
Configuring Just-In-Time Administration for On-Premises Domain Admin and Enterprise Admin Accounts Using Azure and Microsoft Entra Privileged Identity Management
Traditional Active Directory environments commonly assign permanent membership to privileged groups such as Domain Admins and Enterprise Admins. This standing-privilege model is one of the largest security risks in enterprise infrastructure: if a privileged credential is compromised, an attacker gains full control of the domain or the entire forest.
Modern security architecture eliminates permanent administrative privileges and replaces them with just-in-time elevation. Just-in-time (JIT) administration ensures that privileged permissions are granted only when needed and are automatically removed after a short duration.
Microsoft Entra Privileged Identity Management (PIM) provides a modern method to implement JIT privilege elevation for both Azure roles and on-premises Active Directory roles. By integrating Entra ID with Active Directory through Entra ID Connect and enabling privileged access groups, organizations can control membership of highly privileged on-premises security groups such as Domain Admins and Enterprise Admins using time-limited elevation.
This article explains how to configure JIT administration for on-premises high-privilege accounts using Microsoft Entra ID and Privileged Identity Management, without Microsoft Identity Manager (MIM).
1. Architecture Overview
The solution relies on hybrid identity integration between Active Directory and Microsoft Entra ID.
The architecture includes the following components:
Active Directory Domain Services
Microsoft Entra ID Tenant
Microsoft Entra ID Connect Synchronization
Microsoft Entra Privileged Identity Management
Privileged Access Groups
Privileged Access Workstations
High-privilege Active Directory groups such as Domain Admins and Enterprise Admins are controlled through synchronized groups that are managed through Entra ID PIM.
Administrators request temporary membership in privileged groups through Microsoft Entra Privileged Identity Management. The request requires justification and multi-factor authentication, and if approval is required, the request must be approved before activation. Once approved, temporary membership is granted for a defined period and automatically revoked after the expiration time.
2. Requirements
Before implementing this architecture, several prerequisites must be met.
The Active Directory domain functional level should be Windows Server 2016 or higher.
Microsoft Entra ID P2 licensing is required for Privileged Identity Management.
Microsoft Entra ID Connect must be deployed.
Hybrid identity synchronization between Active Directory and Entra ID must be operational.
Privileged administrative accounts must be separated from standard user accounts.
Multi-factor authentication must be enforced for privileged operations.
3. Recommended Privileged Account Design
Each administrator should have two identities:
A standard user account used for normal daily work.
A privileged administrative account used only for administrative tasks.
Example design:
User account: john.doe
Administrative account: john.doe.admin
The administrative account is used to request JIT access to privileged roles.
4. Create Privileged Access Groups
Privileged access groups control membership of the Active Directory high-privilege groups.
Create the following groups in Active Directory (created as JIT-DomainAdmins and JIT-EnterpriseAdmins in the commands below):
JIT Domain Admins
JIT Enterprise Admins
These groups will not contain permanent members.
Instead, they are synchronized to Entra ID and controlled through PIM.
Example PowerShell commands:
New-ADGroup -Name "JIT-DomainAdmins" -GroupScope Global -GroupCategory Security -Path "OU=PrivilegedGroups,DC=corp,DC=local"
New-ADGroup -Name "JIT-EnterpriseAdmins" -GroupScope Global -GroupCategory Security -Path "OU=PrivilegedGroups,DC=corp,DC=local"
Add these groups as members of the privileged groups (run in the forest root domain, where Enterprise Admins exists):
Add-ADGroupMember -Identity "Domain Admins" -Members "JIT-DomainAdmins"
Add-ADGroupMember -Identity "Enterprise Admins" -Members "JIT-EnterpriseAdmins"
At this stage the JIT groups are empty, but any member added to them inherits the privileges of Domain Admins and Enterprise Admins through the nesting.
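The following script is an added verification check and is not part of the article. It confirms the design above on the domain side: each JIT group is the only direct member of its privileged group, the JIT groups are empty between activations, and any other direct member of Domain Admins or Enterprise Admins is reported as standing privilege. It assumes the group names from the New-ADGroup commands above and treats the built-in Administrator account as the break-glass exception.

```powershell
# Added verification script; not part of the article. Confirms that each JIT
# group is nested in its privileged group, holds no members between activations,
# and that no other account sits directly in Domain Admins or Enterprise Admins.
# Group names are those from the New-ADGroup commands above. Run from the forest
# root domain, where Enterprise Admins exists.
Import-Module ActiveDirectory

# Privileged group -> JIT group that should be its only direct member
$GroupMap = @{
    'Domain Admins'     = 'JIT-DomainAdmins'
    'Enterprise Admins' = 'JIT-EnterpriseAdmins'
}

function Test-JitGroupDesign {
    param(
        [hashtable]$Map,
        # The built-in Administrator account is a default member of both groups;
        # it is kept here as the documented break-glass exception (assumption)
        [string[]]$AllowedStanding = @('Administrator')
    )
    foreach ($privileged in $Map.Keys) {
        $jit = $Map[$privileged]
        # Direct members only: the design relies on nesting, so no -Recursive
        $direct   = @(Get-ADGroupMember -Identity $privileged | Select-Object -ExpandProperty SamAccountName)
        $standing = @($direct | Where-Object { $_ -ne $jit -and $_ -notin $AllowedStanding })
        # Anyone in the JIT group right now holds an active, time-limited elevation
        $active   = @(Get-ADGroupMember -Identity $jit | Select-Object -ExpandProperty SamAccountName)
        [pscustomobject]@{
            PrivilegedGroup  = $privileged
            JitGroup         = $jit
            JitNested        = ($direct -contains $jit)
            StandingMembers  = ($standing -join ', ')
            ActiveElevations = ($active -join ', ')
            Compliant        = ($direct -contains $jit) -and ($standing.Count -eq 0)
        }
    }
}

Test-JitGroupDesign -Map $GroupMap | Format-Table -AutoSize
```

Any name in StandingMembers other than the allowed exception is permanent privilege that the design is meant to remove.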
5. Synchronize Groups with Microsoft Entra ID
Ensure that Microsoft Entra ID Connect synchronizes these groups to Entra ID.
Verify synchronization:
Open the Entra ID portal.
Navigate to Groups.
Confirm that the following groups appear:
JIT Domain Admins
JIT Enterprise Admins
These groups will be used as privileged access groups.
6. Enable Privileged Identity Management
Enable Privileged Identity Management in Microsoft Entra ID.
Steps:
Sign in to the Microsoft Entra admin center.
Navigate to Identity Governance.
Select Privileged Identity Management.
Activate PIM for Groups.
Once enabled, you will be able to manage group membership using just-in-time activation.
7. Configure Privileged Access Group Settings
Open Privileged Identity Management.
Navigate to Groups.
Select the JIT Domain Admins group.
Configure the following settings:
- Require approval for activation
- Require multi-factor authentication
- Maximum activation duration
Recommended configuration:
Domain Admin activation duration: 1 hour
Enterprise Admin activation duration: 30 minutes
Justification required for every activation request
8. Assign Eligible Members
Add administrators as eligible members rather than permanent (active) members.
Add john.doe.admin as an eligible member of JIT Domain Admins.
An eligible member has no privileged access by default; the user can request it, and if the request is approved the user is granted the privileged access for a limited time.
Steps:
Open Privileged Identity Management.
Select Groups.
Select JIT Domain Admins.
Select Assignments.
Add an eligible assignment.
Choose the administrator accounts.
Repeat for the JIT Enterprise Admins group.
9. Configure Approval Workflow
Enterprise Admin access should require approval.
Configure approvers.
Example approvers:
Security operations team
Identity governance administrators
When an administrator requests Enterprise Admin elevation, the request must be approved before activation.
10. Activation Workflow
When administrators require privileged access, they perform the following steps:
The administrator signs in to the Microsoft Entra portal.
The administrator opens Privileged Identity Management.
The administrator selects My Roles.
The administrator activates membership in the JIT Domain Admins group.
The administrator enters a justification and ticket number.
Multi-factor authentication is triggered.
Approval is processed if required.
Membership becomes active for the defined duration.
The user now receives Domain Admin privileges through Active Directory group membership.
After expiration, the membership is automatically removed.
11. Kerberos Token Refresh Requirement
After JIT elevation, administrators may need to refresh their Kerberos tickets, because group membership is evaluated when a ticket is issued.
Use the following command:
klist purge
Then sign out and sign back in so that the new group membership is included in the logon token.
12. Monitoring and Auditing
All privileged access events are logged in Microsoft Entra.
Important audit events include:
Privilege activation
Privilege expiration
Approval decisions
Failed activation attempts
These logs should be forwarded to a security monitoring platform such as Microsoft Sentinel.
Monitoring privileged access activity is critical for detecting insider threats and credential misuse.
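The Entra audit log records the PIM side of each elevation; the domain controllers record the resulting Active Directory group change. The following script is an added example, not part of the article, that reads those domain-side events and separates expected JIT membership changes from direct changes to Domain Admins or Enterprise Admins, which bypass the JIT design. It assumes the group names from the New-ADGroup commands earlier and that the account running it can read the Security log on the domain controller.

```powershell
# Added example; not part of the article. Reads Security events from a domain
# controller and classifies membership changes to the groups used in this design.
# 4728/4729 = member added to / removed from a security-enabled global group
# (the JIT groups and Domain Admins); 4756/4757 = the same for a universal group
# (Enterprise Admins). Group names are those from the New-ADGroup commands above.
$JitGroups        = @('JIT-DomainAdmins', 'JIT-EnterpriseAdmins')
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins')

function Get-EventDataValue {
    param([xml]$EventXml, [string]$Name)
    # Event data fields are addressed by name in the event XML rather than by position
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-PrivilegedGroupChange {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,     # a domain controller
        [datetime]$Since = (Get-Date).AddHours(-24)
    )
    $filter = @{ LogName = 'Security'; Id = 4728, 4729, 4756, 4757; StartTime = $Since }
    # SilentlyContinue: Get-WinEvent reports an error when no event matches
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml   = [xml]$e.ToXml()
        $group = Get-EventDataValue $xml 'TargetUserName'
        if ($group -notin ($JitGroups + $PrivilegedGroups)) { continue }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Action    = if ($e.Id -in 4728, 4756) { 'Added' } else { 'Removed' }
            Group     = $group
            Member    = Get-EventDataValue $xml 'MemberName'       # DN of the member
            ChangedBy = Get-EventDataValue $xml 'SubjectUserName'  # sync account for JIT changes
            # A direct change to Domain/Enterprise Admins is a standing-privilege bypass;
            # a change to a JIT group should match a PIM activation or expiration
            Severity  = if ($group -in $PrivilegedGroups) { 'ALERT: direct privileged group change' }
                        else { 'Info: JIT membership change' }
        }
    }
}

Get-PrivilegedGroupChange | Sort-Object Time | Format-Table -AutoSize
```

Each Info row should reconcile with an activation or expiration in the Entra audit log; an ALERT row, or a JIT change with no matching PIM event, is worth investigating.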
13. Security Best Practices
Never assign permanent Domain Admin privileges.
Use JIT elevation for all high-privilege roles.
Require multi-factor authentication for activation.
Limit activation duration to the shortest time possible.
Require approval for Enterprise Admin access.
Use privileged access workstations for administrative tasks.
Monitor all elevation events.
Regularly review eligible members.
14. Example Real-World Scenario
An infrastructure engineer needs to modify a Group Policy Object that requires Domain Admin privileges.
The engineer signs in to the Microsoft Entra portal using their regular user account.
The engineer navigates to Microsoft Entra Privileged Identity Management.
Under My Roles or Privileged Access Groups, the engineer locates the eligible assignment for the JIT Domain Admins group.
The engineer requests activation of the eligible assignment.
Multi-factor authentication is required.
If the policy requires approval, the request must be approved before activation.
Once the request is approved, the engineer becomes a temporary member of the JIT Domain Admins group.
Because the JIT Domain Admins group is nested inside the Active Directory Domain Admins group, the engineer temporarily receives Domain Admin privileges.
The activation remains valid for the configured duration, for example one hour.
The engineer then signs in to the administrative account or refreshes credentials so that the newly granted privileges are applied.
The engineer performs the required administrative task, such as modifying the Group Policy Object.
After the activation duration expires, the temporary membership is automatically removed and the Domain Admin privileges are revoked.
The engineer returns to operating with standard user privileges.
15. Security Benefits
Just-in-time administration significantly reduces the attack surface.
Benefits include:
No standing privileged accounts.
Reduced impact of credential theft.
Automatic privilege revocation.
Strong audit trail.
Better compliance with security frameworks.
When implemented correctly, this architecture prevents attackers from maintaining persistent domain administrative access even if credentials are compromised.
For organizations running hybrid identity environments, this is the recommended modern approach for controlling on-premises Active Directory high-privilege roles without relying on legacy MIM-based Privileged Access Management.