[GH-ISSUE #4957] [Feature Request]: JIT Admin - support multiple actions at expiration #2338

New issue

Closed

opened 2026-03-02 13:51:31 +03:00 by kerem · 4 comments

kerem commented 2026-03-02 13:51:31 +03:00

Owner

Copy link

Originally created by @zenturash on GitHub (Nov 17, 2025).
Original GitHub issue: https://github.com/KelvinTegelaar/CIPP/issues/4957

Please confirm:

• I have searched existing feature requests (open and closed) and found no duplicates.
• **me or my organization is currently an active sponsor of the product at the $99,- level.

Problem Statement

within "JIT Admin" it would be nice if it would support multiple expiration actions.

Usecase: Fx if you have a JIT admin that persists aka is reused sometimes you would like be able to choose the option to both remove roles and disable the user.

Reasoning: This would reduce the role creep over time and minimize the attack surface.

Benefits for MSPs

This would reduce the role creep over time and minimize the attack surface.
Fx if you have a JIT account that also have RBAC permision to azure subs or resources that persists where you only use TAP to sigin and it's disabled after use, if you added entra roles via JIT there is currently no option to both remove the roles assigned and disable the account leading admin role creepy.

Value or Importance

nice-to-have: but to follow least privilege principle it would be nice and giving a more fully featured PAM/JIT solution via CIPP

PowerShell Commands (Optional)

No response

Originally created by @zenturash on GitHub (Nov 17, 2025). Original GitHub issue: https://github.com/KelvinTegelaar/CIPP/issues/4957 ### Please confirm: - [x] **I have searched existing feature requests** (open and closed) and found no duplicates. - [x] **me or my organization is currently an active sponsor of the product at the $99,- level. ### Problem Statement within "JIT Admin" it would be nice if it would support multiple expiration actions. Usecase: Fx if you have a JIT admin that persists aka is reused sometimes you would like be able to choose the option to both remove roles and disable the user. Reasoning: This would reduce the role creep over time and minimize the attack surface. ### Benefits for MSPs This would reduce the role creep over time and minimize the attack surface. Fx if you have a JIT account that also have RBAC permision to azure subs or resources that persists where you only use TAP to sigin and it's disabled after use, if you added entra roles via JIT there is currently no option to both remove the roles assigned and disable the account leading admin role creepy. ### Value or Importance nice-to-have: but to follow least privilege principle it would be nice and giving a more fully featured PAM/JIT solution via CIPP ### PowerShell Commands (Optional) _No response_

kerem 2026-03-02 13:51:31 +03:00

• closed this issue
• added the
  enhancement
  no-priority
  no-activity
  not-assigned
  labels

kerem commented 2026-03-02 13:51:32 +03:00

Author

Owner

Copy link

@github-actions[bot] commented on GitHub (Nov 27, 2025):

This issue is stale because it has been open 10 days with no activity. We will close this issue soon. If you want this feature implemented you can contribute it. See: https://docs.cipp.app/dev-documentation/contributing-to-the-code . Please notify the team if you are working on this yourself.

<!-- gh-comment-id:3583944679 --> @github-actions[bot] commented on GitHub (Nov 27, 2025): This issue is stale because it has been open 10 days with no activity. We will close this issue soon. If you want this feature implemented you can contribute it. See: https://docs.cipp.app/dev-documentation/contributing-to-the-code . Please notify the team if you are working on this yourself.

kerem commented 2026-03-02 13:51:32 +03:00

Author

Owner

Copy link

@zenturash commented on GitHub (Nov 27, 2025):

this feature would be lovely to have not only for the org i work at.

<!-- gh-comment-id:3584502049 --> @zenturash commented on GitHub (Nov 27, 2025): this feature would be lovely to have not only for the org i work at.

kerem commented 2026-03-02 13:51:32 +03:00

Author

Owner

Copy link

@github-actions[bot] commented on GitHub (Dec 7, 2025):

This issue is stale because it has been open 10 days with no activity. We will close this issue soon. If you want this feature implemented you can contribute it. See: https://docs.cipp.app/dev-documentation/contributing-to-the-code . Please notify the team if you are working on this yourself.

