Just-in-time access: time-limited permissions with my-IAM
Just-in-time access (JIT) is one of the most important trends in modern identity & access management. Instead of granting permanent permissions, users, administrators, or external partners receive exactly the permissions they need for a specific task and only for a limited period of time. After that, they expire automatically.
This means JIT closes several security gaps at once: permanent permissions disappear, shadow access is eliminated, and companies always maintain visibility into who has which access at what time.
We show you how to implement Just-in-Time Access in practice using the my-IAM platform.
What is Just-in-time access?
Just-in-Time Access means: access is granted only as long as it is actually needed. Instead of assigning permanent roles or groups, users receive time-limited permissions, for example for:
- an administrative task
- a temporary project
- an external service provider
- a short-term internal replacement
This approach follows the principle of least privilege and reduces attack surfaces because privileged access is not permanently active.
Why JIT Access is becoming increasingly important
Modern hybrid Microsoft environments consist of on-prem Active Directory, Entra ID, Microsoft 365, Teams, SharePoint, Azure, and many other subsystems. The number of identities and permissions is growing rapidly.
🤯 Companies face several challenges:
- Permanent permissions remain active even when no longer needed
- Service accounts often have excessive privileges
- Temporary project access is forgotten
- Offboarding processes do not fully remove permissions
- Compliance requires stricter least-privilege mechanisms
Just-in-Time Access is the answer: permissions expire automatically, are documented, and remain fully traceable.
Benefits of just-in-time access
🛡️ Reduced attack surface: no permanently active admin or special privileges.
🔍 Transparency: clear traceability of who had which permissions and when.
📑 Compliance: meets requirements of NIS2, ISO 27001, GDPR, and cyber insurance policies.
⚙️ Automation: no manual removal of temporary permissions.
🔄️ Flexibility: permissions needed briefly do not have to be granted permanently.
How JIT Access works in Microsoft environments
Microsoft offers various building blocks to implement JIT mechanisms technically:
1. Entra Privileged Identity Management (PIM)
- replaces permanent admin roles with temporary activations
- roles are eligible (activatable) but require approval
- expiration after minutes or hours
- full logging of all activations
2. Defender for Cloud – JIT VM Access
- administrative RDP/SSH access is only enabled temporarily
- ports open only after approval and for defined IP ranges
3. Microsoft 365 Privileged Access Management (PAM)
- sensitive tasks (e.g., Exchange configuration) require task-based approval
4. Purview Data Loss Prevention (DLP) JIT Protection
- controls data actions during ongoing classification
- blocks actions until the evaluation is complete
These Microsoft building blocks form the technical foundation, but they are isolated and not orchestrated across systems.
Why companies cannot implement JIT using Microsoft tools alone
Many Microsoft services offer JIT mechanisms, but:
- they cannot be controlled centrally
- each service has its own workflows, approvers, and policies
- groups, Teams, SharePoint, external guests, or local AD permissions are not fully covered
- offboarding remains a risk
Companies therefore need a central orchestration platform that:
- aggregates identities
- manages permissions across systems
- standardizes JIT processes
- centralizes approvals
- executes scheduled permission removal reliably
How the my-IAM platform enables JIT Access
The my-IAM platform by FirstAttribute is a cross-system identity platform that gathers, consolidates, enriches, and delivers identity data from a wide range of sources in real time to applications, services, and users. It acts as a neutral broker and distributor of identity information, independent of the source, target system, or authentication method.
The IDM-Portal is an IAM application that builds on the my-IAM platform and uses its data and integration logic.
In summary:
- my-IAM is the data and integration layer
- IDM-Portal is the user and process frontend built on top of it
While the my-IAM platform manages the backend, integration, and data layer, the IDM-Portal uses this consolidated data to make identity and permission processes visible and editable.
1. Central control of temporary groups and permissions
Users, guests, or service providers receive permissions only within a defined time window. Afterwards:
- they are automatically removed from groups
- roles expire
- service accounts lose their elevated privileges
2. Unified workflows for requests and approvals
Whether PIM, Teams groups, or SharePoint permissions:
- everything is requested, approved, and time-managed through one portal
3. Automated expiration control
For each access you can define:
- start time
- duration
- automatic revocation
- notifications
4. Transparent documentation and reporting
All events are consolidated:
- PIM activations
- VM access
- SharePoint/Teams permissions
- group memberships
The portal creates a unified governance report.
5. Integration into hybrid AD/Entra environments
With RealIdentity and RealGroup:
- consistent groups between AD and Entra
- no sprawl, no shadow permissions
- instant synchronization of all changes
Practical examples
1. Onboarding a new employee
A new colleague needs:
- extended access to project folders for the first week
- elevated permissions in an application for two days
✅ The IDM-Portal grants these permissions automatically with reliable expiration.
2. External contractor in a project
A partner should have access to a Team and SharePoint for three weeks.
✅ The IDM-Portal enables:
- a temporary identity
- a fixed expiration date
- automatic removal from groups at project end
3. Internal team with changing responsibilities
Marketing and Sales occasionally work on the same data.
✅ With the IDM-Portal:
- temporary group memberships enable flexible access
- audits become significantly easier with JIT evidence
- permanent forgotten permissions are avoided
Conclusion
Just-in-Time Access is now an indispensable element of modern security architectures. It reduces risk, prevents shadow access, and meets compliance requirements. While Microsoft provides many JIT building blocks, the my-IAM platform with the IDM-Portal ensures unified, cross-system control.
This creates an environment where permissions are granted on demand, time-limited, and fully controlled — the core of modern Zero Trust strategies.