Building a JIT app for elevated permissions on Microsoft Power Platform
The Microsoft Digital Transformation Platform team internally uses Dynamics 365 and Power Platform to manage its business operations. As part of the Success Hub implementation, we sometimes need to perform administrative and data maintenance tasks in our production environment. In line with the “principle of least privilege,” these role assignments need to be temporary. To handle such situations, we built a Just in Time (JIT) app for assigning Admin roles, using Power Platform.
The team set out to build a lightweight and extensible solution that could be linked to a Dynamics 365 instance. Users can request elevated access on the Dynamics 365 environment using a canvas app.
Power Automate orchestrates the business logic to log JIT requests, assign and unassign roles, and notify users of the action taken. The flow is triggered on the submit of the form via the canvas app. The flow also stores the user request outside of Dataverse for auditing purposes; the request is stored in SharePoint because if the request were logged in Dataverse and the requester is granted system admin privileges, they could manipulate the JIT audit data itself.
The flow then checks whether the user is a member of a predefined Azure group containing users approved for JIT access. The request is approved or denied based on the requester’s membership of this Azure group.
If the request is approved, the user is notified via email and permissions are provided for 8 hours (configurable). After the designated time, the role is removed, and the user is notified of the removal.
Another flow runs on a schedule to remove users who gained elevated access without a valid JIT request, for example, system admin roles granted to other users by temporary JIT system admins.
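The request, membership gate, timed removal and scheduled cleanup described above, as an added example that is not part of the original post or of the team's Power Platform solution: a hypothetical Python model of the flow logic (names such as `JitService`, `reconcile` and the users in the constructed scenario are assumptions), in which the audit log is held apart from the role store so the reconciliation step can spot an admin role that no approved request backs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

JIT_DURATION = timedelta(hours=8)  # the post's default window (configurable)

@dataclass
class JitRequest:
    user: str
    requested_at: datetime
    approved: bool
    expires_at: Optional[datetime]  # None when the request was denied

class JitService:
    """Hypothetical model of the post's flows; not Power Platform code."""

    def __init__(self, approved_group, admins=()):
        self.approved_group = set(approved_group)  # Azure group of users eligible for JIT
        self.admins = set(admins)                  # users currently holding the admin role
        self.audit = []                            # audit log, kept outside the role store

    def request_access(self, user, now):
        """Submit flow: log the request first, gate on group membership, then assign."""
        approved = user in self.approved_group
        self.audit.append(JitRequest(user, now, approved, now + JIT_DURATION if approved else None))
        if approved:
            self.admins.add(user)
        return approved

    def users_with_active_request(self, now):
        return {r.user for r in self.audit if r.approved and r.expires_at > now}

    def reconcile(self, now):
        """Removal flow: unassign anyone holding the role without an active approved request.
        Covers both the timed removal after the window and out-of-band grants by a temporary admin."""
        removed = self.admins - self.users_with_active_request(now)
        self.admins -= removed
        return removed

def demo():
    """Constructed scenario: one eligible user, one ineligible user, one out-of-band grant."""
    svc = JitService(approved_group={"alice"})
    t0 = datetime(2024, 1, 1, 9, 0)
    results = [svc.request_access("alice", t0), svc.request_access("bob", t0)]
    svc.admins.add("mallory")  # added directly by the temporary admin, no JIT request logged
    cleanup = svc.reconcile(t0 + timedelta(hours=1))  # mallory is removed, alice keeps her window
    expiry = svc.reconcile(t0 + timedelta(hours=8))   # alice's 8-hour window has elapsed
    return results, cleanup, expiry, svc.admins, [r.approved for r in svc.audit]
```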
The above solution is a simple approach to handle JIT scenarios. There are multiple ways to extend and enhance this capability. Some of them are:
- Audit logging – In the above design, JIT audit is done in SharePoint for simplicity. Given the extensive list of connectors for Power Automate, audit logging can be done in Azure SQL, Azure Table storage, or any other data store which may provide a higher level of security.
- Multiple roles – The canvas app and flows can be modified to handle JIT for multiple roles.