Just-in-Time Local Administrator Access for Entra Joined Devices

Standing local admin rights are one of the most reliably exploited footholds in real-world incidents. If a device with permanent admin access is compromised — via malware, phished session token, or stolen credentials — the attacker inherits those privileges instantly and uses them to deploy persistence, dump credentials, or pivot. Just-in-Time (JIT) Local Administrator Access via Microsoft Entra Privileged Identity Management (PIM) closes that gap by making admin a temporary, audited, approved state instead of a permanent grant.

This guide walks the full setup: enabling PIM, configuring the Device Administrators role, assigning users as eligible (not active), the user’s activation flow, the IT approval flow, and the ongoing monitoring you need to keep the implementation honest. It assumes you’ve already read the previous post on the tenant-wide Device Local Administrator role — this post is what you do instead of permanently assigning that role.

The JIT model in one paragraph

A user is marked eligible for the Device Administrators role — eligibility means ‘allowed to ask for it’, not ‘has it’. When they need admin (installing approved software, troubleshooting a device, etc.), they activate the role through PIM with an MFA challenge, a written justification, and optional approver sign-off. The role is granted for a defined window (2–4 hours typical). When the window expires, admin is removed automatically. No human in the loop, no cron job, no chance of forgetting.

Prerequisites

| Requirement | Detail |
| --- | --- |
| Microsoft Entra ID P2 | PIM lives in P2. Included in M365 E3/E5, EMS E5, or available standalone. This is the load-bearing licensing line — if you only have P1 or Free, you can’t do JIT, and the closest equivalent is Conditional Access with strict MFA + audit logging. |
| Global Administrator (initial setup) | One-time consent and configuration of PIM. |
| Privileged Role Administrator (ongoing) | Day-to-day role configuration after PIM is live. |
| Entra-joined or Hybrid-joined devices | The Device Administrators role applies to Entra-joined devices specifically. |
| Entra accounts for everyone in scope | JIT acts on Entra identities; on-prem-only accounts can’t use it. |

Step 1 — enable PIM

  1. Sign in to entra.microsoft.com as Global Admin.
  2. Identity Governance > Privileged Identity Management.
  3. If first-time use: click Consent to PIM on the overview page, review, click Consent. Microsoft validates your P2 entitlement.
  4. Once consent completes, the PIM dashboard loads.

Immediately after enabling PIM, put your own Global Admin accounts under PIM. Standing Global Admin defeats every other layer of control you’re about to add. Eligible-only Global Admin with MFA + approval is the right pattern.

Step 2 — pick the right role

For tenant-wide local admin on Entra-joined devices, the role is Device Administrators (sometimes shown as Microsoft Entra Joined Device Local Administrator). For finer scope, see the device-specific JIT options later in this post.

  1. PIM > Manage under Microsoft Entra roles.
  2. Roles > search and select Device Administrators.
  3. Click Settings at the top — configure the role’s activation behaviour before assigning anyone.

Step 3 — configure role settings

| Setting | Recommended | Why |
| --- | --- | --- |
| Activation maximum duration | 2–4 hours | Caps blast radius if the activated session is hijacked. |
| Require MFA on activation | Yes | A stolen password alone can’t activate. Treat activation like a sensitive transaction, not a login. |
| Require justification on activation | Yes | Written reason ties activation to a ticket / change request. Audit gold. |
| Require approval to activate | Yes for privileged roles | Two-eyes principle. Auto-approve only the lowest-risk roles. |
| Approvers | Group of 2+ named admins | Single-approver setups bottleneck whenever that person is on PTO. Make it a group. |
| Notifications on activation | Yes — approvers + security admins | Activations should be visible in real time, not after the fact. |

Click Update to save.

Step 4 — assign eligible users

This is the step where most JIT implementations get quietly subverted — an admin assigns Active instead of Eligible because it’s ‘easier for testing’, the change never gets reverted, and a year later the user has standing admin while everyone thinks JIT is in effect.

  1. In the Device Administrators role view, click Assignments > Add assignments.
  2. Membership type: Eligible (NOT Active).
  3. Search and select users or, ideally, a group like JIT-Device-Admin-Eligible.
  4. Set the eligibility window:
    • Permanently eligible — the user can always request the role (rights are still never standing).
    • Time-bound eligible — the eligibility itself expires on a date. Right tool for contractors with end dates.
  5. Click Assign.

Eligible users have zero admin rights until they activate. That’s the entire point.

Step 5 — user activation flow

What an eligible user does when they actually need admin:

  1. entra.microsoft.com > Privileged Identity Management.
  2. Tasks > My roles > Microsoft Entra roles.
  3. Find Device Administrators in the Eligible tab > click Activate.
  4. Complete MFA challenge.
  5. Enter justification: e.g. “Installing approved dev tool — Jira ticket DEV-4521”.
  6. Set duration up to the configured max (e.g. 2 hours).
  7. Submit. If approval is required the request goes to approvers; the user waits.
  8. Once approved (and only then), role is active. User has local admin on every Entra-joined device for the requested window.
  9. Window expires — rights vanish automatically. No alert, no action needed.

Step 6 — approver flow

Approvers get an email and can also pull pending requests in the portal:

  1. entra.microsoft.com > PIM > Approve requests.
  2. Review user, role, requested duration, justification.
  3. Approve or Deny with optional comment.
  4. User is emailed the decision instantly.

Tier your approvals. Auto-approve low-risk roles (helpdesk read-only, basic device config) and require human approval only for high-impact ones like Device Administrators. Tiered approval avoids approver fatigue without lowering the bar where it matters.

Monitoring, auditing, and alerts

Audit history

PIM > Activity > Audit history. Every activation, approval, denial, and assignment with user, timestamp, duration, role, justification, approver. Export to CSV or stream to Sentinel / Log Analytics for retention and SIEM correlation.

Access reviews

Identity Governance > Access Reviews. Create a quarterly review of the Device Administrators eligible list. Reviewers (managers or security team) confirm or revoke each user. Anyone not confirmed is auto-removed. This is how you stop eligibility lists from quietly growing forever.

Built-in alerts

| Alert | Catches |
| --- | --- |
| Roles being activated too frequently | Possible credential compromise — one user activating dramatically more than the baseline. |
| Roles don’t require MFA for activation | Configuration drift — someone disabled MFA on activation. |
| Too many global administrators | You’re past Microsoft’s recommended ceiling of 2–4 standing GAs. |
| Roles being assigned outside of PIM | Direct role assignment bypassing JIT controls. |
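The built-in alert catches unusually frequent activations, but the same check is easy to run yourself against the audit history described above once it is in a SIEM or pulled via Graph. The script below is an added example, not part of the original post: it uses the Microsoft Graph PowerShell SDK to pull completed PIM activations for the last 30 days and flags users whose count sits far above the group's median. The AuditLog.Read.All scope, the activity name (as it appears in the Entra audit log; confirm it in your own Audit history) and the 3x-median / minimum-5 threshold are assumptions to tune for your tenant.

```powershell
# Added example (not from the original post): baseline PIM activation frequency per user
# from the Entra directory audit log. Assumes the Microsoft.Graph.Reports module and the
# AuditLog.Read.All permission.
Connect-MgGraph -Scopes 'AuditLog.Read.All' -NoWelcome

# Completed activations only; requests and approvals are separate audit events.
# Activity name as seen in the Entra audit log; verify it in Audit history if it differs.
$since  = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "loggedByService eq 'PIM' and " +
          "activityDisplayName eq 'Add member to role completed (PIM activation)' and " +
          "activityDateTime ge $since"
$events = Get-MgAuditLogDirectoryAudit -All -Filter $filter

# Group activations by the account that performed them.
$perUser = $events |
    Where-Object { $_.InitiatedBy.User.UserPrincipalName } |
    Group-Object { $_.InitiatedBy.User.UserPrincipalName } |
    Sort-Object Count -Descending

if (-not $perUser) { 'No PIM activations in the window.'; return }

# Baseline = median activations per user; flag anyone above 3x median (minimum 5).
# These thresholds are constructed example values, not Microsoft's alert logic.
$counts  = @($perUser | Select-Object -ExpandProperty Count | Sort-Object)
$median  = $counts[[int][math]::Floor($counts.Count / 2)]
$ceiling = [math]::Max(5, 3 * $median)

"PIM activations, last 30 days: $($events.Count) by $($perUser.Count) user(s); median $median, flag above $ceiling"
$perUser | ForEach-Object {
    [pscustomobject]@{
        User        = $_.Name
        Activations = $_.Count
        Flag        = if ($_.Count -gt $ceiling) { 'REVIEW' } else { '' }
    }
} | Format-Table -AutoSize
```

Rows marked REVIEW are the ones to reconcile against tickets and justifications before assuming compromise; a single user doing a bulk rollout week will also trip it.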

Advanced — narrowing the scope past tenant-wide

Device Administrators is tenant-wide. If you want device- or department-specific JIT admin, you have three options:

Administrative Units

Group devices by department, location, or sensitivity into Administrative Units. Then assign JIT-eligible roles scoped to specific AUs. Identity > Administrative Units to create and populate. Useful when one helpdesk team supports finance laptops and another supports engineering — each gets admin only on their slice.

Privileged Access Workstations (PAW) + Conditional Access

For high-value targets: designate specific hardened workstations as PAWs, then write a Conditional Access policy that allows PIM activation only from those compliant devices. Activation from any other device is blocked.

Endpoint Privilege Management (EPM) via Intune

Requires Microsoft Intune Plan 2 or the Intune Suite. EPM extends the JIT idea to single applications — a user can run one approved installer with elevated privileges without becoming local admin at all. Best fit for ‘the user just needs to install Adobe’ scenarios that don’t actually warrant full admin.

Things that bite people

Active assignment instead of Eligible

The most common failure mode. JIT only works with Eligible. Active assignment = standing rights. Audit your existing PIM assignments quarterly to make sure no Active rows snuck in.
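The quarterly audit of Active-versus-Eligible rows (Step 4 and this section) is simple to script. The following is an added example, not part of the original post: it uses the Microsoft Graph PowerShell SDK to resolve the Device Administrators role, list its eligible principals, and warn on any standing assignment (an Active row whose type is Assigned rather than a time-boxed JIT Activation). The scopes RoleManagement.Read.Directory and Directory.Read.All, the Microsoft.Graph.Identity.Governance module, and the set of display names the role may appear under are assumptions.

```powershell
# Added example (not from the original post): detect standing (Active/Assigned) assignments
# of the Device Administrators role that should have been Eligible. Assumes the
# Microsoft.Graph.Identity.Governance module and read access to role management.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

# The role shows up under different display names depending on portal/SDK version.
$roleNames = @('Device Administrators',
               'Azure AD Joined Device Local Administrator',
               'Microsoft Entra Joined Device Local Administrator')
$role = Get-MgRoleManagementDirectoryRoleDefinition -All |
    Where-Object { $_.DisplayName -in $roleNames } | Select-Object -First 1
if (-not $role) { throw 'Device Administrators role definition not found' }

# Eligibility schedules = "allowed to ask". Assignment schedules = currently Active, which is
# either 'Assigned' (standing rights, the thing JIT is meant to eliminate) or 'Activated'
# (a legitimate, time-boxed JIT activation).
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All -Filter "roleDefinitionId eq '$($role.Id)'"
$active   = Get-MgRoleManagementDirectoryRoleAssignmentSchedule  -All -Filter "roleDefinitionId eq '$($role.Id)'"

function Resolve-PrincipalName([string]$Id) {
    # Works for users and groups alike; falls back to the raw id if lookup fails.
    try { (Get-MgDirectoryObject -DirectoryObjectId $Id).AdditionalProperties['displayName'] }
    catch { "<unresolved $Id>" }
}

$standing  = @($active | Where-Object { $_.AssignmentType -eq 'Assigned' })
$activated = @($active | Where-Object { $_.AssignmentType -eq 'Activated' })

"Role: $($role.DisplayName)"
"Eligible principals:       $(@($eligible).Count)"
"JIT-activated right now:   $($activated.Count)"
if ($standing.Count -gt 0) {
    Write-Warning "$($standing.Count) STANDING assignment(s) bypass JIT:"
    $standing | ForEach-Object {
        [pscustomobject]@{
            Principal  = Resolve-PrincipalName $_.PrincipalId
            Scope      = $_.DirectoryScopeId
            Expiration = if ($_.ScheduleInfo.Expiration.EndDateTime) { $_.ScheduleInfo.Expiration.EndDateTime } else { 'never' }
        }
    } | Format-Table -AutoSize
} else {
    'No standing assignments found.'
}
```

Any row in the warning table is a migration leftover or a ‘temporary for testing’ Active grant; remove it and confirm the principal exists in the eligible set instead.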

Approver bottleneck

One named approver = one PTO day = legitimate work blocked = pressure to bypass JIT. Always assign at least two approvers, ideally a group.

Activation lasts longer than the work

If you set max duration to 8 hours and people activate for the full 8 hours every time, you’ve essentially recreated standing admin with extra steps. Tighten to 2–4 hours and let people re-activate if they truly need more time.

P2 license assumed but not assigned

Tenant has P2 licenses but they aren’t assigned to the eligible users. Activations fail at the license check. Verify under the user’s Licenses tab in Entra.

JIT sold to leadership but never enforced

You configure PIM, assign eligibility, and never go back to remove the legacy standing assignments — so the privileged users have both. Always remove the original Active assignment after migrating someone to Eligible.

Implementation checklist

  • [ ] Entra ID P2 licensed and assigned to all in-scope users
  • [ ] PIM enabled and consented
  • [ ] Device Administrators role configured: MFA + justification + approval + 2–4h max
  • [ ] Eligible (not Active) assignments created
  • [ ] Two-or-more approvers designated
  • [ ] Audit logs reviewed and forwarded to SIEM
  • [ ] Quarterly access review scheduled
  • [ ] PIM security alerts enabled
  • [ ] End-user training on activation workflow delivered
  • [ ] Pilot group tested before wide rollout

What’s next

That covers the device side of JIT admin. The next post in the Entra ID Security pathway shifts gears to Device Registration for BYOD — how to let users bring personal phones, tablets, and home PCs onto company resources without joining them to your tenant. Different relationship, different controls.