JIT (Just-in-Time) Admin for Privileged Domain Accounts
in progress
Owen Parry
Thanks for the questions — here’s the latest update.
JIT for Privileged Domain Accounts is actively in progress and remains on track. This is a major expansion of AutoElevate’s privilege‑elevation capabilities, allowing secure, time‑bound elevation for domain‑level privileged accounts in the same seamless workflow technicians use today.
Alpha testing is scheduled to begin January 2026, and we’ll provide additional details as we get closer to opening the preview.
Call to action if you want to help us further: If you have specific JIT workflows or directory environments (Azure AD‑only, hybrid, on‑prem AD, etc.) you want us to validate during alpha, please share them so we can make sure the functionality supports the scenarios you rely on.
Matthew Buehlmann
Owen - Excited to see this feature under development as it would really round out the AutoElevate tool. We would need to be able to address Entra ID (Azure AD), Hybrid, and full on-prem environments. A few questions/thoughts:
1) Entra ID Role Scope: When you refer to JIT for 'Azure AD-only' environments, are you facilitating the elevation of Entra ID roles (like Global Admin or Intune Admin), or is the focus specifically on elevation for local administrative tasks on Entra-joined endpoints?
2) Workflow Integration: How will the tool handle Local Admin vs. Domain Admin elevation—will the user be prompted in the same style currently used for local elevation? Will there be a separate JITA login workflow (e.g., a specific QR code for Domain-level access), or will it utilize the existing JITA account structure?
3) Offline Access: Ensuring "Break-Glass" scenarios are covered for when the cloud service or local connectivity is interrupted is a must.
++++++++++++++++++++++++++++++++++
And a few testing scenarios...
1) Hybrid Security Boundary: If Entra ID roles are included, I’d like to confirm that an elevated domain account in a hybrid environment cannot perform Global Admin tasks in M365 (like deleting a user) unless a separate Entra ID Role elevation is requested.
2) Multi-Tenant Switching: For technicians moving from Client A’s domain to Client B’s, can they hold multiple active JIT sessions across different tenants, or must they "check-in" keys for one before requesting the next? The latter would probably cause engineers to curse my name...
3) Offline Domain Access: A technician has line-of-sight to a DC but no internet access (e.g., repairing a failed gateway). How do they assume Domain Admin privileges to restore the network?
4) RDP & Token Propagation: A critical SQL server is frozen and only allows "Domain Admins" to RDP. If a tech elevates via JIT, can they RDP in immediately, or will NLA/Token latency block the initial connection attempt?
Owen Parry
Matthew Buehlmann thank you for the detailed feedback! Dave Sibiski I'm sure appreciates this!
Andrew Bensinger marked this post as in progress
Matthew Buehlmann
Dave Sibiski - This would be a major feature upgrade to the AE tool. Was told the target completion date was EOY during the sales cycle. Is this still the case?
Toby Stephenson
Any ETA Dave Sibiski?
Dave Sibiski marked this post as planned