Getting Started
- Overview & Company
  - About Identity and Access Management
  - About Evo Security
- Initial Setup & Requirements
  - Evo Prerequisites & Supported Operating Systems
  - MSP Onboarding Guide
  - Evo Authenticator Mobile App 5.1.x (iOS and Android)
  - Evo Supported Authentication Methods
Directory Environments
- Environments
  - What type of Directory do I need?
  - Set up Evo on Active Directory (LDAP)
  - Set up Evo on Azure AD
  - Evo Cloud: Directory-As-A-Service Setup and Installation
  - Sync with Google Workspace
  - Unsupported - Microsoft Azure Virtual Desktop
Deployment & Configuration
- Advanced Configurations
  - How to protect Remote Desktop using Evo Security (RDP Support)
- Scripts & Automation
  - Deploy & Uninstall Evo Agent via PowerShell
  - Deploying the Evo Agent using ConnectWise RMM
- Branding & Customization
  - How do I update the Logos to match my company brand? (Web Page and Agent)
Product Information
- MFA
  - Evo Secure Login for Windows / Troubleshooting Secure Login
- SSO/ SAML
  - What SAML integrations are available?
  - How do I add a rule for single sign-on (SSO) expiration
  - Identity Provider (IdP) Login
  - Connect Web Apps via SAML with Evo: Version 3
  - Azure AD/On-Prem AD Hybrid Environment - Federating Microsoft 365 Domain
  - Azure AD - Federating Microsoft 365 domain
  - WS-Federation integration for Office 365 login
  - Setting up SAML with Salesforce
  - Setting up SAML with Dropbox
  - Setting up SAML with Keeper
  - Setting up SAML with Box.com
  - Setting up SAML with Liongard
  - Setting up SAML with Auvik
  - Setting up SAML with Domotz
- Tech Elevation
  - Elevated Access: Extended User Access Control session
  - Elevated Access: Just-in-Time Accounts
  - Setup Elevated Access
  - Password Rotation with Evo
  - Local Admin Accounts
  - Web Accounts
- End User Elevation
  - Elevated Access: End User Elevation 2.3.x
- Help Desk Verification
  - Help Desk Verification
  - Help Desk Verification with Microsoft Authenticator and Evo Secure Login
- Agents
  - LDAP Agent Settings Editor
  - Installing the macOS Credential Provider
Evo Portal
- Navigation & Managment
  - Welcome to the New Evo Portal!
  - Tenants Page
  - Policies Page
  - Rules Section (Global)
  - Integrations Page
  - Settings Section
  - Dashboard Page
  - Directories Page
  - Vault Section
  - Users Page
  - Groups Page
  - Access Tokens Page
  - Keys (Hardware Keys) Page
  - Endpoints Section
  - Applications Page
  - Elevation Section (Tenant)
  - Role-Based Permissions / List of Roles
- User & Directory Management
  - How do I add or delete customers?
  - How do I add, edit or disable a Domain Account? ( Old UI )
  - How do I add, edit, or delete a directory?
  - How do I disable, enable, or delete user devices (Endpoints)?
  - User Groups
  - How do I manage my user licenses? (Billing and Administration)
Integrations
- PSA & Password Sync Integrations
  - Evo Password Integration with ITGlue
  - Integrating Evo with IT Glue
  - Evo Password Integration with Hudu
  - Evo Integration with Autotask
  - Evo Integration with ConnectWise
User Onboarding & Guidance
- MFA & Access Behavior
  - How does the "MFA Status" toggle work?
  - Set Evo Secure Login as default option at login screen
  - MFA Grace Period
  - Temporary Authentication Lockout
- Account Management
  - How do I reset my Evo password?
  - How do I see authentication activity?
  - How do I convert user types?
  - How do I manage my users / users devices?
- End User Documentation
  - How do I create my user account?
  - How do i log in?
  - How do I register my device?
  - Evo Authenticator watch app
  - Using Evo Secure Login (End User)
  - Using Evo Security (End User) - Azure AD
  - Using Evo Security (End User) - Active Directory
Troubleshooting & FAQs
- Directories Troubleshooting
  - Troubleshooting Evo Authenticator Mobile App Issues
  - Error Fetching AD Groups: How to fix AAD Client Secret expired
  - Troubleshoot issues with the Evo LDAP Agent
  - On-prem AD Virtual Machine hosted on Azure (timeout settings)
- Secure Login Troubleshooting
  - Error: Login Denied due to Temporary Lockout
  - Error Message: the account is disabled or not found
  - How to Fix Secure Login Always Requests Offline Code
  - How to use Offline code to login to Windows machine without Internet
- Elevated Access Troubleshooting
  - Error: The user has not been granted the requested logon type at this computer
  - How to Troubleshoot Elevated Access / Domain Accounts
- Mobile App Troubleshooting
  - Troubleshooting Evo Authenticator Mobile App Issues
- End User Troubleshooting
  - User cannot login after changing email
- RADIUS Troubleshooting
  - RADIUS - Secure RADIUS Servers with TLS/radsecproxy (CVE-2024-3596)
  - Requesting a RADIUS Server in Evo / RADIUS Troubleshooting
Support & Resources
- Support & Resources
  - Where to go for help / feature requests
  - Adding Evo Users to the Evo Support Portal
  - Setting up Mobile Email to Provide Logs to Evo
  - How do I add, edit, or delete email campaigns?
  - How do I update Evo software?
More

