Powershell
I recently completed an advanced PowerShell course with Microsoft.
One of the topics was “Just Enough Admin”, or PowerShell JEA.
PowerShell JEA
Giving people full administrative access to a machine just so they can run a handful of PowerShell commands is a security risk: every one of those admin accounts is a target, and whoever compromises one gets everything the account can do.
JEA (Just Enough Administration) limits a remoting endpoint to only the commands, parameters and PowerShell features needed to perform a task and no more. The connecting user does not need to be an administrator at all: the session runs under a temporary virtual account (or a group managed service account) that holds the rights, and every session can be transcribed for audit. JEA accomplishes this through the combination of a role capability file (.psrc) and a session configuration file (.pssc).
Role Capability
The role capability file determines WHAT can be done: which cmdlets, functions, external commands and providers are visible in the session, and optionally which parameters and parameter values each of them accepts (for example, Restart-Service only with -Name Spooler). Everything not listed is invisible, and the session runs in NoLanguage mode, so a user cannot fall back to script, variables or .NET calls to work around the list. Choose the visible commands with care: anything that can run arbitrary code or launch an arbitrary program (Invoke-Expression, Start-Process, Invoke-Command, cmdlets that accept a script block or an unrestricted file path) lets the connecting user escape the role and act with the full rights of the virtual account, which is a local administrator.
It is created using the command:
New-PSRoleCapabilityFile -Path .\MyFirstJEARole.psrc
The file has to live in a RoleCapabilities subfolder of a module on $env:PSModulePath so that the session configuration can refer to it by name (MyFirstJEARole) rather than by path.
Session Configuration
The session configuration file determines WHO can perform the role and how the endpoint runs: RoleDefinitions maps users or groups to the role capabilities they receive, RunAsVirtualAccount makes the session run as a temporary privileged account rather than as the caller, and TranscriptDirectory records each session to disk. SessionType RestrictedRemoteServer gives the locked-down baseline (NoLanguage mode and a minimal command set) that JEA builds on.
It is created using the command: New-PSSessionConfigurationFile -SessionType RestrictedRemoteServer -Path .\MyJEAEndpoint.pssc
Once the session configuration file has been created and edited, it can be validated with:
Test-PSSessionConfigurationFile -Path .\MyJEAEndpoint.pssc
which returns True when the keys and values in the file are valid; it does not confirm that the groups or role capabilities named in it actually exist, so check those yourself.
Finally the configuration file can be registered as an endpoint, from an elevated prompt, using Register-PSSessionConfiguration -Path .\MyJEAEndpoint.pssc -Name 'JEAMaintenance' -Force. Registration restarts the WinRM service, so any existing remote sessions to the machine are dropped; -Force suppresses the confirmation prompt. Get-PSSessionConfiguration -Name JEAMaintenance shows the registered endpoint afterwards.
Once registered, a user who belongs to one of the groups mapped in RoleDefinitions can connect to the JEA endpoint with:
$nonAdminCred = Get-Credential
Enter-PSSession -ComputerName localhost -ConfigurationName JEAMaintenance -Credential $nonAdminCred
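The four steps above, carried through end to end as an added example (this is not code from the original post or from Microsoft's course material). It assumes a module folder named MyJEAModule, a local group MyJEAOperators that already exists, a test user alice in that group, and that the print spooler (Spooler) and IIS (W3SVC) services are what the role is allowed to restart; all of those names are assumptions for the demo. It also shows the two checks a practitioner actually wants before handing the endpoint to anyone: what a given user would see with Get-PSSessionCapability, and that a parameter value outside the allowed set is refused inside the session.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Run from an elevated Windows PowerShell
# prompt on a machine where remoting is enabled (Enable-PSRemoting).
# Assumed names: module 'MyJEAModule', local group 'MyJEAOperators', user 'alice',
# services 'Spooler' and 'W3SVC'. Adjust to your environment.

$ErrorActionPreference = 'Stop'

# 1. The role capability file must live in a RoleCapabilities folder inside a module
#    on $env:PSModulePath; that is how RoleDefinitions later resolves 'MyFirstJEARole' by name.
#    At least one file in the module folder must carry the folder's name, hence the manifest.
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\MyJEAModule'
$rcFolder   = Join-Path $modulePath 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcFolder -Force | Out-Null
New-Item -ItemType File -Path (Join-Path $modulePath 'MyJEAModule.psm1') -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath 'MyJEAModule.psd1') -RootModule 'MyJEAModule.psm1'

# 2. WHAT: only the listed commands become visible, and Restart-Service is further
#    restricted to two service names via ValidateSet. Nothing here can run arbitrary
#    code (no Invoke-Expression, Start-Process or script-block-taking cmdlets), because
#    any such command would let the operator act with the virtual account's admin rights.
New-PSRoleCapabilityFile -Path (Join-Path $rcFolder 'MyFirstJEARole.psrc') `
    -Description 'Read service state; restart the print spooler or IIS only' `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W3SVC' } }
    )

# 3. WHO and HOW: RoleDefinitions maps the (assumed) local group to the role,
#    RunAsVirtualAccount keeps the caller's own token unprivileged, and every session
#    is transcribed to the directory below for audit.
$transcripts = 'C:\ProgramData\JEATranscripts'
New-Item -ItemType Directory -Path $transcripts -Force | Out-Null
New-PSSessionConfigurationFile -Path .\MyJEAEndpoint.pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcripts `
    -RoleDefinitions @{ "$env:COMPUTERNAME\MyJEAOperators" = @{ RoleCapabilities = 'MyFirstJEARole' } }

# 4. Validate the file before touching WinRM (syntax and values only).
if (-not (Test-PSSessionConfigurationFile -Path .\MyJEAEndpoint.pssc)) {
    throw 'MyJEAEndpoint.pssc failed validation'
}

# 5. Register the endpoint. This restarts the WinRM service, dropping existing remote sessions.
Register-PSSessionConfiguration -Path .\MyJEAEndpoint.pssc -Name 'JEAMaintenance' -Force | Out-Null

# 6. Review step: the exact command set a given user would receive, without logging in as them.
#    Anything listed here is what that user can run; nothing else is reachable.
Get-PSSessionCapability -ConfigurationName 'JEAMaintenance' -Username "$env:COMPUTERNAME\alice" |
    Select-Object Name, CommandType

# 7. Connect as the non-admin operator and confirm the boundary holds.
$nonAdminCred = Get-Credential -Message 'Account that is a member of MyJEAOperators'
$jea = New-PSSession -ComputerName localhost -ConfigurationName 'JEAMaintenance' -Credential $nonAdminCred

Invoke-Command -Session $jea -ScriptBlock { Get-Service -Name Spooler }      # allowed
Invoke-Command -Session $jea -ScriptBlock { Restart-Service -Name Spooler }  # allowed, runs as the virtual account

try {
    # WinRM is not in the ValidateSet, so parameter binding rejects this before it runs.
    Invoke-Command -Session $jea -ScriptBlock { Restart-Service -Name WinRM } -ErrorAction Stop
    Write-Warning 'Unexpected: restart of WinRM was not blocked; review the role capability file'
} catch {
    Write-Host "Blocked as expected: $($_.Exception.Message)"
}

Remove-PSSession $jea
```

Transcripts for each connection land in C:\ProgramData\JEATranscripts under the connecting user's name, which is where an incident responder would look to see exactly which commands an operator ran. To tear the demo down, run Unregister-PSSessionConfiguration -Name JEAMaintenance (this restarts WinRM again) and delete the module folder.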