<!-- gh-comment-id:3621498792 --> @github-actions[bot] commented on GitHub (Dec 7, 2025): This issue is stale because it has been open 10 days with no activity. We will close this issue soon. If you want this feature implemented you can contribute it. See: https://docs.cipp.app/dev-documentation/contributing-to-the-code . Please notify the team if you are working on this yourself.

kerem commented 2026-03-02 13:51:32 +03:00

Author

Owner

Copy link

@github-actions[bot] commented on GitHub (Dec 13, 2025):

This issue was closed because it has been stalled for 14 days with no activity.

<!-- gh-comment-id:3648753632 --> @github-actions[bot] commented on GitHub (Dec 13, 2025): This issue was closed because it has been stalled for 14 days with no activity.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

docs

dev

dependabot/npm_and_yarn/dev/uiw/react-json-view-2.0.0-alpha.42

dependabot/npm_and_yarn/dev/tanstack/react-query-persist-client-5.96.2

dependabot/npm_and_yarn/dev/mui-tiptap-1.30.0

dependabot/npm_and_yarn/dev/tanstack/react-query-devtools-5.96.2

dependabot/npm_and_yarn/dev/recharts-3.8.1

dependabot/github_actions/dev/actions/setup-node-6.4.0

copilot/add-alert-for-report-only-ca

release/beta

release/nightly

docs-maintenance

v10.4.0

v10.3.0

v10.2.0

v10.1.0

v10.0.0

v8.8.0

v8.7.0

v8.6.0

v8.5.0

v8.4.0

v8.3.0

v8.2.0

v8.1.0

v8.0.0

v7.5.0

v7.4.0

v7.3.0

v7.2.0

v7.1.0

v7.0.1

v6.4.0

v6.3.0

v6.2.0

v6.1.0

v6.0.0

v5.9.0

v5.8.5

v5.8.0

v5.7.0

v5.6.0

v5.5.0

v5.4.0

v5.3.0

v5.2.0

v5.1.0

v5.0.0

v4.9.0

v4.8.0

v4.7.0

v.4.6.0

v4.5.0

v4.4.0

v4.3.0

v4.2.0

v4.1.0

v4.0.0

v3.8.0

v3.7.0

v3.6.0

v3.5.0

v3.4.0

v3.3.0

v3.2.0

v3.1.0

v3.0.0

v2.20.0

v2.19.0

v2.18.0

v2.17.0

v2.16.0

v2.15.0

v2.13.0

v2.12.0

v2.11.2

v2.1.11.0

v.2.10.0

v2.9.0

v2.8.0

v2.7.0

v2.6.0

v2.5.5

v2.5.0

v2.4.0

v.2.3.0

v2.2.0

v2.1.2

v2.1.1

v2.1.0

v2.0.1

2.0.0

v1.5.1

v1.5.0

v1.4.3

v1.4.2

v1.4.0

v1.3.0

v1.2.1

v1.2.0

1.1.0

release

Labels

Clear labels   

API

  

Feature

  

NotABug

  

NotABug

  

Planned

  

Sponsor Priority

  

Sponsor Priority

  

bug

  

documentation

  

duplicate

  

enhancement

  

needs more info

  

no-activity

  

no-priority

  

not-assigned

  

pull-request

Mirrored from GitHub Pull Request

  

react-conversion

  

react-conversion

  

roadmap

  

security

  

stale

  

unconfirmed-by-user

  

unconfirmed-by-user

  

wontfix

No labels

API

Feature

NotABug

NotABug

Planned

Sponsor Priority

Sponsor Priority

bug

documentation

duplicate

enhancement

needs more info

no-activity

no-priority

not-assigned

pull-request

react-conversion

react-conversion

roadmap

security

stale

unconfirmed-by-user

unconfirmed-by-user

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/CIPP#2338

No description provided.