Elevated Access: Just-in-Time Accounts

Last updated on August 27, 2025

Just-In-Time (JIT) Accounts for Elevated Access

Overview

Just-In-Time (JIT) accounts provide secure, auditable elevated access without the risks associated with permanent or shared administrator accounts. Each JIT account is uniquely tied to an individual user and is automatically managed to ensure security and compliance.

Instead of relying on shared local admin accounts, JIT accounts allow administrators and engineers to temporarily elevate privileges, with all actions logged under their specific identity.

Key Features of JIT Accounts

User-Specific Accountability

Every elevated action is recorded under the unique JIT account linked to a user’s identity, ensuring full auditability.

Event Viewer Visibility

Unlike shared accounts where actions are unattributable, all activity performed through a JIT account is logged in Windows Event Viewer under the specific JIT username (derived from the user’s email).

This ensures you always know who performed which action.

Provides a complete audit trail for compliance and troubleshooting.

Automatic Expiration

JIT accounts remain valid for 30 days from the time of creation.

After 30 days of inactivity, the account is automatically deleted.

Idle Session Controls

If a JIT account is not actively in use, it is automatically disabled after 10 minutes of inactivity.

Upon logout or after closing all active sessions, the account is removed from the Administrators group and disabled.

Secure Credential Handling

Each login session generates a random 25-character password (containing lowercase, uppercase, numbers, and symbols).

The password is known only to Windows—neither Evo nor the user ever has access to it.

A new password is generated for every login session.

Username Format

JIT accounts are created based on the user’s email address.

Since Windows usernames are limited to 20 characters, the account name is truncated to fit this requirement.

How It Works

A user selects Elevated Login and enters their Evo credentials (email + Evo password).

The system automatically provisions a JIT account tied to the user’s email.

A long, randomized password is generated for the account, and the user is logged in.

During the session, all actions are logged in Event Viewer under the JIT username.

After the session ends or 10 minutes of inactivity:

The account is disabled.

The user is removed from the Administrators group.

After 30 days without use, the JIT account is permanently deleted.

Benefits of JIT Accounts

Eliminates the need for shared or static admin credentials.

Provides per-user accountability for all privileged activity.

Ensures traceability in Event Viewer, linking every action to an individual user.

Reduces the risk of credential compromise by rotating passwords automatically.

Enforces least privilege principles with time-bound elevated access.

Did this answer your question?

😞

😐

🤩

Elevated Access: Extended User Access Control session Setup Elevated Access