JEA for Entra ID

Has any one used JEA for Entra ID joined devices?

I have a local group set up for JEA and the Entra ID user was added to that group, but I still get access denied.

Hey David,

Welcome back!

Share your code/config of your JEA setup if you would and be sure to format it as code. Also I am not sure if I quite understand the issue you described so if you could add clarifying details that would help! Thank you!

The important lines:

NavPrintRole.psrc

```powershell
VisibleCmdlets = @{
    Name       = 'Set-ItemProperty'
    Parameters = @{ Name = 'Path';  ValidateSet = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' },
                 @{ Name = 'Name';  ValidateSet = 'UseSystemPrintDialog' },
                 @{ Name = 'Value'; ValidateSet = '1', '0' }
}
VisibleProviders = 'Registry'
```

NavPrintJEAEndpoint.pssc

```powershell
RunAsVirtualAccount = $true
RoleDefinitions = @{
    '0F33HH423413BF\NavPrintJEA' = @{ RoleCapabilities = 'NavPrintRole' }
}
```
0F33HH423413BF is the device name, and NavPrintJEA is a local group.

The only member of the group is my user, in the DOMAIN\USER format.
This account is an Entra ID (Azure AD) account and the device is joined to Entra ID,
so the user is NOT a local account.

```powershell
Enter-PSSession -ConfigurationName NavPrintJEA -ComputerName localhost -Credential $cred
Enter-PSSession : Connecting to remote server localhost failed with the following error message : Access is denied.
```

```powershell
Enter-PSSession -ConfigurationName NavPrintJEA -ComputerName localhost
Connecting to remote server localhost failed with the following error message : WinRM cannot process the
request. The following error with errorcode 0x8009030e occurred while using Negotiate authentication: A specified logon
session does not exist. It may already have been terminated.
```
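An added diagnostic, not part of the original thread, that can be run on the device itself to see how the local group's members are named and whether the Entra ID user resolves to any role in the endpoint; the .pssc path and the DOMAIN\USER value are assumptions to adjust.

```powershell
# Added diagnostic, not from the original post. The file path and user name
# below are assumptions; replace them with the real values on the device.
$psscPath = 'C:\JEA\NavPrintJEAEndpoint.pssc'   # assumed location of the .pssc
$endpoint = 'NavPrintJEA'
$group    = 'NavPrintJEA'
$user     = 'DOMAIN\USER'                        # assumed: the Entra ID account

# 1. Syntax/schema check of the session configuration file.
Test-PSSessionConfigurationFile -Path $psscPath

# 2. The RoleDefinitions keys exactly as the endpoint will try to match them.
$cfg = Import-PowerShellDataFile -Path $psscPath
$cfg.RoleDefinitions.Keys

# 3. How the group members are actually named on an Entra-joined device.
#    Entra accounts usually show PrincipalSource = AzureAD and a name such as
#    AzureAD\<upn>; compare this against the key printed in step 2.
Get-LocalGroupMember -Group $group | Select-Object Name, SID, PrincipalSource

# 4. Ask JEA what this user would be allowed to run in the endpoint.
#    No commands returned (or an error) means the user mapped to no role.
Get-PSSessionCapability -ConfigurationName $endpoint -Username $user |
    Select-Object Name, CommandType

# 5. Confirm the endpoint is registered and who holds the Invoke permission.
Get-PSSessionConfiguration -Name $endpoint | Select-Object Name, Permission
```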

Please format your code: How to format code on PowerShell.org

You are in territory I haven’t tested/played around with I think. It sounds like you’re configuring JEA on a system bound to Entra (cloud) and referencing a local group on that same system to give access to the endpoint. I’ve only used JEA on premise, and always with a corresponding security group. I also don’t really have a way to test to see if I can replicate your findings thus far.

Just to be 100% positive, is the system running the jea config also on 0F33HH423413BF? I assume so because you’re using a VirtualAccount as a runas account but wanted to make sure.

Have you used JEA and configured a session with a local group before from a system? If not, just for kicks, would you be willing to try a non-local group with that user added instead? I wonder if you can reference a security group from the cloud? Based on the docs, in theory you could also reference a specific account and not a group, may be another thing to try to rule out things. What all else have you tried to get it to work?
