
Just-in-time admin accounts

How JIT accounts work

High-level overview of how idemeum implemented JIT admin accounts.

Product components

  1. Idemeum cloud - idemeum cloud serves as the management plane. You use your MSP admin portal to set up all settings and customers for your tenant. When you create a customer tenant, you can choose which settings to apply, e.g. desktop branding, how users log in, how technicians log in, who has access to customer workstations, etc. The settings are periodically pulled and applied by the desktop clients registered for the specific customer tenant.
  2. Idemeum desktop client - the idemeum desktop client is installed on each customer workstation to manage user and technician login. The desktop client enables various services, including a credential provider, offline login, account creation, and more. The desktop client is associated with a customer tenant, and will periodically pull the settings that are configured for that tenant.
  3. Passwordless MFA - technicians do not use passwords to access customer workstations. What is more, technicians are never exposed to the local admin account passwords. Every login is performed with a mobile application by scanning a QR-code or triggering a push notification. This way every login is protected by Passwordless MFA, and two factors are used - biometrics (something you are), and certificates (something you have). More about Passwordless MFA security.
  4. Entra ID tenant - you connect the customer's Entra ID tenant with the associated idemeum customer tenant. The connection is established with the OAuth protocol so that client credentials can be obtained to perform API calls. When connecting an Entra ID tenant you can set various settings, including which domain to use for account creation, how long the accounts should stay active, and more.
  5. Idemeum portal - the idemeum portal allows technicians to conveniently request Entra ID accounts for the tenants they need to access, and also to retrieve the credentials for their accounts. Access to the portal is protected with FIDO2 Passwordless MFA.
  6. Idemeum extension - the idemeum browser extension lets technicians seamlessly autofill Entra ID credentials when accessing a customer's Entra ID tenant.

How JIT computer accounts work

Below you can see a high-level flow for a technician accessing a customer workstation with the idemeum mobile application.

  1. When the idemeum desktop client is installed, it is registered with a chosen customer tenant (idemeum offers a cloud MSP portal). The desktop client can be installed manually or using a variety of silent installation methods. Once installed, the desktop client registers a new credential provider that handles MSP technician logins.
  2. The idemeum desktop client periodically reaches out to idemeum cloud to retrieve its settings. Idemeum cloud is the management plane where you set up all configuration, including how technicians log in, who has access to which computers, and more.
  3. When a new technician is hired, he is simply onboarded with Passwordless MFA. A user record is created in the MSP tenant with an associated email address. The technician installs the idemeum mobile application, verifies his email, navigates to the MSP tenant URL, scans the QR-code and onboards. Once the technician is onboarded, he can be promoted to an admin role (access to all customer tenants and workstations), or he can be delegated access to certain customer tenants only.
  4. The technician can now navigate to a workstation, scan the QR-code and log in with an individual local admin account. Technicians can log in using various methods, including QR-code scanning or triggering a push notification.
  5. The desktop client handles the account lifecycle automatically: it creates a local admin account if necessary, assigns a random 12-digit secure password, enables the account for the duration of the session, rotates the password after log out, and disables the account when not in use. All features are described below.
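The lifecycle in step 5 (create if missing, random password, enable for the session, rotate and disable afterwards) can be expressed with the built-in local-account cmdlets. The script below is an added example written for this page, not idemeum's desktop client code; the account name, password length, group and audit log path are assumptions, and a real client would be triggered by the credential provider at logon and logoff rather than run by hand.

```powershell
#Requires -RunAsAdministrator
# Added example (not idemeum's desktop client): JIT local admin lifecycle using the
# Microsoft.PowerShell.LocalAccounts cmdlets shipped with Windows.
# Account name, password length and audit log path are assumptions for illustration.

$JitAccountName = 'jit-tech-example'                          # hypothetical per-technician account
$JitAuditLog    = Join-Path $env:ProgramData 'jit-admin-audit.log'

function Get-RandomIndex {
    param([int]$Max)
    # CSPRNG-backed index in [0, Max); modulo bias is negligible for the small ranges used here
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 4
    $rng.GetBytes($buf)
    [int]([System.BitConverter]::ToUInt32($buf, 0) % [uint32]$Max)
}

function New-RandomPassword {
    param([int]$Length = 16)   # the page mentions 12 characters; 16 is this example's default
    # One character from each class is guaranteed so the password passes common
    # local complexity policies; the remainder is drawn from the full alphabet.
    $classes = @('ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!@#$%^&*-_=+')
    $all = -join $classes
    $chars = foreach ($set in $classes) { $set[(Get-RandomIndex $set.Length)] }
    while ($chars.Count -lt $Length) { $chars += $all[(Get-RandomIndex $all.Length)] }
    # Fisher-Yates shuffle so the class-guaranteed characters are not always first
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex ($i + 1)
        $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
    }
    -join $chars
}

function Write-JitAudit {
    param([string]$Event, [string]$Account)
    # Local audit trail; the desktop client would ship this to the management plane instead
    $line = '{0} {1} {2} on {3}' -f (Get-Date -Format o), $Event, $Account, $env:COMPUTERNAME
    Add-Content -Path $JitAuditLog -Value $line
}

function Enable-JitAdmin {
    param([string]$Name = $JitAccountName)
    $password = New-RandomPassword
    $secure   = ConvertTo-SecureString $password -AsPlainText -Force
    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        # Create the local admin account only if it does not exist yet
        New-LocalUser -Name $Name -Password $secure -PasswordNeverExpires `
            -Description 'JIT technician admin (managed, disabled between sessions)' | Out-Null
        Add-LocalGroupMember -Group 'Administrators' -Member $Name
    } else {
        Set-LocalUser -Name $Name -Password $secure
    }
    Enable-LocalUser -Name $Name
    Write-JitAudit -Event 'enabled' -Account $Name
    return $password   # handed to the credential provider for this session only, never logged
}

function Disable-JitAdmin {
    param([string]$Name = $JitAccountName)
    # Rotate the password first so any retained copy is useless, then disable the account
    Set-LocalUser -Name $Name -Password (ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force)
    Disable-LocalUser -Name $Name
    Write-JitAudit -Event 'disabled' -Account $Name
}

# Usage, as the credential provider would drive it:
#   $sessionPassword = Enable-JitAdmin     # at technician logon
#   Disable-JitAdmin                       # at logoff
```

Between sessions the account exists but is disabled with an unknown password, which is what makes the standing local admin account harmless to an attacker who reads the SAM offline; the audit log gives a defender a per-workstation timeline of when elevated access was enabled and revoked.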

How JIT Entra ID accounts work

Below is a high-level flow of how technicians will request Entra ID accounts, and how they can access Entra ID with credentials auto-fill.

  1. First you create an idemeum customer tenant and connect that tenant with your customer's Entra ID tenant. The connection is made with the OAuth authorization flow. You will need an Entra ID admin account to authorize the connection and grant idemeum cloud the permissions to create and manage Entra ID accounts. You can also specify additional settings, such as how long the accounts should stay enabled and which roles to assign to technicians when accounts are created.
  2. The technician accesses the customer idemeum tenant with Passwordless MFA.
  3. Once logged in, the technician can access the idemeum portal to request an Entra ID account. Using your idemeum MSP portal you control which of your technicians have access to which customer tenants.
  4. Idemeum cloud calls Entra ID APIs to create a just-in-time account for the technician, assigns the required roles, and starts the timer for how long the account needs to stay active.
  5. The technician can now retrieve the account credentials and access the Entra ID tenant manually, or launch an application from the portal or extension and have the credentials filled in automatically.
  6. Once the application is launched, the idemeum extension autofills the credentials so that the technician does not need to copy and paste them manually.
  7. After the specified time, idemeum cloud disables the account for the technician and captures all access information in the audit logs.
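Steps 4 and 7 (create the account through the Entra ID API, assign a role, start a timer, then disable and audit) map onto a handful of Microsoft Graph calls. The script below is an added example for this page using the Microsoft Graph PowerShell SDK, not idemeum cloud's implementation; the app registration, tenant, domain, role name, lifetime and the JSON state file used to track expiry are all assumptions. One caveat worth keeping when building something like this: setting `accountEnabled` to false does not invalidate tokens that were already issued, so the expiry sweep also revokes the user's sign-in sessions.

```powershell
# Added example (not idemeum cloud's code): JIT Entra ID account lifecycle with the
# Microsoft Graph PowerShell SDK (Microsoft.Graph module). Tenant, app, domain, role,
# lifetime and state-file path are placeholders. Assumed application permissions:
# User.ReadWrite.All, RoleManagement.ReadWrite.Directory, User.RevokeSessions.All.

$JitStateFile = Join-Path $env:ProgramData 'jit-entra-state.json'   # expiry tracking (assumption)
$JitAuditLog  = Join-Path $env:ProgramData 'jit-entra-audit.log'

function Connect-JitGraph {
    param([string]$TenantId, [string]$ClientId, [string]$CertificateThumbprint)
    # App-only (client credentials) sign-in with a certificate rather than a shared secret
    Connect-MgGraph -TenantId $TenantId -ClientId $ClientId -CertificateThumbprint $CertificateThumbprint | Out-Null
}

function New-GraphPassword {
    # 24 random bytes -> 32 base64 characters; retry until 3 of the 4 character classes
    # Entra ID's cloud password policy requires are present
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] 24
        $rng.GetBytes($bytes)
        $pw = [Convert]::ToBase64String($bytes)
        $classes = @('[A-Z]', '[a-z]', '[0-9]', '[^A-Za-z0-9]') | Where-Object { $pw -cmatch $_ }
    } while (@($classes).Count -lt 3)
    $pw
}

function Get-JitState {
    if (Test-Path $JitStateFile) { @(Get-Content $JitStateFile -Raw | ConvertFrom-Json) } else { @() }
}
function Save-JitState { param($State) ConvertTo-Json -InputObject @($State) -Depth 3 | Set-Content $JitStateFile }
function Write-JitAudit { param([string]$Message)
    Add-Content -Path $JitAuditLog -Value ('{0} {1}' -f (Get-Date -Format o), $Message)
}

function New-JitEntraAccount {
    param(
        [string]$Technician,                          # e.g. 'jdoe', from the MSP tenant user record
        [string]$Domain = 'customer.example.com',     # verified domain chosen in tenant settings (placeholder)
        [string]$RoleName = 'Helpdesk Administrator', # least-privilege role for the task (assumption)
        [int]$LifetimeHours = 4
    )
    $password = New-GraphPassword
    $user = New-MgUser -AccountEnabled -DisplayName "JIT $Technician" -MailNickname "jit-$Technician" `
        -UserPrincipalName "jit-$Technician@$Domain" `
        -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $false }
    # Get-MgDirectoryRole only returns roles that are already activated in the tenant
    $role = Get-MgDirectoryRole -Filter "displayName eq '$RoleName'"
    if (-not $role) { throw "Role '$RoleName' is not activated in this tenant" }
    New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
    }
    $expires = (Get-Date).ToUniversalTime().AddHours($LifetimeHours)
    $state = Get-JitState
    $state += [pscustomobject]@{ UserId = $user.Id; Upn = $user.UserPrincipalName; ExpiresUtc = $expires.ToString('o') }
    Save-JitState $state
    Write-JitAudit "created $($user.UserPrincipalName) role=$RoleName expires=$($expires.ToString('o'))"
    # Returned once to the requesting technician (e.g. through the portal); the password is never logged
    [pscustomobject]@{ UserPrincipalName = $user.UserPrincipalName; Password = $password; ExpiresUtc = $expires }
}

function Disable-ExpiredJitEntraAccounts {
    # Run on a schedule; this is the "timer" from the flow above
    $now = (Get-Date).ToUniversalTime()
    $remaining = @()
    foreach ($entry in Get-JitState) {
        if (([datetime]$entry.ExpiresUtc).ToUniversalTime() -le $now) {
            Update-MgUser -UserId $entry.UserId -AccountEnabled:$false
            # Disabling alone leaves already-issued tokens valid; revoke sessions to cut access now
            Revoke-MgUserSignInSession -UserId $entry.UserId | Out-Null
            Write-JitAudit "disabled $($entry.Upn) and revoked sessions"
        } else {
            $remaining += $entry
        }
    }
    Save-JitState $remaining
}

# Usage:
#   Connect-JitGraph -TenantId '<tenant-id>' -ClientId '<app-id>' -CertificateThumbprint '<thumbprint>'
#   $cred = New-JitEntraAccount -Technician 'jdoe' -LifetimeHours 2
#   Disable-ExpiredJitEntraAccounts      # from a scheduled job
```

Keeping the expiry state outside the directory is a simplification for the example; the important properties for a defender are that every account has a recorded owner, role and expiry, that the sweep is idempotent, and that the audit line for creation and for disablement can be correlated with the tenant's own sign-in logs.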

Questions?

If you have additional questions about how Elevated Access to Computers works, reach out to us in Discord chat.