How do Microsoft online services protect production systems from unauthorized or malicious access?

Microsoft online services are designed to allow Microsoft's engineers to operate services without accessing customer content. By default, Microsoft engineers have Zero Standing Access (ZSA) to customer content and no privileged access to the production environment. Microsoft online services use a Just-In-Time (JIT), Just-Enough-Access (JEA) model to provide service team engineers with temporary privileged access to production environments when such access is required to support Microsoft online services. The JIT access model replaces traditional, persistent administrative access with a process for engineers to request temporary elevation into privileged roles when required.

Engineers assigned to a service team to support production services request eligibility for a service team account through an identity and access management solution. The request for eligibility triggers a series of personnel checks to ensure the engineer has passed all cloud screening requirements, completed necessary training, and received appropriate management approval prior to account creation. Only after meeting all eligibility requirements can a service team account be created for the requested environment. To maintain eligibility for a service team account, personnel must go through role-based training annually and rescreening every two years. Failure to complete or pass these checks results in eligibilities automatically being revoked.

Service team accounts don’t grant any standing administrator privileges or access to customer content. When an engineer requires additional access to support Microsoft online services, they request temporary elevated access to the resources they require using an access management tool called Lockbox. Lockbox restricts elevated access to the minimum privileges, resources, and time needed to complete the assigned task. If an authorized reviewer approves the JIT access request, the engineer is granted temporary access with only the privileges necessary to complete their assigned work. This temporary access requires multi-factor authentication and is automatically revoked after the approved period expires.

JEA is enforced by eligibilities and Lockbox roles at the time of request for JIT access.