Cybersecurity

Privileged Access Management: JIT Security Controls with Microsoft Entra PIM

Precision IT · Cloud & Security Experts
22 October 2025

Privileged accounts are the keys to your organisation's most critical systems. Domain administrators, Azure subscription owners, Microsoft 365 global administrators, database administrators -- these accounts have the power to access, modify, or destroy virtually any resource in your environment. It is precisely this power that makes them the number one target for cyber attackers.

According to CrowdStrike's 2024 Global Threat Report, 80% of cyber breaches involve compromised privileged credentials. The IBM Cost of a Data Breach Report 2024 found that breaches involving privileged account compromise cost organisations an average of USD $4.81 million -- 23% more than breaches not involving privileged access. For Australian organisations, where the average breach cost reached AUD $4.26 million according to the same report, the stakes could not be higher.

The fundamental problem is standing privileges -- accounts that have permanent, always-on administrative access. These accounts exist in every organisation and represent a persistent, high-value target. Just-in-Time (JIT) access and Privileged Access Management (PAM) eliminate standing privileges by granting administrative access only when needed, for only as long as needed, with full audit trails.

Key Takeaway

If your organisation has accounts with permanent Global Administrator, Domain Admin, or Azure Subscription Owner privileges, you are carrying unnecessary risk. Just-in-Time access through Microsoft Entra PIM can eliminate standing privileges in weeks, not months, dramatically reducing your attack surface.

Why Privileged Accounts Are the Number One Target

Attackers target privileged accounts because they provide the fastest path to complete environment compromise. Consider the attack chain:

  1. Initial access -- An attacker compromises a standard user account through phishing or credential stuffing
  2. Privilege escalation -- The attacker discovers and compromises a privileged account through techniques like pass-the-hash, Kerberoasting, or exploiting misconfigured permissions
  3. Lateral movement -- With privileged credentials, the attacker moves freely across the environment, accessing file servers, databases, email systems, and cloud resources
  4. Data exfiltration or ransomware deployment -- The attacker achieves their objective, whether stealing data, deploying ransomware, or establishing persistent access

The ACSC's Essential Eight recognises this risk explicitly. Restricting Administrative Privileges is one of the eight strategies: at Maturity Level 2, privileged access must be revalidated periodically and privileged access events must be centrally logged, and at Maturity Level 3, just-in-time administration is required for administering systems and applications.

Standing Privileges vs Just-in-Time Access

Understanding the difference between standing privileges and JIT access is critical to appreciating the security improvement:

Aspect               | Standing Privileges                                              | Just-in-Time (JIT) Access
---------------------|------------------------------------------------------------------|-------------------------------------------------------------------
Access duration      | Permanent (24/7/365)                                             | Time-limited (e.g., 1-8 hours per activation)
Attack window        | Always open                                                      | Open only while a session is activated
Approval required    | None after initial assignment                                    | Approval workflow on each activation (configurable per role)
MFA enforcement      | Not tied to elevation; must be enforced separately               | Required on every activation (MFA or a Conditional Access authentication context)
Audit trail          | Limited: the assignment is always on, so elevation is never recorded | Every activation recorded with requester, justification, approver and duration
Blast radius         | Maximum: a compromised account has permanent access              | Minimal: a compromised account holds no standing access and must pass MFA and approval to elevate
Compliance alignment | Does not meet Essential Eight ML3 (just-in-time administration); weak against ISO 27001:2022 A.8.2 and NIST SP 800-53 AC-6 | Supports Essential Eight ML3, ISO 27001:2022 A.8.2 (Privileged access rights), NIST SP 800-53 AC-6 (Least Privilege), APRA CPS 234

Microsoft Entra Privileged Identity Management (PIM)

Microsoft Entra PIM is the primary tool for implementing JIT access across Microsoft 365, Azure, and hybrid environments. It is included with Microsoft Entra ID P2 (formerly Azure AD Premium P2) and Microsoft Entra ID Governance licences, and provides privileged access management for Entra directory roles, Azure resource roles, and PIM-enabled groups.

Key PIM Features

  • Eligible role assignments -- Users are assigned as "eligible" for privileged roles rather than permanently active. They must explicitly activate the role when needed, and the eligibility itself can be given an expiry so that it has to be renewed
  • Time-bound activation -- When activated, roles are granted for a defined maximum period (e.g., 1 hour, 4 hours, 8 hours) and automatically expire; the administrator can also deactivate early once the work is done
  • Approval workflows -- High-risk roles (e.g., Global Administrator) can require one or more approvers before activation. Approvers are notified by email and approve or deny the request in the Entra portal, recording their own justification
  • MFA enforcement -- Require multi-factor authentication on every activation, so a stolen password alone cannot elevate privileges. For stricter control, activation can instead be bound to a Conditional Access authentication context (compliant device, trusted location, phishing-resistant authentication strength)
  • Justification requirements -- Require users to provide a business justification (and optionally a ticket number and ticketing system) for every activation, creating a comprehensive audit trail
  • Activation notifications -- Alert security teams whenever privileged roles are activated, enabling real-time monitoring of privileged activity
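The settings above are configured per role through the Microsoft Graph roleManagementPolicies endpoints. The following Microsoft Graph PowerShell script is an added example (not code from the original article or from Microsoft) that applies them to the Global Administrator role: a two-hour maximum activation, MFA plus justification plus ticket number on activation, and a single approval stage. It assumes the Microsoft.Graph PowerShell SDK is installed and the caller holds RoleManagementPolicy.ReadWrite.Directory; the Global Administrator role template ID is the well-known value, while the approver group ID is a placeholder to replace.

```powershell
# Added example: PIM role settings for Global Administrator via Microsoft Graph.
# Assumes the Microsoft.Graph PowerShell SDK; the approver group ID is a placeholder.
Connect-MgGraph -Scopes 'RoleManagementPolicy.ReadWrite.Directory' -NoWelcome

$graph           = 'https://graph.microsoft.com/v1.0'
$roleId          = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator (well-known template ID)
$approverGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: your PIM approvers group

# Each directory role has its own PIM policy; look it up via the policy assignment at tenant scope ('/')
$odataFilter = "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$roleId'"
$policyId    = (Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/roleManagementPolicyAssignments?`$filter=$odataFilter").value[0].policyId

# Patch one rule of the policy. Rule IDs are fixed strings; the *_EndUser_Assignment rules govern activation.
function Set-PimRule {
    param([string]$RuleId, [string]$Type, [hashtable]$Settings)
    $body = @{
        '@odata.type' = "#microsoft.graph.$Type"
        id            = $RuleId
        target        = @{ caller = 'EndUser'; operations = @('All'); level = 'Assignment'
                           inheritableSettings = @(); enforcedSettings = @() }
    } + $Settings
    Invoke-MgGraphRequest -Method PATCH -Uri "$graph/policies/roleManagementPolicies/$policyId/rules/$RuleId" -Body $body
}

# Time-bound activation: a session lasts at most 2 hours (ISO 8601 duration)
Set-PimRule 'Expiration_EndUser_Assignment' 'unifiedRoleManagementPolicyExpirationRule' @{
    isExpirationRequired = $true
    maximumDuration      = 'PT2H'
}

# MFA, a justification and a ticket reference are all required to activate
Set-PimRule 'Enablement_EndUser_Assignment' 'unifiedRoleManagementPolicyEnablementRule' @{
    enabledRules = @('MultiFactorAuthentication', 'Justification', 'Ticketing')
}

# Single approval stage by members of the approver group; approvers must justify; request lapses after 1 day
Set-PimRule 'Approval_EndUser_Assignment' 'unifiedRoleManagementPolicyApprovalRule' @{
    setting = @{
        isApprovalRequired               = $true
        isApprovalRequiredForExtension   = $false
        isRequestorJustificationRequired = $true
        approvalMode                     = 'SingleStage'
        approvalStages                   = @(@{
            approvalStageTimeOutInDays      = 1
            isApproverJustificationRequired = $true
            escalationTimeInMinutes         = 0
            isEscalationEnabled             = $false
            primaryApprovers                = @(@{ '@odata.type' = '#microsoft.graph.groupMembers'; groupId = $approverGroupId })
            escalationApprovers             = @()
        })
    }
}

# Verify by reading the three rules back
foreach ($rule in 'Expiration_EndUser_Assignment', 'Enablement_EndUser_Assignment', 'Approval_EndUser_Assignment') {
    Invoke-MgGraphRequest -Method GET -OutputType PSObject `
        -Uri "$graph/policies/roleManagementPolicies/$policyId/rules/$rule" |
        Select-Object id, maximumDuration, enabledRules, @{ n = 'approvalRequired'; e = { $_.setting.isApprovalRequired } }
}
```

Run this once per high-risk role (Privileged Role Administrator, Security Administrator and Exchange Administrator have their own policies and role IDs), and keep a copy of the read-back output as evidence for auditors.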

Role Activation Workflow

A typical PIM activation workflow operates as follows:

  1. An IT administrator needs to make a change that requires Global Administrator privileges
  2. They navigate to the Entra PIM portal and request activation of the Global Administrator role
  3. They provide a justification (e.g., "Configuring new Conditional Access policy per change request CR-2024-0847") and complete MFA
  4. If the role requires approval, the designated approver receives a notification and reviews the request
  5. Upon approval, the role is activated for the configured duration (e.g., 2 hours)
  6. The administrator completes their work and deactivates the role, or it deactivates automatically at expiry
  7. The activation itself -- requester, justification, approver, and duration -- is recorded in the PIM audit history. The changes made while the role was active appear in the relevant service's audit log (Entra audit log, Microsoft 365 unified audit log, Azure activity log) and can be correlated with the activation by user and time window
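The same workflow can be driven from a script rather than the portal, which is how automation accounts and CLI-centric administrators typically activate. The block below is an added example (not from the original article or from Microsoft) using the Microsoft Graph roleAssignmentScheduleRequests endpoint: it requests self-activation with a justification and ticket number, waits while an approver decides, and releases the role early when the work is finished. It assumes the Microsoft.Graph PowerShell SDK and the RoleAssignmentSchedule.ReadWrite.Directory permission; the ticket number and ticketing system name are placeholders.

```powershell
# Added example: self-activate an eligible role via Microsoft Graph, wait for approval, deactivate early.
# Assumes the Microsoft.Graph PowerShell SDK; ticket number and system are placeholders.
Connect-MgGraph -Scopes 'RoleAssignmentSchedule.ReadWrite.Directory' -NoWelcome

$graph  = 'https://graph.microsoft.com/v1.0'
$roleId = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator (well-known template ID)
$meId   = (Invoke-MgGraphRequest -Method GET -Uri "$graph/me?`$select=id").id

function Request-PimActivation {
    param([string]$PrincipalId, [string]$RoleDefinitionId, [string]$Justification, [string]$Ticket, [string]$Duration = 'PT2H')
    $body = @{
        action           = 'selfActivate'
        principalId      = $PrincipalId
        roleDefinitionId = $RoleDefinitionId
        directoryScopeId = '/'                      # tenant-wide; use an administrative unit ID to narrow the scope
        justification    = $Justification
        ticketInfo       = @{ ticketNumber = $Ticket; ticketSystem = 'ServiceNow' }   # placeholder ticketing system
        scheduleInfo     = @{
            startDateTime = (Get-Date).ToUniversalTime().ToString('o')
            expiration    = @{ type = 'AfterDuration'; duration = $Duration }   # may not exceed the role's maximumDuration
        }
    }
    Invoke-MgGraphRequest -Method POST -Uri "$graph/roleManagement/directory/roleAssignmentScheduleRequests" -Body $body
}

# Poll the request until it leaves a pending state (approver decision, then provisioning)
function Wait-PimRequest {
    param([string]$RequestId, [int]$TimeoutMinutes = 30)
    $pending  = 'PendingApproval', 'PendingAdminDecision', 'PendingProvisioning', 'PendingScheduleCreation'
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $req = Invoke-MgGraphRequest -Method GET -Uri "$graph/roleManagement/directory/roleAssignmentScheduleRequests/$RequestId"
        if ($req.status -notin $pending) { return $req }
        Write-Host "Status: $($req.status), waiting..."
        Start-Sleep -Seconds 20
    } while ((Get-Date) -lt $deadline)
    throw "Request $RequestId still pending after $TimeoutMinutes minutes"
}

# Release the role as soon as the work is done instead of leaving it active until expiry
function Stop-PimActivation {
    param([string]$PrincipalId, [string]$RoleDefinitionId)
    $body = @{
        action = 'selfDeactivate'; principalId = $PrincipalId; roleDefinitionId = $RoleDefinitionId
        directoryScopeId = '/'; justification = 'Work complete; releasing privilege early'
    }
    Invoke-MgGraphRequest -Method POST -Uri "$graph/roleManagement/directory/roleAssignmentScheduleRequests" -Body $body
}

# Steps 2-5 of the workflow. If the role requires MFA and this Graph session has not satisfied it,
# the POST is rejected: re-run Connect-MgGraph, complete MFA, and retry.
$request = Request-PimActivation -PrincipalId $meId -RoleDefinitionId $roleId `
    -Justification 'Configuring new Conditional Access policy per change request CR-2024-0847' -Ticket 'CR-2024-0847'
$final = Wait-PimRequest -RequestId $request.id
if ($final.status -ne 'Provisioned') { throw "Activation not granted: $($final.status)" }

# ... perform the privileged change here while the role is active ...

# Step 6: hand the privilege back
Stop-PimActivation -PrincipalId $meId -RoleDefinitionId $roleId
```

Deactivating early is worth building into every runbook: the attack window the table above describes is the activated interval, so a two-hour grant released after fifteen minutes is a fifteen-minute exposure.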

Key Takeaway

PIM transforms privileged access from a static permission to an audited, time-limited, and approval-controlled workflow. This single change dramatically reduces the window of opportunity for attackers and creates complete accountability for all privileged actions.

Access Reviews: Maintaining Least Privilege Over Time

Implementing PIM is only the beginning. Over time, role assignments accumulate as people change positions, projects end, and temporary access becomes permanent. Entra ID Access Reviews automate the process of reviewing and certifying privileged access assignments.

  • Scheduled reviews -- Configure monthly or quarterly reviews of all privileged role assignments. Reviewers (typically security managers or team leads) certify that each assignment is still required
  • Self-attestation -- Users can be asked to justify their continued need for privileged access. The review can be configured so that a user who does not respond within the review period has their access removed
  • Automated remediation -- Access Reviews can automatically remove access for users who are not re-certified, ensuring that stale privileged assignments are cleaned up without manual intervention
  • Compliance reporting -- Access Review results are logged and can be exported for compliance audits, demonstrating to auditors that your organisation regularly validates privileged access

Integration with Conditional Access and Zero Trust

PIM is most effective when integrated with Conditional Access policies as part of a broader Zero Trust architecture. Key integration points include:

  • Require compliant devices for privileged access -- A PIM role setting can require a Conditional Access authentication context on activation; a Conditional Access policy targeting that context then ensures the role can only be activated from Intune-managed, compliant devices. This prevents administrators from performing privileged actions on personal or unmanaged devices
  • Block privileged access from risky locations -- Restrict privileged role activation to trusted network locations or require additional authentication for access from unusual locations
  • Risk-based authentication -- If Entra ID Protection detects that a user's sign-in session is high risk (e.g., from a leaked credential or unfamiliar location), require additional verification before allowing privilege activation
  • Session controls -- Use Conditional Access App Control (via Microsoft Defender for Cloud Apps) to monitor and control privileged sessions in real time
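The compliant-device and risk-based controls above hinge on one mechanism: an authentication context that PIM demands at activation and that Conditional Access decides how to satisfy. The following script is an added example (not from the original article or from Microsoft) that wires this up for Global Administrator: it publishes context c1, creates a Conditional Access policy requiring MFA and a compliant device whenever c1 is requested, and points the role's PIM policy at c1. It assumes the Microsoft.Graph PowerShell SDK with Policy.ReadWrite.ConditionalAccess and RoleManagementPolicy.ReadWrite.Directory; the break-glass account ID is a placeholder. Because PIM's built-in "require MFA" option and the authentication context are alternatives, the enablement rule is rewritten without the MFA entry and MFA is enforced by the Conditional Access policy instead.

```powershell
# Added example: bind Global Administrator activation to a Conditional Access authentication context
# that requires MFA and an Intune-compliant device. Assumes the Microsoft.Graph PowerShell SDK;
# the break-glass account ID is a placeholder.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'RoleManagementPolicy.ReadWrite.Directory' -NoWelcome

$graph      = 'https://graph.microsoft.com/v1.0'
$roleId     = '62e90394-69f5-4237-9190-012177145e10'     # Global Administrator (well-known template ID)
$breakGlass = @('00000000-0000-0000-0000-000000000001')  # placeholder: emergency-access accounts, excluded from CA
$ctxId      = 'c1'                                       # authentication contexts use the fixed IDs c1..c99

# 1. Publish the authentication context so both PIM and Conditional Access can reference it
Invoke-MgGraphRequest -Method PATCH -Uri "$graph/identity/conditionalAccess/authenticationContextClassReferences/$ctxId" -Body @{
    displayName = 'Privileged role activation'
    description = 'Requested by PIM when a Tier-0 role is activated'
    isAvailable = $true
}

# 2. Conditional Access: satisfying context c1 requires MFA AND a compliant device.
#    Starts in report-only mode; nothing is enforced until state is changed to 'enabled',
#    so validate against the sign-in logs first and then flip the state.
$policy = @{
    displayName   = 'PIM activation: require MFA and compliant device'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = $breakGlass }
        applications   = @{ includeAuthenticationContextClassReferences = @($ctxId) }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'compliantDevice') }
}
$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" -Body $policy
Write-Host "Created CA policy $($created.id) in report-only mode"

# 3. Point the role's PIM policy at the context and drop PIM's own MFA check (the two are alternatives)
$odataFilter = "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$roleId'"
$policyId    = (Invoke-MgGraphRequest -Method GET -Uri "$graph/policies/roleManagementPolicyAssignments?`$filter=$odataFilter").value[0].policyId
$target      = @{ caller = 'EndUser'; operations = @('All'); level = 'Assignment'; inheritableSettings = @(); enforcedSettings = @() }

Invoke-MgGraphRequest -Method PATCH -Uri "$graph/policies/roleManagementPolicies/$policyId/rules/AuthenticationContext_EndUser_Assignment" -Body @{
    '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyAuthenticationContextRule'
    id            = 'AuthenticationContext_EndUser_Assignment'
    isEnabled     = $true
    claimValue    = $ctxId
    target        = $target
}
Invoke-MgGraphRequest -Method PATCH -Uri "$graph/policies/roleManagementPolicies/$policyId/rules/Enablement_EndUser_Assignment" -Body @{
    '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule'
    id            = 'Enablement_EndUser_Assignment'
    enabledRules  = @('Justification', 'Ticketing')   # MFA now comes from the CA policy on context c1
    target        = $target
}
```

Two operational cautions: switch the policy to enabled only after confirming in report-only mode that your administrators' devices actually report as compliant, and keep the break-glass exclusion, otherwise an Intune outage can lock every administrator out of every privileged role at once.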

Essential 8 Alignment

Implementing PIM directly supports the Essential Eight strategy of Restricting Administrative Privileges. Mapping PIM to the maturity levels:

  • Maturity Level 1 -- Requests for privileged access are validated when first requested. Privileged accounts are prevented from accessing the internet, email and web services
  • Maturity Level 2 -- Privileged access is automatically disabled after 12 months unless revalidated, and after 45 days of inactivity. Privileged access events are centrally logged and the logs are protected from unauthorised modification and deletion. PIM eligible assignments with an expiry, together with Access Reviews, meet the revalidation requirement
  • Maturity Level 3 -- Privileged access is limited to only what is required, just-in-time administration is used for administering systems and applications, and administrative activities are performed from Secure Admin Workstations. PIM activation is the just-in-time mechanism for Entra and Azure roles

PIM, combined with Conditional Access, Access Reviews and Microsoft Sentinel monitoring, addresses the Maturity Level 2 revalidation and logging requirements and provides the just-in-time administration control that Maturity Level 3 demands. On-premises Active Directory needs its own just-in-time mechanism (for example, time-bound group membership through the Privileged Access Management feature of Active Directory), because Entra PIM does not govern AD group membership directly.

Implementation Approach

Precision IT recommends a phased implementation of PIM to minimise disruption and ensure complete coverage:

  1. Discovery and audit -- Identify all privileged accounts across Entra ID, Azure subscriptions, and on-premises Active Directory. Document current assignments and usage patterns
  2. Policy design -- Define activation durations, approval workflows, and MFA requirements for each privileged role based on risk and business need
  3. Pilot deployment -- Enable PIM for the IT team first, allowing them to familiarise with the activation workflow before broader rollout
  4. Phased rollout -- Systematically convert standing privileged assignments to PIM-eligible assignments, starting with the highest-risk roles (Global Administrator, Privileged Role Administrator, Exchange Administrator, Security Administrator). Keep one or two dedicated break-glass accounts with a permanent assignment, excluded from PIM and Conditional Access, with credentials stored offline and every sign-in alerted on
  5. Access Reviews -- Configure quarterly Access Reviews for all privileged role assignments
  6. Monitoring -- Integrate PIM activation alerts with Microsoft Sentinel for real-time monitoring and incident correlation
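Steps 1 and 4 of this approach are the ones most often done by hand from the portal, and the ones most worth scripting so that nothing is missed. The block below is an added example (not from the original article or from Microsoft) that enumerates every permanent active directory-role assignment through the roleAssignmentScheduleInstances endpoint, excludes group-based assignments, break-glass accounts and the account running the script, and converts the rest to eligible assignments that themselves expire after 12 months (matching the Essential Eight ML2 revalidation interval). It creates the eligibility before removing the active assignment so that no administrator is ever left without a path to the role. It assumes the Microsoft.Graph PowerShell SDK and the listed permissions; the break-glass account IDs are placeholders, and nothing is changed unless -Commit is passed.

```powershell
# Added example: discover standing (permanent, active) directory-role assignments and convert them
# to PIM-eligible assignments. Assumes the Microsoft.Graph PowerShell SDK; break-glass IDs are placeholders.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'RoleEligibilitySchedule.ReadWrite.Directory',
                        'RoleAssignmentSchedule.ReadWrite.Directory' -NoWelcome

$graph      = 'https://graph.microsoft.com/v1.0'
$breakGlass = @('00000000-0000-0000-0000-000000000001', '00000000-0000-0000-0000-000000000002')  # placeholders
$meId       = (Invoke-MgGraphRequest -Method GET -Uri "$graph/me?`$select=id").id

# Step 1 (discovery). assignmentType 'Assigned' means a permanent/admin assignment rather than a PIM
# activation; a missing endDateTime means it never expires. Follows @odata.nextLink for large tenants.
function Get-StandingAssignments {
    $uri   = "$graph/roleManagement/directory/roleAssignmentScheduleInstances?`$expand=roleDefinition,principal"
    $found = @()
    while ($uri) {
        $page  = Invoke-MgGraphRequest -Method GET -Uri $uri
        $found += $page.value | Where-Object { $_.assignmentType -eq 'Assigned' -and -not $_.endDateTime }
        $uri   = $page.'@odata.nextLink'
    }
    $found
}

# Step 4 (conversion). Eligibility first, then removal of the active assignment, so the admin is never locked out.
function Convert-ToEligible {
    param([hashtable]$Instance, [switch]$Commit)
    $who  = $Instance.principal.displayName
    $role = $Instance.roleDefinition.displayName
    if (-not $Commit) { Write-Host "[report-only] would convert $who / $role"; return }
    $common = @{
        principalId      = $Instance.principalId
        roleDefinitionId = $Instance.roleDefinitionId
        directoryScopeId = $Instance.directoryScopeId
        justification    = 'Converting standing privilege to PIM-eligible assignment'
    }
    # Eligible for 12 months, after which it must be revalidated (Essential Eight ML2)
    Invoke-MgGraphRequest -Method POST -Uri "$graph/roleManagement/directory/roleEligibilityScheduleRequests" -Body ($common + @{
        action       = 'adminAssign'
        scheduleInfo = @{ startDateTime = (Get-Date).ToUniversalTime().ToString('o')
                          expiration    = @{ type = 'AfterDuration'; duration = 'P365D' } }
    }) | Out-Null
    Invoke-MgGraphRequest -Method POST -Uri "$graph/roleManagement/directory/roleAssignmentScheduleRequests" -Body ($common + @{
        action = 'adminRemove'
    }) | Out-Null
    Write-Host "converted $who / $role"
}

$standing = Get-StandingAssignments | Where-Object {
    $_.memberType -eq 'Direct' -and           # group-based assignments are converted at the group (PIM for Groups)
    $_.principalId -notin $breakGlass -and    # emergency-access accounts keep a permanent assignment
    $_.principalId -ne $meId                  # never remove the account running this script
}

# Report what was found, then convert Tier-0 roles first
$standing | ForEach-Object {
    [pscustomobject]@{ Principal = $_.principal.displayName; Role = $_.roleDefinition.displayName; Scope = $_.directoryScopeId }
} | Format-Table -AutoSize

$tier0 = 'Global Administrator', 'Privileged Role Administrator', 'Exchange Administrator', 'Security Administrator'
foreach ($inst in ($standing | Sort-Object { $_.roleDefinition.displayName -in $tier0 } -Descending)) {
    Convert-ToEligible -Instance $inst      # add -Commit to apply the change
}
```

Run it first without -Commit and reconcile the report against the ownership records from step 1; service principals with standing roles will appear in the list too, and those usually need a redesign (a narrower custom role, or workload identity federation) rather than an eligible assignment.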

Precision IT is an ISO 27001 certified, Microsoft Solutions Partner with extensive experience implementing privileged access management for Australian organisations across healthcare, financial services, government, and education. Our cybersecurity practice delivers end-to-end PAM solutions, from discovery and policy design through deployment and ongoing monitoring via our 24/7 Australian Security Operations Centre.

Are your privileged accounts properly secured? Book a complimentary privileged access assessment and we will audit your current privileged account posture, identify standing privileges, and provide a prioritised remediation roadmap. Most assessments are completed within one week.

Tags: pam, jit, entra-id, privileged-access, zero-trust

Ready to Transform Your IT?

Our team of cloud and security experts is ready to help your business thrive. Get a free consultation today.

Get in Touch
