Session authoring
Sessions leveraging JEA require some authoring before they can be used. There are at least two components needed: a session configuration and at least one role capability definition.
The first and most important part of authoring a new endpoint is to identify the requirements of your roles. For many operations people, this even includes defining what roles exist in the first place. One such role could be first-level user support that needs to reset user passwords and set NTFS permissions on specific paths. Maybe members of this role are also allowed to see the status of certain services, for example, the spooler service on a print server:
# Possible cmdlets for first-level user admin
# Modify user passwords only in specific search bases
# -SearchBase and -Identity belong to different parameter sets of Get-ADUser,
# so the account is selected with -Filter inside the search base
$account = Get-ADUser -SearchBase 'OU=Users,OU=DepartmentXY,DC=contoso,DC=com' -SearchScope Subtree -Filter "SamAccountName -eq 'neilgaiman'"
$password = Read-Host -AsSecureString -Prompt 'Password please'
Set-ADAccountPassword -NewPassword $password -Identity...
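
The two components named above, written for the first-level support role as an added example (not code from the original text). It covers the password reset and the spooler status only. The module name ContosoJea, the group CONTOSO\FirstLevelSupport, the gMSA CONTOSO\JeaSupportGmsa and the ProgramData paths are hypothetical, and the run-as account is assumed to hold delegated reset rights on the OU.

```powershell
# Added example; module, group, gMSA and path names are hypothetical.
$module  = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ContosoJea'
$roleDir = Join-Path $module 'RoleCapabilities'
$cfgDir  = Join-Path $env:ProgramData 'JEAConfiguration'
New-Item -ItemType Directory -Path $roleDir, $cfgDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $module 'ContosoJea.psd1')

# Wrapper function: resets a password only for accounts below the delegated OU.
$resetPassword = {
    param(
        # Restrictive pattern keeps caller input out of the filter syntax
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9._-]{1,20}$')]
        [string] $SamAccountName,
        [Parameter(Mandatory)] [securestring] $NewPassword
    )
    $searchBase = 'OU=Users,OU=DepartmentXY,DC=contoso,DC=com'
    $user = ActiveDirectory\Get-ADUser -SearchBase $searchBase -SearchScope Subtree `
        -Filter "SamAccountName -eq '$SamAccountName'"
    if (@($user).Count -ne 1) { throw "No single account '$SamAccountName' below $searchBase" }
    ActiveDirectory\Set-ADAccountPassword -Identity $user -NewPassword $NewPassword -Reset
}
# Wrapper function: exposes the status of the spooler service and nothing else.
$spoolerStatus = { Microsoft.PowerShell.Management\Get-Service -Name Spooler }

# Component 1: role capability definition. Only the two wrappers are visible;
# the underlying AD and service cmdlets are not callable by the connecting user.
$role = @{
    Path                = Join-Path $roleDir 'FirstLevelSupport.psrc'
    ModulesToImport     = 'ActiveDirectory'
    VisibleFunctions    = 'Reset-SupportUserPassword', 'Get-SpoolerStatus'
    FunctionDefinitions = @{ Name = 'Reset-SupportUserPassword'; ScriptBlock = $resetPassword },
                          @{ Name = 'Get-SpoolerStatus';         ScriptBlock = $spoolerStatus }
}
New-PSRoleCapabilityFile @role

# Component 2: session configuration that maps a security group to the role.
$session = @{
    Path                       = Join-Path $cfgDir 'FirstLevelSupport.pssc'
    SessionType                = 'RestrictedRemoteServer'
    GroupManagedServiceAccount = 'CONTOSO\JeaSupportGmsa'   # hypothetical run-as identity
    TranscriptDirectory        = Join-Path $cfgDir 'Transcripts'
    RoleDefinitions            = @{ 'CONTOSO\FirstLevelSupport' = @{ RoleCapabilities = 'FirstLevelSupport' } }
}
New-PSSessionConfigurationFile @session
if (-not (Test-PSSessionConfigurationFile -Path $session.Path)) { throw 'Invalid session configuration' }
Register-PSSessionConfiguration -Name 'FirstLevelSupport' -Path $session.Path -Force
```

Registering the configuration restarts WinRM. Running Get-Command inside a session opened with Enter-PSSession -ConfigurationName FirstLevelSupport shows what the role can actually call.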