PAM, JIT, JEA, and Service Accounts
Key Takeaways
- Privileged access management reduces standing administrative access, vaults secrets, and records high-risk actions.
- Just-in-time access grants privilege only for a limited, approved window, then auto-revokes it.
- Just-enough administration limits privileged users to the specific commands needed for the task.
- Service accounts need a named owner, scoped permissions, credential rotation, vaulting, and behavioral monitoring.
- Shared administrator accounts destroy accountability and should be replaced with named accounts plus elevation controls.
Why Privileged Accounts Are Different
Privileged accounts can change security settings, read sensitive data, create users, disable logs, or deploy code. A single compromise can cascade across an entire domain. Privileged access management (PAM) is the discipline of requesting, approving, limiting, monitoring, and revoking privileged access. SY0-701 treats PAM as the answer whenever a scenario describes standing admin rights, a shared root password, or an over-permissioned service account.
Key Concepts
| Term | Meaning | Security value |
|---|---|---|
| PAM | Controls governing privileged account use | Reduces abuse, improves accountability |
| Just-in-time (JIT) | Privilege granted for a limited duration | Eliminates standing privilege |
| Just-enough administration (JEA) | Privilege scoped to specific actions | Shrinks blast radius |
| Credential vault | Secure storage and checkout of secrets | Protects admin passwords and keys |
| Ephemeral credentials | One-time, short-lived secrets | No long-lived password to steal |
| Session recording | Capture of privileged activity | Supports investigation and deterrence |
A useful mental model: JIT controls when and how long; JEA controls what you may do. Strong PAM combines both with MFA, an approval workflow, and automatic revocation.
Scenario: Emergency Database Maintenance
A database administrator (DBA) must apply an emergency index change to production. Without PAM the DBA holds permanent admin rights; if that account is phished, the attacker owns production immediately. With PAM the DBA submits a request tied to an incident ticket. The system checks the on-call schedule, forces MFA, grants the db-maint role for 60 minutes, records the session, and strips the role when the window expires. JEA narrows the grant to database maintenance commands instead of full operating-system administration, so the elevated session cannot pivot to the host.
Example privileged event trail:
2026-06-14T15:04:11Z pam request_id=PR-8842 user=dbell target=db-prod-03 role=db-maint approver=ltan duration=60m status=approved
2026-06-14T15:06:03Z pam request_id=PR-8842 user=dbell mfa=success session=started source_ip=10.40.8.25
2026-06-14T15:42:18Z pam request_id=PR-8842 command="ALTER INDEX IX_CLAIMS_REBUILD" result=success
2026-06-14T16:06:04Z pam request_id=PR-8842 session=ended elevation=revoked
The load-bearing fields are identity, approval, target, role, start time, actions, outcome, and revocation. If a question asks what makes the change auditable, point to this chain, not to the firewall or to encryption.
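The scenario above can be modelled in a few dozen lines. The following is an added example, not code from the original page or from any PAM product: it grants a time-boxed JIT role, restricts the session to a JEA command allowlist, writes an event trail in the same key=value shape as the log above, and then audits that trail for the load-bearing fields (approval, MFA, session start, revocation). The users, hosts, role name and allowlisted commands are constructed for the demo.

```python
"""Added example (not from the original page): a minimal PAM model that
grants a time-boxed JIT role, restricts the session to a JEA command
allowlist, writes an event trail in the page's key=value format, and then
audits that trail for the load-bearing fields. All names (users, hosts,
roles, commands) are constructed for the demo."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# JEA: the db-maint role may only run these statement prefixes (constructed allowlist).
JEA_ALLOWLIST = {
    "db-maint": ("ALTER INDEX", "REINDEX", "ANALYZE", "VACUUM"),
}


@dataclass
class Grant:
    request_id: str
    user: str
    target: str
    role: str
    approver: str
    expires_at: datetime
    mfa_ok: bool = False
    revoked: bool = False
    events: list = field(default_factory=list)

    def log(self, at: datetime, **fields):
        stamp = at.strftime("%Y-%m-%dT%H:%M:%SZ")
        kv = " ".join(f"{k}={v}" for k, v in fields.items())
        self.events.append(f"{stamp} pam request_id={self.request_id} {kv}")


def approve(request_id, user, target, role, approver, minutes, now):
    """JIT: approval creates a grant that expires after `minutes`."""
    if approver == user:
        raise PermissionError("requester cannot self-approve")
    g = Grant(request_id, user, target, role, approver, now + timedelta(minutes=minutes))
    g.log(now, user=user, target=target, role=role, approver=approver,
          duration=f"{minutes}m", status="approved")
    return g


def start_session(g, mfa_success, source_ip, now):
    """The elevated session only starts after MFA succeeds."""
    if not mfa_success:
        g.log(now, user=g.user, mfa="failed", session="denied")
        return False
    g.mfa_ok = True
    g.log(now, user=g.user, mfa="success", session="started", source_ip=source_ip)
    return True


def run_command(g, command, now):
    """JEA + JIT enforcement: reject commands outside the role's allowlist
    or after the approved window has expired."""
    if g.revoked or now >= g.expires_at:
        g.log(now, command=f'"{command}"', result="denied reason=expired")
        return False
    if not g.mfa_ok:
        g.log(now, command=f'"{command}"', result="denied reason=no_session")
        return False
    if not command.upper().startswith(JEA_ALLOWLIST.get(g.role, ())):
        g.log(now, command=f'"{command}"', result="denied reason=outside_jea_scope")
        return False
    g.log(now, command=f'"{command}"', result="success")
    return True


def revoke(g, now):
    """Auto-revocation at the end of the window."""
    g.revoked = True
    g.log(now, session="ended", elevation="revoked")


# Markers for the chain the page calls load-bearing.
REQUIRED = ("approver=", "mfa=success", "session=started", "elevation=revoked")


def audit_chain(events):
    """Returns which load-bearing markers are missing from an event trail."""
    text = "\n".join(events)
    return [f for f in REQUIRED if f not in text]


def demo():
    t0 = datetime(2026, 6, 14, 15, 4, 11, tzinfo=timezone.utc)
    g = approve("PR-8842", "dbell", "db-prod-03", "db-maint", "ltan", 60, t0)
    start_session(g, True, "10.40.8.25", t0 + timedelta(minutes=2))
    ok = run_command(g, "ALTER INDEX IX_CLAIMS_REBUILD", t0 + timedelta(minutes=38))
    pivot = run_command(g, "bash -c 'id'", t0 + timedelta(minutes=39))   # outside JEA scope
    late = run_command(g, "ANALYZE claims", t0 + timedelta(minutes=61))  # JIT window expired
    revoke(g, t0 + timedelta(minutes=62))
    return ok, pivot, late, audit_chain(g.events), g.events


if __name__ == "__main__":
    for line in demo()[4]:
        print(line)
```

Running the script prints a trail in the same shape as the one above, with two extra denial lines: the host-level command is refused because it is outside the JEA scope, and the late command is refused because the JIT window has closed. The `audit_chain` check is the part an auditor actually needs: it fails the trail if approval, MFA, session start or revocation is missing.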
Service Accounts
Service accounts run applications, scheduled jobs, integrations, and machine-to-machine tasks. They are easy to overlook because no human sits at the keyboard, which is exactly why attackers prize them.
| Service account control | Why it matters |
|---|---|
| Named human owner | Someone must approve use and answer alerts |
| No interactive login | Prevents reuse as a normal human login |
| Least privilege | Limits damage if the app is compromised |
| Secret rotation | Reduces the value of a leaked password or key |
| Vaulting | Removes hardcoded secrets from scripts and repos |
| Behavioral monitoring | Detects unusual source host, time, or action |
Managed service identities and gMSA (group managed service accounts) that rotate passwords automatically are the modern improvement over hand-set, never-changed passwords.
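The "behavioral monitoring" row is the control most often skipped in practice, so here is an added example of what it looks like as code. This is not from the original page or from any vendor product: it keeps a per-account baseline (expected source hosts, allowed logon types, expected schedule) and flags events that deviate, including any interactive logon and any account with no owner or profile at all. The account names, hosts, log format and sample lines are constructed for the demo.

```python
"""Added example, not from the original page: a small detector that runs the
page's service-account controls (no interactive login, expected source host,
expected schedule, named owner) over constructed authentication log lines.
Account names, hosts and the log format are invented for the demo."""
import re
from datetime import datetime

# Constructed baseline: what each owned service account is expected to do.
BASELINE = {
    "svc-backup": {"owner": "ops-team", "hosts": {"10.40.2.11"},
                   "logon": {"service", "batch"}, "hours": range(1, 5)},
    "svc-etl":    {"owner": "data-team", "hosts": {"10.40.5.20", "10.40.5.21"},
                   "logon": {"batch"}, "hours": range(22, 24)},
}

LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<kv>.*)$")


def parse(line):
    """Turn one 'timestamp auth k=v k=v' line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def findings_for(ev):
    """Apply the baseline to one event; returns a list of human-readable findings."""
    profile = BASELINE.get(ev["account"])
    if profile is None:
        # No named owner and no profile: the page's first control is missing.
        return ["unowned service account"]
    out = []
    if ev["logon"] == "interactive":
        out.append("interactive logon by service account")
    elif ev["logon"] not in profile["logon"]:
        out.append(f"unexpected logon type {ev['logon']}")
    if ev["src"] not in profile["hosts"]:
        out.append(f"unexpected source host {ev['src']}")
    if ev["ts"].hour not in profile["hours"]:
        out.append(f"off-schedule activity at {ev['ts'].hour:02d}:00 UTC")
    return out


def scan(lines):
    """Returns (account, timestamp, [findings]) for every anomalous event."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        f = findings_for(ev)
        if f:
            alerts.append((ev["account"], ev["ts"], f))
    return alerts


# Constructed sample log: the first two lines are normal, the rest are not.
SAMPLE = """\
2026-06-14T02:13:40Z auth account=svc-backup logon=service src=10.40.2.11 result=success
2026-06-14T22:05:01Z auth account=svc-etl logon=batch src=10.40.5.20 result=success
2026-06-14T14:27:09Z auth account=svc-backup logon=interactive src=10.40.8.25 result=success
2026-06-14T22:07:30Z auth account=svc-etl logon=batch src=10.40.9.77 result=success
2026-06-14T03:00:00Z auth account=svc-legacy logon=service src=10.40.2.11 result=success
""".splitlines()

if __name__ == "__main__":
    for account, ts, f in scan(SAMPLE):
        print(ts.isoformat(), account, "; ".join(f))
```

The third sample line is the one the page warns about: a service account used as a normal human login, from a workstation, in the middle of the day. The last line shows the quieter failure, an account that nobody owns, which the detector reports even though its behaviour looks routine.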
Common Traps
- One shared "admin" account for the entire IT team (zero accountability).
- Permanent domain administrator rights for occasional troubleshooting.
- Hardcoding service-account passwords in scripts or source control.
- Forgetting to disable a contractor's privileged account after the project ends.
- Monitoring failed human logins while ignoring service-account behavior.
Exam Focus
When asked for the best way to reduce risk from privileged accounts, choose the option that reduces standing privilege, scopes the permission, enforces MFA, requires approval, logs the session, and auto-revokes. For service accounts, choose owner assignment, least privilege, vaulting, and rotation. "Permanent admin" and "shared password" answers are distractors.
Break-Glass and Tiered Administration
Every PAM program still needs break-glass (emergency) accounts for the moment the IdP or PAM portal itself is down. The exam-correct way to handle them: keep credentials sealed in a vault, alert on every checkout, force a password rotation after each use, and review the access afterward. A break-glass account that is used routinely is no longer an emergency account, it is an unmanaged super-user.
Tiered administration further limits blast radius by separating admin duties into tiers, so a workstation-support admin cannot log into a domain controller. This blocks credential-theft pivoting, where an attacker harvests a high-tier credential from a low-tier machine. Pair tiering with privileged access workstations (PAWs), hardened jump hosts dedicated to administrative work and isolated from email and web browsing.
Secrets Management in Pipelines
Modern environments push secrets into CI/CD pipelines and containers. SY0-701 expects you to recognize that hardcoded API keys in a Git repository are a finding; the fix is a secrets manager or vault that injects short-lived, ephemeral credentials at runtime and never persists them to disk or source control. Rotating a leaked key and scanning history for further exposure are the correct follow-ups.
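To make the finding and the fix concrete, here is an added example (not from the original page or from any scanning tool): a small pre-commit style scanner that looks for hardcoded secrets in file contents, with a Shannon-entropy filter so that placeholders do not trip it, followed by the runtime pattern the page prescribes instead, where the credential is injected by a secrets manager at run time and the application fails closed if it is absent. The file contents, variable names and key values are constructed; the AWS access-key prefix pattern is a widely published format.

```python
"""Added example, not from the original page: a small pre-commit style
scanner for hardcoded secrets, and the runtime pattern the page prescribes
instead (credentials injected by a secrets manager at run time). The file
contents, key values and variable names below are constructed for the demo;
the AWS access-key prefix pattern is a widely published format."""
import math
import os
import re
from collections import Counter

PATTERNS = {
    # Published AWS access key ID format: "AKIA" followed by 16 upper-case/digit chars.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Generic "password = '...'" style assignments of at least 8 characters.
    "assigned_secret": re.compile(
        r"(?i)(api[_-]?key|secret|password|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}


def shannon_entropy(s):
    """Bits of entropy per character; low values mean placeholders, not secrets."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan_text(path, text, min_entropy=3.0):
    """Returns (path, line_no, rule) for each likely hardcoded secret."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            # Entropy filter cuts placeholders like "xxxxxxxxxxxx".
            if shannon_entropy(value) >= min_entropy:
                hits.append((path, no, rule))
    return hits


# Constructed "before" file: secrets committed to source control.
BEFORE = '''\
DB_PASSWORD = "Tq7#vL9pZ2mW4kR1"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
token = "xxxxxxxxxxxx"
'''

# Constructed "after" file: nothing secret is persisted; the pipeline injects it.
AFTER = '''\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]   # injected by the vault agent at run time
'''


def load_secret(name, environ=os.environ):
    """Runtime side of the fix: read the injected value and fail closed
    instead of falling back to a baked-in default."""
    value = environ.get(name)
    if not value:
        raise RuntimeError(f"{name} was not injected; refusing to start")
    return value


if __name__ == "__main__":
    for hit in scan_text("config.py", BEFORE):
        print("finding:", hit)
    print("clean after:", scan_text("config.py", AFTER) == [])
```

The scanner reports two findings in the "before" file and none in the "after" file, and the low-entropy `token = "xxxxxxxxxxxx"` line is filtered as a placeholder. Scanning only the working tree is not enough once a key has been committed; the page's follow-up of rotating the key and scanning history still applies, because the old value remains in every earlier revision.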
Decision Checklist
- Is the access standing or time-boxed? Prefer time-boxed JIT.
- Is the scope full-admin or task-scoped? Prefer JEA.
- Is the secret human-set and static or vaulted and rotated? Prefer vaulted.
- Is the actor a named user or a shared login? Prefer named with elevation.
- Is the session recorded and revocable? It must be both.
Practice Questions
- An engineer needs temporary firewall administrator access for a planned change. Which approach best follows just-in-time access?
- What is the best reason to replace shared administrator accounts with named accounts and controlled elevation?
- Which controls are most appropriate for service accounts? Select three.