TL;DR: Standing privilege in Azure leaves users, service principals, managed identities, automation, vendors, and AI agents holding access that outlives the work it was granted for, so blast radius keeps growing even when authentication is strong, according to Sonrai Security. The control problem is permissions, not sign-in: JIT only helps when it covers every identity type and when roles are right-sized before they are made eligible, because activating an over-broad role for an hour still grants that role's full blast radius for the hour.
NHIMG editorial — based on content published by Sonrai Security: Just-In-Time Access for Azure Without New Infrastructure
By the numbers:
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job.
- 33% of organisations report their AI agents have accessed inappropriate or sensitive data beyond their intended scope.
Questions worth separating out
Q: How should security teams implement just-in-time access for Azure identities?
A: Start by scoping roles down before they are made eligible, then apply time-limited activation, justification, and approval to the exact permissions that carry meaningful blast radius.
Q: Why do standing privileges increase cloud blast radius so quickly?
A: Standing privilege means an identity can act immediately with whatever permissions it already holds, so compromise, misuse, or simple operational drift can be turned into broader impact without any new access grant.
Q: What do teams get wrong about Azure just-in-time access?
A: The most common mistake is treating JIT as a human-admin feature and assuming role activation alone solves privilege risk. Activation changes when an identity holds a role, not how much the role can do; a time-boxed Owner is still Owner while the window is open.
Practitioner guidance
- Right-size roles before enabling JIT. Review Azure roles for broad actions (`*` or provider-level wildcards), wildcard permissions that NotActions only partly carve back, and assignments at subscription or management-group scope before making them eligible for temporary activation.
- Extend JIT governance to non-human identities. Bring service principals, managed identities, CI/CD accounts, vendor identities, and AI agents into the same entitlement review process as human administrators; in role-assignment data, managed identities show up as service principals, so filtering on "users" alone misses them.
- Separate network controls from permission controls. Azure JIT VM access only opens inbound management ports for a window; it governs connectivity, not what an identity can do in Azure Resource Manager after it authenticates. Use privilege controls for the latter.
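The first two points above (right-size before enrollment, and review non-human principals alongside humans) reduce to a review that can be scripted. The following is an added example written for this editorial, not code from Sonrai Security or the article it summarises. It assumes the input JSON has the shape emitted by `az role definition list -o json` and `az role assignment list --all -o json` (field names such as `roleName`, `permissions[].actions`, `principalType`, `scope` are taken from that CLI output; treat the shape as an assumption and adjust if your export differs). All sample role definitions and assignments below are constructed for the example, and the script never contacts Azure.

```python
"""Pre-JIT review of Azure role assignments.

Flags, for each assignment, what should be right-sized before the role is made
eligible in PIM: wildcard actions, subscription-or-wider scope, and non-human
principals that must be in the same review as human admins.
Input shape is ASSUMED to mirror `az role definition list` / `az role assignment
list` JSON; the sample data is constructed for this example.
"""
import json

# Constructed sample role definitions (assumed `az role definition list` shape).
ROLE_DEFINITIONS_JSON = r'''
[
  {"roleName": "Contributor", "roleType": "BuiltInRole",
   "permissions": [{"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/*/Write"],
                    "dataActions": [], "notDataActions": []}]},
  {"roleName": "VM Restart Operator (custom)", "roleType": "CustomRole",
   "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/read",
                                "Microsoft.Compute/virtualMachines/restart/action"],
                    "notActions": [], "dataActions": [], "notDataActions": []}]},
  {"roleName": "Blob Container Admin (custom)", "roleType": "CustomRole",
   "permissions": [{"actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/*"],
                    "notActions": [],
                    "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"],
                    "notDataActions": []}]}
]
'''

# Constructed sample assignments (assumed `az role assignment list` shape).
# Note: managed identities are reported with principalType "ServicePrincipal".
ROLE_ASSIGNMENTS_JSON = r'''
[
  {"principalName": "alice@contoso.example", "principalType": "User",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"principalName": "bob@contoso.example", "principalType": "User",
   "roleDefinitionName": "VM Restart Operator (custom)",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-prod"},
  {"principalName": "cicd-deployer", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-prod"},
  {"principalName": "vm-ops-agent", "principalType": "ServicePrincipal",
   "roleDefinitionName": "VM Restart Operator (custom)",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-prod"},
  {"principalName": "report-bot-mi", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Blob Container Admin (custom)",
   "scope": "/providers/Microsoft.Management/managementGroups/mg-root"}
]
'''

BROAD_LEVELS = ("tenant", "managementGroup", "subscription")


def wildcard_actions(role):
    """Every control- or data-plane action in the role containing '*'.
    'Microsoft.Compute/*' is as much a wildcard as '*': both grant actions the
    author never enumerated, and NotActions only carve holes, never a list."""
    found = []
    for perm in role.get("permissions", []):
        for key in ("actions", "dataActions"):
            found.extend(a for a in perm.get(key, []) if "*" in a)
    return found


def scope_level(scope):
    """Classify an ARM scope string. Check the most specific markers first,
    since a resource-group scope also starts with '/subscriptions/'."""
    s = scope.lower()
    if "/providers/microsoft.management/managementgroups/" in s:
        return "managementGroup"
    if "/resourcegroups/" in s:
        tail = s.split("/resourcegroups/", 1)[1]
        return "resource" if "/" in tail else "resourceGroup"
    if s.startswith("/subscriptions/"):
        return "subscription"
    return "tenant" if s == "/" else "unknown"


def review_assignments(role_defs, assignments):
    """One finding per assignment. An empty 'reasons' list means the
    assignment is already narrow enough to be made PIM-eligible as-is."""
    by_name = {r["roleName"]: r for r in role_defs}
    findings = []
    for a in assignments:
        role = by_name.get(a["roleDefinitionName"], {})
        reasons = []
        wild = wildcard_actions(role)
        if wild:
            reasons.append("wildcard actions: " + ", ".join(wild))
        level = scope_level(a["scope"])
        if level in BROAD_LEVELS:
            reasons.append(f"broad scope ({level})")
        if a.get("principalType") != "User":
            reasons.append(f"non-human principal ({a.get('principalType')}): "
                           "must be in the same JIT review as admins")
        findings.append({"principal": a["principalName"], "role": a["roleDefinitionName"],
                         "scope_level": level, "reasons": reasons})
    return findings


def load_and_review():
    return review_assignments(json.loads(ROLE_DEFINITIONS_JSON),
                              json.loads(ROLE_ASSIGNMENTS_JSON))


if __name__ == "__main__":
    for f in load_and_review():
        status = "RIGHT-SIZE FIRST" if f["reasons"] else "OK TO MAKE ELIGIBLE"
        print(f"{status:20} {f['principal']:24} {f['role']} @ {f['scope_level']}")
        for r in f["reasons"]:
            print("    -", r)
```

Against the constructed sample, only bob's resource-group-scoped custom role passes without findings; the Contributor assignments are flagged for the `*` action regardless of who holds them, the management-group assignment is flagged for scope, and every service principal is flagged so it lands in the same review queue as the human admins. To run it against a real tenant, replace the two embedded JSON strings with the output of `az role definition list -o json` and `az role assignment list --all -o json`, bearing in mind the field names are assumed from that CLI output.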
What's in the full article
Sonrai Security's full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step guidance on using Entra PIM for eligible Azure roles and understanding what it does not cover.
- The distinction between Azure JIT VM access and permissions-layer control, including where each control stops.
- Practical workflow advice for approval paths, justification records, and role right-sizing before enrollment.
- Operational examples for handling service principals, managed identities, and AI agents under a JIT model.
Read Sonrai Security's full blog post on just-in-time access for Azure for the operational detail summarised above.