Just-in-time admin access: the pragmatic SMB version of privileged identity management
Permanent admin accounts are the single most reliable gift you can give an attacker. Not weak passwords, not unpatched servers — persistent, always-on privileged access. Once an attacker owns one credential with Global Admin or Domain Admin attached, the breach stops being a question of if they can move and starts being a question of how fast. Just-in-time admin access fixes that by making elevated privileges temporary, audited, and approval-gated — so there is nothing persistent to steal.
This is not a theoretical security ideal. It is a concrete operational pattern that SMBs can implement today, with tools most of them already pay for.
Standing admin access = standing risk
The threat model is straightforward. A standing admin account means the privilege is attached to an identity 24 hours a day, seven days a week, whether or not anyone is actively doing admin work. That is the attack surface. A phished MFA code at 2 a.m. on a Saturday hands the attacker the same rights as a legitimate maintenance window on a Tuesday afternoon.
Look at the incident patterns: the 2023 Microsoft Exchange Online breach involved a compromised Microsoft account that had excessive access to signing keys. The 2024 Snowflake-adjacent incidents repeatedly came back to accounts with broad persistent privileges and no MFA enforcement. At the SMB level, the same story plays out constantly — a technician account in Microsoft 365 with permanent Global Admin, a shared local administrator password that hasn't rotated since the last MSP onboarding, a NinjaOne service account with full tenant rights sitting in an unlocked keepass file.
The principle of least privilege is decades old and still routinely ignored because removing standing access creates friction. The answer is not to live with the risk — the answer is to design workflows that make temporary elevation feel as low-friction as permanent access, while logging everything.
Every day a standing privileged account exists without use is a day you are paying a risk premium for administrative convenience you are not actually using.
The JIT model in plain English
Just-in-time admin access works on a simple contract: you get elevated rights when you need them, for the duration you need them, and the system logs the activation, the approver, and the scope. When the window closes, the privilege evaporates. The account returns to an unprivileged baseline.
The operational flow typically looks like this:
- A technician or admin needs to make a change that requires elevated rights.
- They submit an activation request — sometimes self-served, sometimes requiring a peer or manager approval.
- The system grants the elevated role for a defined window (15 minutes, 1 hour, 4 hours depending on the task).
- The window expires and the elevation is automatically revoked.
- The full activation history is retained for audit.
The key insight is that this is not about making life harder for legitimate admins. It is about making sure that a compromised credential — phished, stolen from a password manager, or extracted via infostealer — has zero persistent value. An attacker who gets the password and even the TOTP seed for a JIT-gated account still cannot do anything administrative without triggering an approval workflow they cannot complete.
The threat model shifts from "protect every admin credential perfectly" to "ensure that credential compromise alone is not sufficient for lateral movement or data exfiltration."
M365 / Entra PIM — what's in P2 and what's not
Microsoft's native answer to JIT is Privileged Identity Management inside Entra ID, formerly Azure AD. It is genuinely good. The problem is that it requires Entra ID P2 licensing, which means Microsoft 365 Business Premium or a standalone P2 add-on. At roughly $8–12 per user per month depending on volume and geography, that is a real cost for a 50-person SMB.
What P2 PIM gives you:
- Eligible role assignments — roles are assigned as eligible rather than active, meaning the user must consciously activate them.
- Time-bound activation — you define maximum activation windows per role. Global Admin can be capped at 1 hour. SharePoint Admin can be set to 4 hours.
- Approval workflows — specific roles can require a named approver or group of approvers before activation goes through.
- MFA on activation — even if the session already has MFA, PIM can require a fresh MFA challenge at activation time.
- Just-in-time access reviews — periodic reviews that force explicit recertification of who has eligible access to what.
- Full audit log — every activation, every approval, every expiration is written to the Entra audit log and flows into Microsoft Sentinel if you have it.
What P2 does not give you by default:
- JIT for local Windows admin rights on endpoints (that requires a separate solution like LAPS plus workflow, or a PAM tool).
- JIT for third-party SaaS platforms outside the Microsoft ecosystem.
- Anything for your on-premises Active Directory without adding Microsoft Identity Governance (formerly AAD P2 + MIM), which gets expensive fast.
If you are on Business Premium, PIM is already licensed. Turn it on. Start with Global Administrator and Privileged Role Administrator — make every assignment eligible, set a 1-hour max activation, and require approval from a second named admin. That change alone closes the most common SMB attack vector in about 30 minutes of configuration.
For Entra-connected workloads like Exchange Online, SharePoint, and Intune, PIM covers you cleanly. For everything outside that perimeter, you need a different approach.
The DIY version for orgs not on P2
Not every SMB will or should pay for P2 licensing across the board. There are workable patterns that achieve most of the risk reduction without the licensing cost.
Break-glass accounts with monitoring: Create a single Global Admin break-glass account with a complex password stored in a physical safe or a sealed envelope in a locked cabinet. Disable MFA on it (this is intentional — if MFA fails systemwide, you need a way in). Set an Azure Monitor or Defender for Cloud alert that fires the moment the account signs in. Any legitimate use of that account is a known event; any unexpected sign-in is an immediate incident. This does not give you JIT, but it removes standing admin from daily-use accounts.
