AZ-800 Administering Windows Server Hybrid Core Infrastructure Exam
Eager to master hybrid server management? Discover how to administer Windows Server Hybrid Core Infrastructure on Azure, setting your path towards the Microsoft Certified: Azure Hybrid Infrastructure Administrator Associate certification!
Practice Test
Intermediate
Configure Just Enough Administration for PowerShell remoting
Implement and Secure JEA Endpoints
Just Enough Administration (JEA) is a security technology for PowerShell that enforces the principle of least privilege. With JEA, administrators can perform only the tasks they need without having full control over a system. This approach reduces the attack surface and limits potential damage if credentials are compromised. By using JEA, organizations can maintain tighter control over administrative actions in both on-premises and hybrid Azure environments. Implementing JEA ensures that users have just enough rights to complete their jobs.
To build a JEA endpoint, you must create two main file types:
- PowerShell session configuration files
- Role capability files
These files work together to define what commands and parameters users can run. The session configuration file links to one or more role capability files, and the role capability file lists allowed cmdlets, functions, and scripts. Customizing these files is key to enforcing strict access control.
After creating the necessary files, you register the JEA endpoint on each target server. Use the New-PSSessionConfigurationFile cmdlet to generate the session configuration file and then call Register-PSSessionConfiguration to make the endpoint available. This process ensures that only authorized users can start a session with limited permissions. Registration locks down the environment so that sessions follow the defined constraints.
Securing the endpoint further involves applying security descriptors and virtual accounts. Security descriptors specify which principals can connect to the endpoint, while virtual accounts provide temporary, isolated identities during sessions. Virtual accounts do not have broad domain permissions, which helps contain potential threats. Combining these measures delivers multiple layers of protection.
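The steps above, put together as an added example (not taken from the exam material): it builds a role capability file, a session configuration file that runs as a virtual account, registers the endpoint, and checks the result. The module name JEA_DnsOps, the group CONTOSO\DnsOperators, the user CONTOSO\alice, the endpoint name DnsOps, and the folder paths are all assumptions chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumed names: JEA_DnsOps, CONTOSO\DnsOperators, CONTOSO\alice, DnsOps.

# 1. Role capability files must live in a RoleCapabilities folder inside a module.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JEA_DnsOps'
$roleDir    = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'JEA_DnsOps.psd1')

# 2. Role capability file: list only what the role needs.
#    Restart-Service is exposed, but -Name is pinned to the DNS service.
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'DnsOperator.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'DNS' } }
    ) `
    -VisibleExternalCommands 'C:\Windows\System32\ipconfig.exe'

# 3. Session configuration file: restricted session, virtual account,
#    transcripts for audit, and the group-to-role mapping.
$configDir  = 'C:\ProgramData\JEAConfiguration'
$transcript = Join-Path $configDir 'Transcripts'
$pssc       = Join-Path $configDir 'DnsOps.pssc'
New-Item -ItemType Directory -Path $transcript -Force | Out-Null

New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcript `
    -RoleDefinitions @{
        'CONTOSO\DnsOperators' = @{ RoleCapabilities = 'DnsOperator' }
    }

# 4. Validate before registering; a malformed file should stop here.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Invalid session configuration file: $pssc"
}

# 5. Register the endpoint. -Force suppresses prompts and restarts WinRM,
#    which drops existing remoting sessions on this server.
#    The principals in RoleDefinitions are the ones granted access to connect.
Register-PSSessionConfiguration -Name 'DnsOps' -Path $pssc -Force

# 6. Verify who may connect and what a given user would be allowed to run.
Get-PSSessionConfiguration -Name 'DnsOps' | Select-Object Name, Permission
Get-PSSessionCapability -ConfigurationName 'DnsOps' -Username 'CONTOSO\alice'
```

A member of the assumed group would then connect with Enter-PSSession using -ConfigurationName DnsOps. Review the Get-PSSessionCapability output after every change to a role capability file, since a single overly broad entry (a wildcard cmdlet name, or a command that can launch other programs) undoes the restriction.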
By carefully defining session configurations, role capabilities, and security settings, administrators can enforce least-privilege access across their infrastructure. JEA endpoints give authorized users a confined workspace for specific tasks, preventing misuse of elevated privileges. This structured approach streamlines administration and strengthens security in hybrid PowerShell environments.
Conclusion
In this section, we explored how Just Enough Administration (JEA) uses least privilege to secure PowerShell remoting. We covered creating and customizing session configuration files and role capability files, registering endpoints with PowerShell cmdlets, and applying security descriptors and virtual accounts. These steps work together to enforce strict access controls and limit administrative power to only what is necessary. Implementing JEA endpoints is an essential practice for secure, efficient management in both on-premises and Azure-hybrid Windows Server environments.