
Building a JIT app for elevated permissions on Microsoft Power Platform


The Microsoft Digital Transformation Platform team internally uses Dynamics 365 and Power Platform to manage its business operations. As part of the Success Hub implementation, we sometimes need to perform administrative and data maintenance tasks in our production environment. In line with the principle of least privilege, these role assignments must be temporary rather than standing. To handle such situations, we built a Just in Time (JIT) app for assigning Admin roles, using Power Platform.

Solution Design

[Figure: design of the JIT app and the Power Platform services it uses]

The team set out to build a lightweight and extensible solution that could be linked to a Dynamics 365 instance. Users request elevated access to the Dynamics 365 environment through a canvas app.

Power Automate orchestrates the business logic to log JIT requests, assign and unassign roles, and notify users of the action taken. The flow is triggered when the form is submitted from the canvas app. The flow also records the request outside Dataverse, in SharePoint, for auditing: if the audit record lived in Dataverse, a requester who is then granted System Administrator could alter or delete the JIT audit trail itself.

The flow then checks whether the requester is a member of a predefined Azure AD group containing the users approved for JIT access. The request is approved or denied solely on the requester's membership of that group.

If the request is approved, the user is notified by email and the role is assigned for 8 hours (configurable). When that window ends, the role is removed and the user is notified of the removal.

A second flow runs on a schedule to remove users who hold elevated access without a valid JIT request, for example System Administrator roles that a temporary JIT admin granted to other users while elevated.
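The lifecycle described above (request, group check, timed grant, expiry, and the scheduled sweep for role assignments made outside the JIT process) is implemented in the post as Power Automate flows. The following is an added example, not the post's flows or Microsoft code: it models the same policy in plain Python so the rules can be exercised offline. The `FakeEnvironment` class, the `standing_admins` exclusion list (accounts such as a service principal that the sweep must leave alone, which the post does not mention), the `@example.com` accounts and the timestamps are all constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ADMIN_ROLE = "System Administrator"   # the Dataverse role being lent out
GRANT_DURATION = timedelta(hours=8)   # 8 hours, configurable, as in the post


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    granted_at: datetime
    expires_at: datetime

    def is_valid(self, now: datetime) -> bool:
        return self.granted_at <= now < self.expires_at


class FakeEnvironment:
    """Stand-in for a Dataverse environment's role assignments (constructed)."""

    def __init__(self) -> None:
        self._roles: dict[str, set[str]] = {}

    def assign(self, user: str, role: str) -> None:
        self._roles.setdefault(role, set()).add(user)

    def unassign(self, user: str, role: str) -> None:
        self._roles.get(role, set()).discard(user)

    def members(self, role: str) -> set[str]:
        return set(self._roles.get(role, set()))


class JitService:
    """Approval, timed grant, expiry and reconciliation for a single role."""

    def __init__(self, env: FakeEnvironment, approved_group: set[str],
                 standing_admins: set[str]) -> None:
        self.env = env
        self.approved_group = approved_group    # members of the Azure AD group allowed to request
        self.standing_admins = standing_admins  # assumption: accounts the sweep must not touch
        self.audit: list[dict] = []             # append-only; lives outside the environment
        self.grants: dict[str, Grant] = {}      # active grants keyed by user

    def _log(self, **event) -> None:
        self.audit.append(event)

    def request(self, user: str, now: datetime) -> bool:
        """Approve or deny on group membership alone; returns True if granted."""
        if user not in self.approved_group:
            self._log(action="denied", user=user, at=now)
            return False
        grant = Grant(user, ADMIN_ROLE, now, now + GRANT_DURATION)
        self.grants[user] = grant
        self.env.assign(user, ADMIN_ROLE)
        self._log(action="granted", user=user, at=now, expires=grant.expires_at)
        return True

    def expire(self, now: datetime) -> list[str]:
        """Timer step: remove grants whose window has closed."""
        removed = [u for u, g in self.grants.items() if not g.is_valid(now)]
        for user in removed:
            del self.grants[user]
            self.env.unassign(user, ADMIN_ROLE)
            self._log(action="expired", user=user, at=now)
        return removed

    def reconcile(self, now: datetime) -> list[str]:
        """Scheduled sweep: strip the role from anyone holding it without a live grant."""
        self.expire(now)
        allowed = self.standing_admins | {u for u, g in self.grants.items() if g.is_valid(now)}
        stray = sorted(self.env.members(ADMIN_ROLE) - allowed)
        for user in stray:
            self.env.unassign(user, ADMIN_ROLE)
            self._log(action="revoked_unrequested", user=user, at=now)
        return stray


def demo() -> dict:
    """Walk the lifecycle on constructed accounts and return the observations."""
    t0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
    env = FakeEnvironment()
    env.assign("svc-admin@example.com", ADMIN_ROLE)   # standing admin (constructed)
    jit = JitService(env, approved_group={"alice@example.com"},
                     standing_admins={"svc-admin@example.com"})
    approved = jit.request("alice@example.com", t0)
    denied = jit.request("mallory@example.com", t0)
    # While elevated, Alice hands the role to a colleague outside the JIT process.
    env.assign("bob@example.com", ADMIN_ROLE)
    stray = jit.reconcile(t0 + timedelta(hours=1))   # sweep catches Bob, keeps Alice
    after_sweep = env.members(ADMIN_ROLE)
    expired = jit.expire(t0 + GRANT_DURATION)         # Alice's 8-hour window closes
    return {"approved": approved, "denied": denied, "stray": stray,
            "after_sweep": after_sweep, "expired": expired,
            "final_admins": env.members(ADMIN_ROLE),
            "audit_actions": [e["action"] for e in jit.audit]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The sweep computes the allowed set as standing admins plus users with a live grant and removes everyone else holding the role, which is the invariant the scheduled flow in the post enforces; the audit list is deliberately a separate object from the environment, mirroring the choice to keep the JIT log in SharePoint rather than Dataverse.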

Get the unmanaged solution, along with setup instructions.

The above solution is a simple approach to JIT access. It can be extended and enhanced in several ways, for example:

  • Audit logging – In the design above, the JIT audit is kept in SharePoint for simplicity. Given the extensive list of Power Automate connectors, audit logging can instead go to Azure SQL, Azure Table storage, or any other data store, ideally one that the JIT-elevated user has no write access to, so the trail cannot be tampered with during the elevation window.
  • Multiple roles – The canvas app and flows can be modified to handle JIT for multiple roles rather than a single admin role.
