Overview
M365 Just-in-Time (JIT) Accounts can be configured to use security groups in addition to built-in privileged roles. When a JIT account is activated using a Microsoft 365 JIT policy that contains security groups, the account is automatically made a member of the specified security group(s) if they exist on the M365 domain. Once the JIT session ends, either by expiry or early disable, the account is removed from those groups. By leveraging custom security groups, you can tailor JIT account permissions to better fit your organization's security and access control requirements.
Note: Please ensure that the QTech mobile app is updated to the latest version to access this feature.
Prerequisites
- You must have the Super or Primary role to manage JIT policies.
Defining Security Groups in an M365 JIT Policy
To define security groups, follow these steps:
- Navigate to Settings > Just-in-Time Accounts.
- You can either create a new M365 policy or update an existing one to include security groups.
Creating a New Policy with Custom Groups
- Click on + New Policy.
- Define the name, description, access, duration options, and privileged roles as needed.
- Next go to the Custom Security Groups section.
- Click on + Add Custom Group.
- Enter the names of the custom security groups.
  - Separate multiple group names with line breaks.
- Click + Add to submit the groups.
- Click on the trash icon to remove any unwanted groups.
- Save the policy.
Updating an Existing M365 Policy to Add Custom Groups
- Locate and click Edit on the existing M365 policy you want to modify.
- In the policy form, navigate to the Custom Security Groups section.
- Click on + Add Custom Group.
- Enter the names of the custom security groups, using line breaks to separate multiple names.
- Click + Add to submit the groups.
- Use the trash icon to remove any unwanted groups.
- Save the updated policy.
Effect of Custom Security Groups on M365 JIT Accounts
- Any JIT account enabled or created under this policy will automatically be added to the specified security groups, provided they exist in the M365 environment.
- If a specified security group does not exist in the M365 environment, it will be ignored, and the JIT account will still be created or enabled with any other roles or security groups defined in the policy.
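Because a group name that does not exist is ignored rather than rejected, a typo in the policy silently produces a JIT account without the intended access. The following pre-flight check is an added example, not part of the product or of the original article: it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups) with Group.Read.All consent, and the group names are constructed samples.

```powershell
# Added example: verify the group names entered in a JIT policy against the tenant.
# Group names below are constructed samples; paste the names from your own policy.
$policyGroups = @"
JIT-Helpdesk-Admins
JIT-Exchange-Operators
JIT-Helpdesk-Admins
"@

Connect-MgGraph -Scopes 'Group.Read.All'

# Split on line breaks (the separator the policy form uses), trim whitespace,
# and drop blank lines and repeated entries.
$names = $policyGroups -split "`r?`n" |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ } |
    Sort-Object -Unique

$report = foreach ($name in $names) {
    # Escape single quotes for the OData filter literal.
    $escaped = $name -replace "'", "''"
    $filter  = "displayName eq '$escaped'"
    $found   = @(Get-MgGroup -Filter $filter -All -Property Id, DisplayName, SecurityEnabled)

    $status = if ($found.Count -eq 0) {
        'MISSING'        # no such group: the policy would ignore this entry
    } elseif ($found.Count -gt 1) {
        'AMBIGUOUS'      # display names are not unique in Entra ID
    } elseif (-not $found[0].SecurityEnabled) {
        'NOT-SECURITY'   # a group with this name exists but is not security-enabled
    } else {
        'OK'
    }

    [pscustomobject]@{
        Name    = $name
        Status  = $status
        Matches = $found.Count
        Ids     = ($found.Id -join ', ')
    }
}

$report | Format-Table -AutoSize

# Non-zero exit lets a scheduled job or pipeline flag a bad policy entry.
if ($report | Where-Object Status -ne 'OK') { exit 1 }
```

Run it before saving the policy and again after any group is renamed or deleted in the tenant, since either change turns a working entry into one that is ignored.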