time Accounts for Local and Azure can only be created from the Dashboard. JIT Accounts CAN be re-enabled and used for Credential injection from the Desktop App.
- Click Just-in-time Accounts in the sidebar
- Click Create Account
- Adjust the username and duration if needed
- Provide a reason for the creation of the JIT account
- Select Office 365 as the directory source type
- Specify a Privileged Azure/Entra Role
- Click the now-activated Create Account button
Re-enabling a previously used JIT Account from the dashboard
- Navigate to a customer that has the CyberQP enterprise app for Office 365 connected
- Click Just-in-time Accounts in the sidebar
- Locate the JIT Account that you wish to re-enable > Click the three-dot menu > "Enable Account"
- Provide a reason and extend or shorten the duration if needed
- Click Enable
Re-enabling a previously created Azure AD JIT Account from the desktop app
- After logging into the Desktop App, select the Customer and then the Just in Time Accounts section. Any JIT account previously created for this login and this customer will be displayed.
- The Status column shows the current status of the JIT Account. If it shows Disabled, the account's previous usage time has expired and the account must be re-enabled before it can be used again.
- To re-enable the previously created JIT account, select the three-dot menu beside the account.
- Selecting Enable Account opens the enable dialog.
- Fill in the Reason for Enabling, select an appropriate duration, and then click Enable.
- The JIT Accounts list will update once the account has been enabled again.
NOTE: If you plan to use an Entra ID JIT account with Global Administrator to manage Azure resources such as subscriptions, reference the Microsoft article below to grant the Entra ID JIT account the User Access Administrator role in Azure.
- Microsoft reference article - Elevate access to manage all Azure subscriptions and management groups