The 2026 Zero Trust Report surveyed 851 IT and cybersecurity professionals. The top finding: 56% identified employee over-privilege as the leading cause of unauthorized access. Another 52% admitted that excessive entitlements are widespread across their organizations.
For mortgage companies, standing admin access creates two problems at once. It gives attackers a persistent target. And it gives examiners a compliance finding. Auditors checking GLBA, SOX, or NCUA requirements want to see that privileged access is limited, time-bound, and logged. Permanent admin accounts fail all three tests.
Just-in-time (JIT) admin access fixes this by granting elevated permissions only when someone needs them, for exactly as long as the task takes, with every action recorded. This guide covers how JIT works in Microsoft Entra PIM, how mortgage companies are using it to satisfy compliance requirements, and a step-by-step rollout plan.
Standing admin access means someone has elevated permissions 24/7, whether they are actively using them or not. In a typical mortgage company, this looks like loan processing managers with Global Admin rights, compliance auditors with permanent Exchange Admin access, and IT contractors with lingering admin accounts from projects completed months ago.
Each of those accounts is a target. If an attacker steals those credentials through phishing or credential stuffing, they inherit every permission the account holds. No time limit. No approval required. No audit trail beyond the initial login.
The 2026 Zero Trust Report found that only 17% of organizations have fully implemented Universal ZTNA despite 82% calling it essential. The gap is 65 percentage points. Over-privileged access is the most common reason organizations stall on Zero Trust implementation.
JIT access replaces permanent admin rights with a request-and-approve workflow. The concept is simple: a user is marked eligible for a role but holds no active permission. When a task requires it, the user requests activation with a business justification and passes MFA, an approver grants the role for a fixed window, and the role expires automatically when the window closes.
The user never holds standing privileges. The attack window shrinks from "always" to "only during approved tasks." And your audit trail shows exactly who had what access, when, and why.
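As an added illustration of the workflow just described (a constructed model, not Entra PIM code and not the author's), the Python below keeps eligibility separate from active permission, gates activation on justification, MFA and a named approver, caps the window at a policy maximum, and records every decision. The role names, user names and ticket number are assumptions.

```python
"""Toy model of a just-in-time role workflow: added example, not Entra PIM code.
It models eligible-but-inactive roles, activation gated by justification, MFA and a
named approver, a policy-capped window, and an audit trail of every decision."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Policy:
    max_duration: timedelta = timedelta(hours=4)
    require_mfa: bool = True
    require_justification: bool = True
    approvers: frozenset = frozenset()   # empty means no approval step


@dataclass
class Activation:
    principal: str
    role: str
    start: datetime
    end: datetime          # permission lapses here with no further action
    justification: str
    approver: Optional[str]


class JitRoleStore:
    def __init__(self):
        self.eligible = {}      # role -> set of principals eligible to activate it
        self.policies = {}      # role -> Policy
        self.activations = []   # granted activations (the trail examiners ask for)
        self.audit = []         # every decision, granted or denied, with its reason

    def make_eligible(self, principal, role, policy=None):
        self.eligible.setdefault(role, set()).add(principal)
        self.policies.setdefault(role, policy or Policy())

    def request_activation(self, principal, role, duration, now,
                           justification="", mfa_passed=False, approver=None):
        policy = self.policies.get(role, Policy())
        if principal not in self.eligible.get(role, set()):
            reason = "not eligible"
        elif duration > policy.max_duration:
            reason = "duration exceeds policy maximum"
        elif policy.require_mfa and not mfa_passed:
            reason = "MFA not satisfied at activation"
        elif policy.require_justification and not justification.strip():
            reason = "justification required"
        elif policy.approvers and approver not in policy.approvers:
            reason = "approval by a designated approver required"
        else:
            reason = None
        if reason:
            self.audit.append((now, principal, role, "denied", reason))
            return False
        self.activations.append(Activation(principal, role, now, now + duration, justification, approver))
        self.audit.append((now, principal, role, "activated", justification))
        return True

    def has_role(self, principal, role, at):
        """Effective permission is purely a function of time: nothing to revoke by hand."""
        return any(a.principal == principal and a.role == role and a.start <= at < a.end
                   for a in self.activations)


def run_demo():
    """Walk one eligible user (constructed names) through denied and approved activations."""
    store = JitRoleStore()
    t0 = datetime(2026, 1, 5, 9, 0, tzinfo=timezone.utc)
    store.make_eligible("alice", "Global Administrator", Policy(approvers=frozenset({"bob"})))
    before = store.has_role("alice", "Global Administrator", t0)
    denied = store.request_activation("alice", "Global Administrator", timedelta(hours=2), t0,
                                      justification="Ticket 4471", mfa_passed=True)   # no approver
    granted = store.request_activation("alice", "Global Administrator", timedelta(hours=2), t0,
                                       justification="Ticket 4471", mfa_passed=True, approver="bob")
    too_long = store.request_activation("alice", "Global Administrator", timedelta(hours=8), t0,
                                        justification="Ticket 4471", mfa_passed=True, approver="bob")
    return {
        "before": before, "denied": denied, "granted": granted, "too_long": too_long,
        "during": store.has_role("alice", "Global Administrator", t0 + timedelta(hours=1)),
        "after": store.has_role("alice", "Global Administrator", t0 + timedelta(hours=2)),
        "not_eligible": store.request_activation("carol", "Global Administrator", timedelta(hours=1), t0,
                                                 justification="x", mfa_passed=True, approver="bob"),
        "audit_entries": len(store.audit),
    }
```

The point of `has_role` is that expiry needs no revocation step: once the window has passed, the permission is simply gone, which is the property an examiner is checking for when asking whether access is time-bound.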
Microsoft Entra Privileged Identity Management (PIM) is the JIT engine built into Microsoft 365. It requires an Entra ID P2 or Entra ID Governance license.
PIM also supports group-based access. Create a security group mapped to a set of permissions, then manage group membership through PIM. Users request membership, get approved, and receive time-limited access to everything the group controls. One activation grants access to multiple resources.
JIT admin access maps directly to requirements across multiple regulatory frameworks that mortgage companies face.
The GLBA Safeguards Rule requires administrative, technical, and physical safeguards for customer information. JIT enforces least-privilege access with documented approval workflows and automatic expiration.
SOX Section 404 requires internal controls over financial reporting and access management. JIT provides tamper-proof audit trails showing who accessed financial systems, when, and with what justification.
The FFIEC IT Examination Handbook expects institutions to implement access controls that limit privileges to the minimum needed. JIT directly satisfies the "least privilege" and "access review" requirements banks and credit unions face during IT examinations.
NCUA cybersecurity requirements mean credit unions must demonstrate that privileged access is managed and monitored. JIT activation logs provide the evidence NCUA examiners need to see.
With state enforcement expanding in 2025-2026, California CCPA amendments now require cybersecurity audits. New York's DFS cybersecurity regulation mandates access privilege limitations. JIT provides the technical controls and audit evidence both states require.
Model 1: Admin-Only JIT. Start with Global Admin, Exchange Admin, SharePoint Admin, and Security Admin roles. This is the highest-risk, highest-value starting point. Most mortgage companies have 3-8 standing admin accounts that should be converted to eligible assignments.
Model 2: Compliance Auditor JIT. Give your compliance team eligible access to audit logs, eDiscovery, and Purview. They activate when running reviews and lose access when reviews end. This satisfies the separation-of-duties requirement many examiners check.
Model 3: Third-Party Contractor JIT. External IT consultants and managed service providers get eligible assignments rather than standing access. Activation requires internal approval, and the window matches the contracted service period. Third-party access is implicated in roughly 60% of breaches.
Model 4: Full-Stack JIT. Extend JIT to every elevated role in your tenant. This includes application administrators, Teams administrators, and Intune administrators. Requires mature change management processes but delivers the strongest compliance posture.
Step 1: Audit current admin accounts. Run an access review to identify every account with standing admin privileges. Microsoft recommends limiting privileged role assignments to fewer than 10. Most mortgage companies exceed this.
Step 2: Convert high-risk roles first. Move Global Admin and Security Admin accounts to eligible assignments in PIM. Set activation windows between 1 and 4 hours. Require MFA at activation.
Step 3: Define approval workflows. For each role, designate at least two approvers. Document who approves what and the expected response time. Publish this to your team so they know the process before they need it.
Step 4: Enable notifications and monitoring. Configure PIM to send email alerts when privileged roles are activated. Route these to your security team or SIEM for real-time monitoring.
Step 5: Schedule quarterly access reviews. Use PIM's built-in access review feature to evaluate whether each eligible assignment is still needed. Remove eligibility for users who have not activated in 90 days. Document review outcomes for your audit file.
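The five steps above, as an added example that is not part of the original article or Microsoft's code: the Python below builds the Microsoft Graph request bodies for converting a standing holder to an eligible assignment (Step 2) and for the PIM role-policy rules that cap the activation window, require MFA plus justification and name approvers (Steps 2 and 3), then turns PIM audit entries into SIEM alert lines (Step 4) and lists eligible users with no activation in 90 days (Step 5). The request and rule shapes follow Graph's `roleManagement` and `roleManagementPolicies` resources; the role template IDs are the well-known built-in values; principal IDs, approver IDs, user names and the audit sample are constructed, and the policy ID in the PATCH path is a placeholder you look up for your tenant.

```python
"""Entra PIM rollout helpers: added example, not Microsoft's or the author's code.
Request shapes follow Microsoft Graph's roleManagement / roleManagementPolicies
resources; principal IDs, approver IDs and the audit sample below are constructed."""
from datetime import datetime, timedelta, timezone

# Well-known built-in role template IDs, used as roleDefinitionId in Graph calls.
ROLE_IDS = {
    "Global Administrator": "62e90394-69f5-4237-9190-012177145e10",
    "Security Administrator": "194ae4cb-b126-40b2-bd5b-6091b380977d",
}
# Rules below govern the end user's own activation requests.
TARGET = {"caller": "EndUser", "operations": ["All"], "level": "Assignment"}


def eligibility_request(principal_id, role_name, justification):
    """Step 2: body for POST /roleManagement/directory/roleEligibilityScheduleRequests.
    The principal becomes eligible for the role at tenant scope ("/") with no end
    date; the standing active assignment is removed separately."""
    return {
        "action": "adminAssign",
        "justification": justification,
        "roleDefinitionId": ROLE_IDS[role_name],
        "directoryScopeId": "/",
        "principalId": principal_id,
        "scheduleInfo": {
            "startDateTime": datetime.now(timezone.utc).isoformat(),
            "expiration": {"type": "noExpiration"},
        },
    }


def policy_rules(max_hours, approver_ids):
    """Steps 2-3: bodies for PATCH /policies/roleManagementPolicies/{policyId}/rules/{ruleId}
    (policyId is looked up per role): activation window, MFA + justification, approvers."""
    return {
        "Expiration_EndUser_Assignment": {
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule",
            "id": "Expiration_EndUser_Assignment",
            "isExpirationRequired": True,
            "maximumDuration": f"PT{max_hours}H",
            "target": TARGET,
        },
        "Enablement_EndUser_Assignment": {
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule",
            "id": "Enablement_EndUser_Assignment",
            "enabledRules": ["MultiFactorAuthentication", "Justification"],
            "target": TARGET,
        },
        "Approval_EndUser_Assignment": {
            "@odata.type": "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule",
            "id": "Approval_EndUser_Assignment",
            "setting": {
                "isApprovalRequired": True,
                "approvalStages": [{
                    "approvalStageTimeOutInDays": 1,
                    "isApproverJustificationRequired": True,
                    "escalationTimeInMinutes": 0,
                    "isEscalationEnabled": False,
                    "primaryApprovers": [{"@odata.type": "#microsoft.graph.singleUser", "userId": uid}
                                         for uid in approver_ids],
                    "escalationApprovers": [],
                }],
            },
            "target": TARGET,
        },
    }


# Constructed entries shaped like GET /auditLogs/directoryAudits filtered to loggedByService eq 'PIM'.
SAMPLE_AUDIT = [
    {"activityDateTime": "2026-03-02T14:05:00Z",
     "activityDisplayName": "Add member to role completed (PIM activation)",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
     "targetResources": [{"displayName": "Global Administrator"}],
     "additionalDetails": [{"key": "Justification", "value": "Ticket 4471: tenant DKIM rotation"}]},
    {"activityDateTime": "2025-11-20T09:12:00Z",
     "activityDisplayName": "Add member to role completed (PIM activation)",
     "initiatedBy": {"user": {"userPrincipalName": "bob@example.com"}},
     "targetResources": [{"displayName": "Security Administrator"}],
     "additionalDetails": []},
]


def _activations(records):
    return [r for r in records if "(PIM activation)" in r["activityDisplayName"]]


def activation_alerts(records):
    """Step 4: one SIEM-ready line per activation with actor, role and justification."""
    lines = []
    for r in _activations(records):
        actor = r["initiatedBy"]["user"]["userPrincipalName"]
        role = r["targetResources"][0]["displayName"]
        why = next((d["value"] for d in r["additionalDetails"] if d["key"] == "Justification"), "(none)")
        lines.append(f"{r['activityDateTime']} PIM_ACTIVATION actor={actor} role={role} justification={why}")
    return lines


def stale_eligible(eligible_upns, records, now, days=90):
    """Step 5: eligible users with no activation in the last `days`, i.e. removal candidates."""
    cutoff = now - timedelta(days=days)
    recent = {r["initiatedBy"]["user"]["userPrincipalName"] for r in _activations(records)
              if datetime.fromisoformat(r["activityDateTime"].replace("Z", "+00:00")) >= cutoff}
    return sorted(set(eligible_upns) - recent)


def run_demo():
    now = datetime(2026, 3, 15, tzinfo=timezone.utc)   # constructed review date
    eligible = ["alice@example.com", "bob@example.com", "carol@example.com"]
    return {"alerts": activation_alerts(SAMPLE_AUDIT),
            "stale": stale_eligible(eligible, SAMPLE_AUDIT, now)}
```

An activation with no justification in the alert line is itself worth flagging, since the Enablement rule above should make that impossible once the policy is in place; seeing one after rollout means the rule did not apply to that role or scope.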
Just-in-time admin access grants elevated permissions only when a user needs them and revokes them automatically when the task is complete. Instead of holding permanent admin rights, users request activation through an approval workflow. Every activation is logged with timestamps, justifications, and approver identities, creating the audit trail mortgage compliance examiners require.
Microsoft Entra Privileged Identity Management marks users as eligible for roles without granting active permissions. When users need access, they request activation through the Entra admin center, provide a business justification, and pass MFA verification. An approver reviews the request, and if granted, the role activates for a defined time window before automatically expiring.
GLBA Safeguards Rule, SOX Section 404, FFIEC IT Examination Handbook, NCUA cybersecurity requirements, and state regulations including California CCPA and New York DFS all require or recommend least-privilege access controls. JIT admin access satisfies these requirements by eliminating standing privileges, enforcing approval workflows, and producing tamper-proof audit logs.
Microsoft Entra PIM requires either a Microsoft Entra ID P2 license or a Microsoft Entra ID Governance license. These licensing tiers enable eligible role assignments, time-bound activation, approval workflows, access reviews, and the audit history capabilities that support compliance documentation for mortgage regulatory examinations.
Standing admin privileges are the weakest link in most mortgage company security programs. They give attackers persistent targets. They give examiners compliance findings. And they are fixable with tools already included in Microsoft 365 licensing.
Start with your Global Admin accounts, convert them to JIT through Entra PIM, and expand from there. The audit trail writes itself.
Talk to a mortgage IT specialist about implementing just-in-time admin access for your organization.