Use cases
JEA has many use cases. Security advisors commonly recommend against using privileged accounts on standard workstations, to mitigate pass-the-hash (lateral account movement) and similar attacks. Granting unprivileged users access to PowerShell endpoints constrained with JEA can mitigate the risk of compromising administrative credentials.
In many enterprises, it is common practice to deploy jump hosts or management servers for DMZs, domains, and other units. In this case, JEA can be used, for example, to provide storage administrators with storage cmdlets on a jump host, allowing connections to a specific set of servers.
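A sketch of the jump-host case above, as an added example that is not part of the original page: a JEA endpoint that exposes a single storage wrapper limited to a fixed set of servers. The module name, the wrapper function `Get-StorageServerDisk`, the `CONTOSO` domain, group, gMSA, server names and paths are all assumptions.

```powershell
# Added example: every domain, group, account, server name and path is a placeholder.
$module = 'C:\Program Files\WindowsPowerShell\Modules\StorageJea'   # hypothetical module
$jeaDir = "$env:ProgramData\JEA"                                    # hypothetical config folder
New-Item -ItemType Directory -Path "$module\RoleCapabilities", $jeaDir -Force | Out-Null
New-ModuleManifest -Path "$module\StorageJea.psd1"

# Wrapper function: the only storage command the role exposes.
# ValidateSet pins the remote targets, so callers cannot point it at other hosts.
$getDisk = @{
    Name        = 'Get-StorageServerDisk'
    ScriptBlock = {
        param(
            [Parameter(Mandatory)]
            [ValidateSet('STOR01', 'STOR02')]   # constructed server names
            [string] $ComputerName
        )
        # Module-qualified names resolve the real commands even though
        # they are not visible to the connecting user.
        Storage\Get-Disk -CimSession $ComputerName |
            Microsoft.PowerShell.Utility\Select-Object Number, FriendlyName, HealthStatus, Size
    }
}

# Role capability: what members of the role may run.
New-PSRoleCapabilityFile -Path "$module\RoleCapabilities\StorageOperator.psrc" `
    -ModulesToImport 'Storage' `
    -FunctionDefinitions $getDisk `
    -VisibleFunctions 'Get-StorageServerDisk'

# Session configuration: who gets the role and which identity the session runs as.
# A virtual account is local to the jump host and reaches other machines as the
# computer account; a gMSA gives the session a domain identity that can be
# granted rights on the storage servers only.
New-PSSessionConfigurationFile -Path "$jeaDir\StorageJump.pssc" `
    -SessionType RestrictedRemoteServer `
    -GroupManagedServiceAccount 'CONTOSO\gmsa-storjea' `
    -TranscriptDirectory "$jeaDir\Transcripts" `
    -RoleDefinitions @{ 'CONTOSO\StorageOperators' = @{ RoleCapabilities = 'StorageOperator' } }

# Validate the file, then register the endpoint (this restarts WinRM).
if (Test-PSSessionConfigurationFile -Path "$jeaDir\StorageJump.pssc") {
    Register-PSSessionConfiguration -Name 'StorageJump' -Path "$jeaDir\StorageJump.pssc" -Force
}

# From the operator's workstation, with an unprivileged account in StorageOperators:
#   Enter-PSSession -ComputerName JUMP01 -ConfigurationName StorageJump
#   Get-StorageServerDisk -ComputerName STOR01
```

The operator's own account needs no rights on the storage servers, and the transcripts on the jump host record each command run through the endpoint.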
Another use case that uses several connected endpoints is an offline domain join. One server with a connection to a writable domain controller hosts an endpoint that generates offline domain join (ODJ) requests (ODJ files), and a constrained endpoint in a DMZ connects to the endpoint on the internal network to download the request file.