Technical overview
JEA is a new addition to the existing session configurations that were introduced with PowerShell 2 and PowerShell 3. JEA adds role-based access control (RBAC) on top of session configurations, so that sessions can be constrained more granularly. In addition to that, the ability to use temporary, virtual Run As accounts and group-managed service accounts has been added. Before that, only the entire endpoint could be executed with a different set of credentials.
JEA lets unprivileged user accounts work with high-privilege resources while exposing only a small subset of cmdlets, with constrained parameters and transcription enabled. Done right, it also reduces the number of members of the local administrators group on a server, for example. Connecting to a restricted endpoint is as easy as the next code snippet implies:
Enter-PSSession -ComputerName SomeServer -ConfigurationName SupportEndpoint
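The server-side definition behind such an endpoint, as an added example that is not code from the original page. The endpoint name SupportEndpoint comes from the snippet above; the module name SupportJEA, the group CONTOSO\HelpDesk, the user CONTOSO\SomeUser, the Spooler service and all paths are assumptions. Run it in an elevated session on the server.

```powershell
# Added example. Assumed names: SupportJEA, CONTOSO\HelpDesk, CONTOSO\SomeUser, Spooler, all paths.
$module  = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\SupportJEA'
$roleDir = Join-Path $module 'RoleCapabilities'
$pssc    = Join-Path $env:ProgramData 'JEAConfiguration\SupportEndpoint.pssc'
$logDir  = Join-Path $env:ProgramData 'JEAConfiguration\Transcripts'

# Role capability files are discovered in the RoleCapabilities folder of a valid module.
New-Item -ItemType Directory -Path $roleDir, $logDir, (Split-Path $pssc) -Force | Out-Null
New-ModuleManifest -Path (Join-Path $module 'SupportJEA.psd1')

# Role capability: a small cmdlet subset; Restart-Service accepts only one service name.
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'SupportRole.psrc') -VisibleCmdlets @(
    'Get-Service',
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
)

# Session configuration: restricted session type, temporary virtual Run As account,
# transcription of every session, and the group-to-role mapping (the RBAC layer).
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $logDir `
    -RoleDefinitions @{ 'CONTOSO\HelpDesk' = @{ RoleCapabilities = 'SupportRole' } }

# Validate the file before registering it; registration restarts the WinRM service.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) {
    throw "Session configuration file failed validation: $pssc"
}
Register-PSSessionConfiguration -Name 'SupportEndpoint' -Path $pssc -Force

# Audit step: list what a given user would be able to run, without connecting as them.
Get-PSSessionCapability -ConfigurationName 'SupportEndpoint' -Username 'CONTOSO\SomeUser'
```

Members of the mapped group do not need to be local administrators; the commands they are allowed to run execute under the temporary virtual account.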
When a user connects to a constrained JEA endpoint, WinRM authenticates the user and...