How can we use Just in Time MFA

Just In Time MFA allows selected users to share a common username on a short-term basis. This lets users log in with a shared account such as Administrator or Admin without tying that account to a single user's access or token.

Example: user jsmith needs to log into a Windows Domain administrator account named acmeadmin.

  • We create the user acmeadmin and enable it for Just In Time MFA (JIT).
  • We then allow access to the acmeadmin account via an AAoD Group.
  • Any member of the Group can reserve the username and will have exclusive use of it for the designated duration.

Note: Just In Time MFA (JIT) is only compatible with the one-time password (OTP) authentication method.

Note: Users must reserve the JIT-enabled account each time they wish to authenticate with it. The reservation expires as soon as an authentication is successful.

Enabling Group access to the common username

  1. Administrator will log into your AAoD tenant https://(your tenant).my.authanvil.com
  2. Select Directory Manager.
  3. Select Groups.

  4. Select the green plus sign in the bottom right corner.

  5. Name the Group JIT_Username.
    Note: Replace Username with the common username you want to allow access to.
    Example: Administrator or Admin.

  6. Select Add Group.


  7. Add the desired users to the Group JIT_Username.


To enable Just In Time MFA for a common username

  1. Administrator will log into your AAoD tenant https://(your tenant).my.authanvil.com
  2. Select Directory Manager.
  3. Select Users.
  4. Create the user account by selecting the green plus sign in the bottom right.
  5. Name the user account with the common name. Example: Admin, Administrator, admintech, etc.
  6. Enable User supports Just In Time MFA.
  7. Select the Reservation Time.
    Note: This should be set to an interval of no less than 1 minute. 5 minutes is recommended to allow enough time for a user to log in.
    Note: Each user will need to reserve the JIT username before they can use it. The reservation is only valid for one authentication.
  8. Select the Group Membership that will be allowed to access this username.
    Note: Use the Group JIT_Username that was created above.

Usage

  1. User will log into their AAoD tenant.
  2. User selects Just In Time MFA.
  3. User selects Reserve User on the JIT user account they wish to access.

The user should now be able to log into a resource, such as a Windows Credential Provider, using the common username (for example, Administrator) together with their own OTP (one-time password).
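The reservation rules described above (exclusive reservation by one group member, bounded by the configured Reservation Time, consumed by a single successful OTP login) are modelled here as an added example; this is not AuthAnvil code and assumes nothing about the product's API. The audit list shows which named user was behind each use of the shared username, which is the record a defender wants when a common account like acmeadmin is shared.

```python
# Constructed model of the Just In Time MFA reservation rules this article
# describes. Times are plain seconds; group names and events are assumptions.

class JitAccount:
    def __init__(self, name, allowed_group, reservation_minutes=5):
        self.name = name                          # common username, e.g. acmeadmin
        self.allowed_group = set(allowed_group)   # members of the JIT_<name> group
        self.window = reservation_minutes * 60    # reservation lifetime in seconds
        self.reservation = None                   # (holder, expires_at) or None
        self.audit = []                           # (time, event, real user)

    def _active(self, now):
        return self.reservation is not None and now < self.reservation[1]

    def holder(self, now):
        """Named user currently entitled to the shared username, if any."""
        return self.reservation[0] if self._active(now) else None

    def reserve(self, user, now):
        """Reserve the username; fails if the user is outside the group or
        another member holds an unexpired reservation."""
        if user not in self.allowed_group:
            self.audit.append((now, "reserve_denied_not_member", user))
            return False
        if self._active(now) and self.reservation[0] != user:
            self.audit.append((now, "reserve_denied_in_use", user))
            return False
        self.reservation = (user, now + self.window)
        self.audit.append((now, "reserved", user))
        return True

    def authenticate(self, user, otp_valid, now):
        """Log in as the common username with the user's own OTP. Only the
        current holder may succeed, and success expires the reservation."""
        if self.holder(now) != user:
            self.audit.append((now, "auth_denied_no_reservation", user))
            return False
        if not otp_valid:
            self.audit.append((now, "auth_failed_otp", user))
            return False   # reservation survives until it expires or a login succeeds
        self.reservation = None
        self.audit.append((now, "auth_success", user))
        return True
```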