Conditional Access + named locations for admin actions: Lock admin portal access to specific IP ranges (your office, your MSP's known egress IPs). This is not JIT but it massively reduces the value of a stolen admin credential used from outside those locations. Cloudflare Access can front your internal admin panels with identity-aware proxy policies if you want a more robust version of this.
Group-based role toggle with approval via Teams or email: This is the low-tech JIT simulation. Use a PowerShell script or a Power Automate flow that adds a user to a privileged Entra group on request, sets a timer, and removes them after the defined window. The approval step can be a Teams Adaptive Card sent to a second admin. It is not elegant but it is auditable and it works. NinjaOne and similar RMM platforms have similar access escalation patterns for endpoint admin operations.
LAPS for local admin on endpoints: Microsoft's Local Administrator Password Solution is free and built into modern Windows. Every endpoint gets a unique, rotating local admin password that is escrowed in Active Directory or Entra ID. No shared local admin password. Retrieval is logged. This directly closes a major lateral movement vector — pass-the-hash and credential spraying against shared local admin accounts.
None of these are as clean as Entra PIM. But all of them are better than a permanent Global Admin account sitting on the account your help desk uses to reset passwords.
Approval workflows that don't kill productivity
The fastest way to get JIT circumvented is to make the approval process slow enough that people find workarounds. If activating admin access takes 20 minutes of back-and-forth, someone will just keep the role active permanently. The workflow design matters as much as the technical implementation.
Patterns that work:
Self-approval for low-risk roles with logging. Not everything needs a human approver. SharePoint Site Collection Admin, Exchange Recipient Management — these are roles where self-activation with a business justification field and a short window (2–4 hours) is entirely reasonable. The audit trail is the control, not the approval gate.
Single approver with mobile-friendly interface. For higher-risk roles like Global Admin, one approver is enough. That approver needs to be reachable via mobile. Entra PIM's approval emails work, but a Teams notification is faster. Define an on-call approver rotation if your team is small.
Pre-approved windows for maintenance. Schedule recurring change windows in your ticketing system — say, Tuesday and Thursday evenings — where elevated access is pre-approved for a defined scope. Admins activate within those windows without ad-hoc approval. Everything outside those windows still requires real-time approval.
Hard stops, not soft warnings. If the activation window expires mid-task, the admin reactivates. Do not extend windows automatically. The 15-second friction of reactivation is the point — it forces a moment of deliberate decision-making and refreshes the audit trail.
CrowdStrike Falcon Identity Protection and similar tools can layer behavioral detection on top of these workflows — flagging activations from unusual locations, at unusual hours, or followed by atypical data access patterns. That is the next level; get the workflow right first.
Privileged Access Workstations — when worth it
Privileged Access Workstations (PAWs) are dedicated, hardened devices used exclusively for administrative tasks. No email, no web browsing, no general productivity software. The idea is to eliminate the attack surface that typically leads to credential theft — malicious email attachments, browser-based exploits, infostealer malware — on the exact machine used to administer your most critical systems.
For most SMBs, a full PAW program is overkill. The operational overhead is significant: you need to procure, manage, and maintain separate hardware, enforce policy that admins actually use it for admin tasks and nothing else, and keep the device itself in a known-clean state.
Where PAWs are worth the cost:
- MSSPs and MSPs managing multiple tenants. If one compromised device can reach 50 client tenants, the risk calculus changes completely. A hardened admin workstation — even a VM with strict network segmentation — is justified.
- Orgs handling regulated data. Healthcare organizations under HIPAA, financial services firms under PCI or SOC 2, and any org handling export-controlled data should have admin access originating from hardened, inventoried devices.
- When CrowdStrike or your EDR is not on the admin machine. If the device used for admin work is not covered by your EDR policy, it is a blindspot. A PAW with enforced EDR coverage and no exceptions is better than a general-purpose laptop with gaps.
The pragmatic SMB version of a PAW is not necessarily a separate physical device. It can be a Intune-enrolled, Conditional Access-scoped device profile that prevents admin portal access from non-compliant devices. Entra ID's device compliance policies enforce this: Global Admin activation via PIM can be conditioned on the activating device being Intune-managed and compliant. That gets you 70% of the PAW security benefit at a fraction of the operational cost.
Start there. If you are managing more than five tenants or handling data that regulators care about, invest in dedicated hardware.
Just-in-time admin access is not a luxury feature for enterprises with dedicated IAM teams. It is a straightforward control that directly addresses the most common initial access and privilege escalation patterns in SMB breaches. The tooling is available, the cost is manageable, and the operational friction — when designed correctly — is minimal.
Start with what you have: enable Entra PIM if you are on Business Premium, deploy LAPS on every endpoint, and get every Global Admin account out of permanent active assignment this week. Build from there.
Before you finalize your JIT rollout, validate what your privileged identities and admin surfaces look like from the outside. Run the free Exposure Report and validate public-surface findings.
Related: How we assess SMB security posture — the Breach Horizon methodology
See what attackers see — before they do.
Run the free passive scan, get a prioritized fix plan, and close the gaps yourself or have us do it for you.