1. Planning.

• Assessment
  ‍Start by identifying who needs access, what resources they will need, and the reasons why. Review current access rights and see if they can be downsized or even removed. An entitlement discovery tool could be a valuable asset for this process.
• Policy creation
  Clearly decide on policies for both granting and revoking access. Guidelines should be set out on who can request access, in what situations, and for how long. Particularly for privileged roles, establish time-limited parameters.
• Source of truth
  Link your JIT access mechanism to an Identity Provider (for instance, Okta, Google Workspace, Azure AD, OneLogin). This will serve as the confirmed source for identities. Opt for de/escalating individual identities rather than shared accounts for a more accurate authorization control and audit.

2. Execution.

• Self-serve access requirements
  Make it easier for users by allowing them to request access through the system instead of through individuals. Encourage its use by integrating with IM platforms such as Slack or MS Teams. All requests must outline who is asking, the service/resource/role needed, duration, and reason.

• Approval process
  Delegating approvals to those who are more knowledgeable about the business can be a major benefit of JIT access. Resource owners and business unit managers usually have better understanding than IT helpdesks. Use instant messaging platforms for quick responses, ensuring that all necessary information for an informed decision is supplied to approvers.

• Conditional approval workflows
• Instill your set policies into workflows that guide access permissions. Develop them into workflows that decide who has access to what, and under what conditions. A proven method is by implementing if-then conditions. E.g., IF identity group “X” wants access to “Y”, then approval from “Z” must be sought and “M” must be informed.

• Integrations
  Consider integrating JIT Access with other IT and security systems for increased flexibility; e.g., integrate with IT ticketing systems for automated access derived from ticket status. Connection with data classification systems can adjust policies based on data sensitivity. Ideally, the ability to identify resources and merge them together can simplify this process. Working in tandem with on-call schedule software can automate approvals during emergencies while training systems can grant access based on course completion.
• Automated provisioning and deprovisioning
  Understand Microsoft 365 Admin Center well to efficiently grant and retract access automatically within the service. Automatic revoking of access is essential for JIT Access, conforming to the principle of least privilege access (POLP). Ideally, all permissions would be managed in a single place, eliminating the need to create or manage an environment for each application in the organization.
• Access methods
  For Microsoft 365 Admin Center JIT Access, APIs are recommended due to their versatility and real-time capabilities. However, a combination may be necessary, such as employing SAML for authentication, SCIM for user provisioning, and APIs for definitive access control decisions.

3. Maintenance.

• Regular audits
  Periodically review access logs to confirm that JIT access is functioning correctly. Look for any strange patterns or behaviors, either directly or by inputting the logs into your SIEM. Automating the user access review process can speed up evidence collection, delegate reviewers, and ensure your system is compliant with pertinent industry regulations or standards.
• User training
  Teach users, particularly privileged ones, about the significance of least privilege, JIT Access, and how it functions. Help users understand how to request access when it's necessary.
• Feedback loop  
  Regularly review your JIT access procedures. Get feedback from users and IT staff to see where improvements can be made. Following these steps will enable you to efficiently put a robust Just-in-Time Access system in place for Microsoft 365 Admin Center.