Intro
Just-In-Time (JIT) privileged accounts provide an added layer of security by restricting access to critical resources only when necessary. CyberQP enables you to configure JIT accounts, ensuring that your organization can better manage and control privileged access. This article will guide you through the steps to enable JIT accounts in your CyberQP environment.
Prerequisites
- You need to have Primary or Super Role
- You must have an active QGuard subscription
Feature Enhancements
Create and edit Multiple Policies
You can now create, edit, and delete multiple policies for each directory source (Active Directory, Entra ID , and Local System Directories).
All privileges will be removed when the JIT account expired with CyberQP, this now includes ANY other privileges that someone may have added after the JIT account was created on Active Directory, Entra ID or, Local System Directories.
Restrict Policy to specific customer(s).
You can now modify or create new Just in Time Policies to be restricted to a Customer/Set of Customers.
Now you can restrict which Customer(s) you wish to limit the Just in Time Policy to. An example of this is when special Security Groups are required to manage LOB applications for your customer. You may want to limit a Just in Time Policy to just those specific Customer(s) where that LOB application is required.
Steps to Enable JIT Privileged Accounts:
Enable Just In Time
- Access the QGuard Settings Page
- Log in to your CyberQP account with super or primary role permissions.
- Navigate to the "Settings" in the side bar within the dashboard and hit the drop down.
- Enable JIT Accounts:
- Locate the "Just-in-time Accounts" tab and click on it
- Click on the "Enable" button to initiate the configuration process.
-
Option to Enforce .onmicrosoft Domain for M365 JIT Accounts
If you are using M365 JIT accounts, then you can enforce the use of the .onmicrosoft domain for to ensure separation from daily driver accounts and avoid unintended bypass of conditional access policies tied to custom domains. This can also help avoid licensing costs.
Once enabled, all new M365 JIT accounts created via Dashboard, QTech App, or Windows App will use the .onmicrosoft domain.Sources
-
Configure Directory Sources:
- In the next step, you will need to select the directory sources for which you want to configure JIT accounts. You can choose from AD (Active Directory), Azure AD (Azure Active Directory), and Local.
Feature Enhancement Update - July 2024: You will now be able to create multiple policies using an already utilized directory source.
Just in Time Policy Naming
- In the next step, you will need to select the directory sources for which you want to configure JIT accounts. You can choose from AD (Active Directory), Azure AD (Azure Active Directory), and Local.
-
Specify the Name and Description of your policy
Give your policy a name and description. This name will be seen and searchable by your technicians when they go to create or re-enable a JIT account. We suggest including the name of the technical task this policy can be used to achieve. (EG: “Backup Exchange Mailboxes”)Technician Access
- Define Access for Your Team
Determine who on your team should have access to JIT accounts. You have two options:- Restrict access to super and primary roles only.
- Only a Primary or Super Dashboard Login Role will see this policy. Use this for testing or for very high level permission access (Domain/Enterprise/Schema Admin, Global Admin/Exchange Admin, etc.)
- Only a Primary or Super Dashboard Login Role will see this policy. Use this for testing or for very high level permission access (Domain/Enterprise/Schema Admin, Global Admin/Exchange Admin, etc.)
-
Select specific groups of technicians who can create and manage JIT accounts using the duration and privileges listed in the policy.
You may also create a separate policy to segment technicians with different privilege levels for the selected directory source.
NOTE: Primary and Super role login users will always have access. If restricted to specific login groups is chosen, the selected Login Groups will be in ADDITION to Super and Primary roles.
NOTE: The HelpDesk role can be added to a Login Group, however, helpdesk roles do not get access to JIT-privileged accounts. Only engineers, managers, and admins can access JIT accounts
NOTE: Selected technicians will only gain access to create JIT accounts for customers they have access to.
Customer Access
- Restrict access to super and primary roles only.
- Specify Customer Access
Specify which Customer(s) you wish this Just in Time Policy to be active for. The JIT Policy will only be visible for Customers in the Group you have selected. You have 2 Options.-
All Customers Technician has access to
If the technician is assigned to a Technician Group (see step 6) that has access to this Just in Time Policy AND they have access to a Customer Group, this Policy will be available for selection during the Creation or Re-Enable. -
Restrict to Specific Customer Group (you must have the Customer Group created ahead of time)
If the Customer where a Just in Time Policy is being Created or Re-enabled is selected, the Just in Time Policy will ONLY be available at that customer.
- Click the "Add/Edit Group" button
- Select (via checkbox) the Customer Groups that you DO want this Just in Time Policy to be visible for. If the Technician is on a Customer screen that is NOT part of this group, they will not be able to select this Just in Time Policy.
NOTE: Selected technicians will only gain access to create JIT accounts for customers they have access to. - Click Select once completed.
-
The List of Customer Groups will be listed just below the Add/Edit Customer Group screen.
JIT Active Duration
-
- Specify allowable JIT account durations:
- Specify the durations your technicians are allowed to use when creating or re-enabling a JIT account for the specific policy. (you may also later create a second policy if you want to restrict a second set to more or less “Durations”)
Make sure the CyberQP enterprise app on your Azure AD instance has assignments to either Global Administrator or both Privileged Authentication Administrator and Privileged Role Administrator(NEW) roles
- Specify the durations your technicians are allowed to use when creating or re-enabling a JIT account for the specific policy. (you may also later create a second policy if you want to restrict a second set to more or less “Durations”)
Access Groups
- Select Privileged Security Groups/Roles:
- For each selected directory source, choose the privileged security groups/Role that you want to make available for your technicians to use for creating JIT accounts.
NOTE: Before July 2024, CyberQP only allowed a single privilege to be selected and applied to the JIT account during creation. Now, we will apply all privileges set on the policy to the JIT account. If you want only one privilege to be used on the JIT policy, please select only one privilege.
- Save Your Configuration:
- After defining the directory sources and access permissions, click the "Save" button to apply your JIT account settings.
- If configuration changes are needed, you may edit each policy using the pencil icon, or delete and re-create the desired policy.
Use this to do things like:
- Update an existing policy to add or remove privileges and/or durations without disabling the JIT feature.
- Delete / Turn off a specific policy for a specific directory source.
- Create / Enable a specific policy for a directory source, should it not already be enabled.
Congratulations! You have successfully enabled JIT accounts in QGuard. The selected technicians will now have the ability to see the "Just-In-Time Accounts" menu within each customer and utilize JIT accounts as needed.
Just-In-Time (JIT) Alert Configuration
Background
Previously, all users with Primary or Super roles automatically received all Just-In-Time (JIT) notifications.
With this update, JIT alerts can now be customized and controlled directly within the Alerts settings.
How to Configure JIT Alerts
- Log in to the CyberQP Dashboard
- Navigate to:
- Alerts menu
- Locate the new section:
- Just-In-Time Accounts
- You will see the following alert types:
- JIT Account Created
- JIT Account Enabled
- JIT Account Failed to Disable
- By default, all alert toggles are OFF
- Enable the desired alert types by toggling them ON
- You may select:
- One alert type
- Multiple alert types
- All alert types
- You may select:
Alert Behavior
- Only enabled (ON) alert types will trigger email notifications
- If a specific alert type is OFF, no notifications will be sent for that event
- Notifications are sent only to subscribed email recipients
Important Notes
- Alerts must be explicitly enabled in the Alerts menu
- Ensure at least one alert type is enabled to receive JIT-related notifications
Next
Comments
1 comment
Multi-Policy JIT has been enabled. Please review the updated KB.
Please sign in to leave a comment.