Technical overview

JEA is a new addition to the existing session configurations that were introduced with PowerShell 2 and PowerShell 3. JEA adds role-based access control (RBAC) on top of session configurations, so that sessions can be constrained more granularly. In addition to that, the ability to use temporary, virtual Run As accounts and group-managed service accounts has been added. Before that, only the entire endpoint could be executed with a different set of credentials.

JEA lets unprivileged user accounts work against high-privilege resources by exposing only a small subset of cmdlets, with constrained parameters and transcription enabled. Done right, it also reduces the number of members of the local administrators group on a server, for example. Connecting to a restricted endpoint is as simple as the following snippet shows:

Enter-PSSession -ComputerName SomeServer -ConfigurationName SupportEndpoint

When a user connects to a constrained JEA endpoint, WinRM authenticates the user and creates an access token. After that, WinRM attempts to read the session configuration that the user has specified and tries to authorize the user against any allowed groups that are configured.

After the session configuration is applied, WinRM attempts to locate and apply any so-called role capabilities that describe what a user connecting through JEA is allowed to do. It then goes on to create an access token for the virtual account or the group-managed service account that was configured.

Finally, the restricted JEA session is started and the wsmprovhost process is spawned with the identity of the virtual account or the group-managed service account.
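The following is an added example, not code from the book, that builds the pieces described above end to end: a role capability file with constrained parameters, a session configuration file that uses a virtual Run As account and transcription, registration of the endpoint, and a check of what a given user is actually granted. The endpoint name SupportEndpoint and the server name SomeServer come from the text; the module folder SupportJea, the role capability SupportRole, the group CONTOSO\SupportStaff, the user CONTOSO\jdoe and the transcript path are assumptions for illustration. It is meant to be run in an elevated PowerShell on the server that will host the endpoint.

```powershell
# Added example (not from the book). Assumed names: module 'SupportJea',
# role capability 'SupportRole', group 'CONTOSO\SupportStaff', user
# 'CONTOSO\jdoe'. 'SupportEndpoint' and 'SomeServer' are taken from the text.

# 1. Role capability: what a member of the role may do. Cmdlets not listed
#    here do not exist from the caller's point of view, and the listed ones
#    can have their parameters restricted to fixed values.
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\SupportJea'
$rcPath     = Join-Path $modulePath 'RoleCapabilities'   # JEA searches this folder name
New-Item -Path $rcPath -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath 'SupportJea.psd1')

New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'SupportRole.psrc') -VisibleCmdlets @(
    # Only these two services may be restarted; any other -Name value is rejected.
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W3SVC' } }
    # Read-only inspection, parameter values left unconstrained.
    'Get-Service'
    'Get-Process'
    # Only the Application log; the Security log stays out of reach.
    @{ Name = 'Get-EventLog'; Parameters = @{ Name = 'LogName'; ValidateSet = 'Application' } }
) -FunctionDefinitions @{
    # A purpose-built function is often safer than exposing a general cmdlet.
    Name        = 'Get-SupportStatus'
    ScriptBlock = { Get-Service -Name Spooler, W3SVC | Select-Object Name, Status }
}

# 2. Session configuration: RestrictedRemoteServer hides everything except
#    the role's commands, RunAsVirtualAccount runs the session as a temporary
#    local account instead of the caller, and every session is transcribed.
$transcripts = 'C:\ProgramData\JEA\Transcripts'   # assumed path; restrict its ACL to admins
New-Item -Path $transcripts -ItemType Directory -Force | Out-Null

$pssc = Join-Path $env:TEMP 'SupportEndpoint.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcripts `
    -RoleDefinitions @{ 'CONTOSO\SupportStaff' = @{ RoleCapabilities = 'SupportRole' } }

# 3. Validate the file before registering; the name is what callers pass
#    to -ConfigurationName.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "Invalid .pssc: $pssc" }
Register-PSSessionConfiguration -Name 'SupportEndpoint' -Path $pssc -Force | Out-Null

# 4. Verify what a specific principal really gets before handing out access.
#    Only commands granted through the role definitions are listed.
Get-PSSessionCapability -ConfigurationName 'SupportEndpoint' -Username 'CONTOSO\jdoe' |
    Select-Object Name, CommandType

# A member of the group then connects exactly as in the book's snippet:
#   Enter-PSSession -ComputerName SomeServer -ConfigurationName SupportEndpoint
```

Two points worth keeping in mind when reviewing such a setup: because the virtual account is a local administrator on the server, the role capability file is the only thing standing between the caller and full control, so every visible cmdlet and function should be read as "what could this do with admin rights", and Get-PSSessionCapability is the quickest way to audit that for each group. The transcript directory records every command run through the endpoint, so it should be writable by the virtual account but readable only by the people who review it.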
