Configuring Just in Time Access (JIT)


With Azure Active Directory (Azure AD), a Global administrator can make permanent Azure AD admin role assignments. These role assignments can be created using the Azure portal or using PowerShell commands.

The Azure AD Privileged Identity Management (PIM) service also allows Privileged Role Administrators to make permanent admin role assignments. Additionally, Privileged Role Administrators can make users eligible for Azure AD admin roles. An eligible administrator can activate the role when they need it, and then their permissions expire once they’re done.

Make a user eligible for a role 

Sign in to the Azure portal.

If you haven’t started PIM in the Azure portal yet, go to Enabling Azure AD Privileged Identity Management (PIM).

Click Azure AD roles.

Click Roles or Members, then click Add member to open Add managed members.

Click Select a role, click a role you want to manage, and then click Select.

Click Select members, select the users you want to assign to the role, and then click Select.

In Add managed members, click OK to add the user to the role.

In the list of roles, click the role you just assigned to see the list of members.

When the role is assigned, the user you selected will appear in the members list as Eligible for the role.

Now that the user is eligible for the role, let them know that they can activate it.

Eligible administrators are asked to register for Azure Multi-Factor Authentication (MFA) during activation.
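The same eligible assignment can be scripted. The following is an added example, not part of the original post: it uses the Microsoft Graph PowerShell SDK (one possible choice; the post does not say which PowerShell commands it has in mind), and the user name, role name, 90-day window and justification text are placeholder assumptions.

```powershell
# Added example. Needs the Microsoft.Graph.Users and
# Microsoft.Graph.Identity.Governance modules, run as a Privileged Role Administrator.
$UserPrincipalName = 'alice@contoso.example'   # placeholder user (assumption)
$RoleName          = 'User Administrator'      # role to make the user eligible for (assumption)
$EligibleDays      = 90                        # time-bound eligibility window (assumption)

Connect-MgGraph -Scopes 'RoleEligibilitySchedule.ReadWrite.Directory',
                        'RoleManagement.Read.Directory', 'User.Read.All'

# Resolve the user and the role definition to their object IDs.
$user = Get-MgUser -UserId $UserPrincipalName -ErrorAction Stop
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
if (-not $role) { throw "Role '$RoleName' was not found in this tenant." }

# Do not create a duplicate request if the user is already eligible for this role.
$existing = Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
                -Filter "principalId eq '$($user.Id)'" |
            Where-Object { $_.RoleDefinitionId -eq $role.Id }
if ($existing) {
    Write-Output "$UserPrincipalName is already eligible for $RoleName."
    return
}

# 'adminAssign' creates an eligible (not active) assignment at tenant scope '/'.
$start = (Get-Date).ToUniversalTime()
$body = @{
    Action           = 'adminAssign'
    Justification    = 'Eligible assignment created by script (placeholder text)'
    PrincipalId      = $user.Id
    RoleDefinitionId = $role.Id
    DirectoryScopeId = '/'
    ScheduleInfo     = @{
        StartDateTime = $start
        Expiration    = @{
            Type        = 'afterDateTime'
            EndDateTime = $start.AddDays($EligibleDays)
        }
    }
}
$request = New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $body
Write-Output "Request $($request.Id) status: $($request.Status)"

# Confirm the user now appears as eligible, and show when the eligibility ends.
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "principalId eq '$($user.Id)'" |
    Where-Object { $_.RoleDefinitionId -eq $role.Id } |
    Select-Object PrincipalId, RoleDefinitionId, Status,
        @{ Name = 'EligibleUntil'; Expression = { $_.ScheduleInfo.Expiration.EndDateTime } }
```

The tenant's PIM role settings may cap how long an eligible assignment can last, in which case a request with a longer window is rejected.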
