Zero Standing Privileges.
Permanent admin privileges are a ticking time bomb. A technical guide to implementing Just-In-Time (JIT) access using Azure PIM.
The most dangerous user in your network is the "Global Admin" who is asleep. If their credentials are compromised at 3 AM, the attacker has the keys to the kingdom.
The Solution: Remove the keys. Only give them back when asked, for a specific duration, and with validation.
1. How JIT Works in Entra ID
Using Privileged Identity Management (PIM), we convert "Permanent" assignments to "Eligible" assignments.
When an admin needs to do work:
1. They request activation in the Azure Portal.
2. They must pass an MFA challenge (step-up authentication).
3. They must provide a justification / ticket number.
4. Approval is either automatic or manual (4-eyes principle).
# PowerShell logic for eligibility (AzureADPreview module; the cmdlet is Open-, not New-, and ProviderId/ResourceId are required)
$Schedule = New-Object Microsoft.Open.MSGraph.Model.AzureADMSPrivilegedSchedule
$Schedule.Type = "Once"
$Schedule.StartDateTime = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$Schedule.EndDateTime = (Get-Date).AddDays(365).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
Open-AzureADMSPrivilegedRoleAssignmentRequest `
    -ProviderId "aadRoles" `
    -ResourceId "Tenant_ID" `
    -RoleDefinitionId "62e90394..." `
    -SubjectId "User_Object_ID" `
    -Type "AdminAdd" `
    -AssignmentState "Eligible" `
    -Schedule $Schedule `
    -Reason "Convert permanent Global Admin to eligible"
2. The Impact on Security Posture
By implementing JIT, we move to a state of Zero Standing Privileges (ZSP). Even if an admin's password is phished, it is useless to the attacker without the MFA token required for activation.
Furthermore, every activation is audited. We know exactly who elevated permissions, when, and for what reason.
3. Deployment Best Practices
Successfully rolling out PIM requires more than just flipping a switch. Consider these operational guidelines:
- Start with Global Admin: This is your highest risk role. Convert it to eligible immediately.
- Require Ticket Context: Force admins to enter a ServiceNow/Jira ticket number for every activation.
- Short Durations: Limit activation windows to 1-4 hours max.
- Regular Access Reviews: Use Identity Governance to audit who still needs eligibility every 90 days.
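Putting the activation steps from section 1 together with the ticket-context and short-duration guidelines above, here is an added example (not code from the original guide) that scripts a self-activation through the Microsoft Graph PowerShell SDK, the current replacement for the AzureADPreview cmdlets, and then reads the resulting request back so reviewers can audit who elevated, when and why. The object IDs, ticket number and justification are placeholders.

```powershell
# Added example (not from the original guide): self-activate an eligible
# Entra ID role with the Microsoft Graph PowerShell SDK. IDs are placeholders.
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory"

$principalId      = "<user-object-id>"     # the admin requesting elevation
$roleDefinitionId = "<role-template-id>"   # the eligible role, e.g. Global Administrator
$ticket           = "INC0012345"           # constructed ServiceNow ticket number
$durationHours    = 2                      # stays inside the 1-4 hour window

$body = @{
    action           = "selfActivate"      # eligible -> active, requested by the user
    principalId      = $principalId
    roleDefinitionId = $roleDefinitionId
    directoryScopeId = "/"                 # tenant-wide scope
    justification    = "Rotate break-glass credentials, change $ticket"
    ticketInfo       = @{ ticketNumber = $ticket; ticketSystem = "ServiceNow" }
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        # ISO 8601 duration; the role policy's maximum still applies
        expiration    = @{ type = "afterDuration"; duration = "PT${durationHours}H" }
    }
}

# Submit the activation. MFA is enforced by the role's activation policy on the
# signed-in session, so a session that did not satisfy it is rejected here.
# If the policy requires approval the status comes back as PendingApproval,
# otherwise as Provisioned.
$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $body
"{0}: status={1}" -f $request.Id, $request.Status

# Audit trail: every request, including this one, is retained and queryable.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleRequest `
    -Filter "principalId eq '$principalId'" |
    Select-Object CreatedDateTime, Action, Status, Justification,
                  @{ n = 'Ticket';  e = { $_.TicketInfo.TicketNumber } },
                  @{ n = 'Expires'; e = { $_.ScheduleInfo.Expiration.Duration } }
```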
Conclusion
Identity is the perimeter. By ensuring that privileges are granted only when needed and for the shortest time possible, we drastically reduce the blast radius of any potential compromise.