JIT Admin Access for tier model account prefixes #91
Replies: 1 comment
-
Using different accounts is definitely best practice. It's good to see! AMS can't do what you are after, as it operates on the user account that is logged in, but I'm not sure you'd want it to either. If I'm an attacker and I manage to steal the creds for p.born, then I could log into Access Manager and become as-p.born or aw-p.born, effectively negating the point of having separate accounts. Having separate accounts is good, but they need to be kept separate, and have no relationship to each other, to provide a level of security through isolation. The safe approach is to log into AMS with your aw account when you are seeking to become a workstation admin, and your as account when seeking to become a server admin. Keep those non-privileged accounts away from AMS entirely.
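The reply above rests on one check a practitioner will want to automate: the groups that JIT access grants membership of must only ever contain accounts of the matching tier, so a plain user account (p.born) or an account from the other tier can never be a member. The following PowerShell audit is an added example, not code from Lithnet Access Manager or from either poster; the group names, prefixes and member lists are constructed assumptions, and in production the member lists would come from `Get-ADGroupMember`.

```powershell
# Added example (not Lithnet Access Manager code): audit that the AD groups
# which confer JIT admin rights contain only accounts carrying the expected
# tier prefix. A non-prefixed account (p.born) or an account from another
# tier (as-p.born in the workstation group) is reported as a finding.
# Group names, prefixes and member lists below are constructed assumptions.

function Test-TierGroupMembers {
    param(
        [Parameter(Mandatory)] [string]   $GroupName,
        [Parameter(Mandatory)] [string]   $ExpectedPrefix,   # e.g. 'aw-' or 'as-'
        [Parameter(Mandatory)] [string[]] $Members,          # sAMAccountNames
        [string[]] $AllTierPrefixes = @('aw-', 'as-')        # assumed prefixes
    )

    foreach ($sam in $Members) {
        $lower = $sam.ToLowerInvariant()
        if ($lower.StartsWith($ExpectedPrefix.ToLowerInvariant())) { continue }   # correct tier

        # Is it an account from a different tier, or a plain (non-privileged) account?
        $otherTier = $AllTierPrefixes |
            Where-Object { $_ -ne $ExpectedPrefix -and $lower.StartsWith($_.ToLowerInvariant()) }
        $reason = if ($otherTier) { "account from another tier ('$otherTier')" }
                  else            { 'non-privileged account without a tier prefix' }

        [pscustomobject]@{
            Group   = $GroupName
            Member  = $sam
            Problem = $reason
        }
    }
}

# Constructed sample membership. In production replace each Members list with
# live data, for example:
#   (Get-ADGroupMember -Identity 'JIT-WorkstationAdmins' -Recursive).SamAccountName
$audit = @{
    'JIT-WorkstationAdmins' = @{ Prefix = 'aw-'; Members = @('aw-p.born', 'aw-j.doe', 'p.born', 'as-j.doe') }
    'JIT-ServerAdmins'      = @{ Prefix = 'as-'; Members = @('as-p.born', 'as-j.doe', 'aw-j.doe') }
}

$findings = foreach ($g in $audit.Keys) {
    Test-TierGroupMembers -GroupName $g -ExpectedPrefix $audit[$g].Prefix -Members $audit[$g].Members
}

# Three findings are expected from the sample data: p.born and as-j.doe in the
# workstation group, aw-j.doe in the server group.
$findings | Format-Table -AutoSize
```

Run this on a schedule against the groups your JIT rules target; any finding means the isolation the reply describes has been broken, whether by a mis-scoped rule or by a direct membership change outside AMS.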
-
I have a question on LithNet Access Manager.
In our organization, we use accounts with the prefixes AS- (for servers) and AW- (for workstations) to access different resources. Is it possible, in the rules of the Just-In-Time Administrative Access functionality, to add a prefix to the account name?
The user goes to the Access Manager portal with the Corp\p.born account; in the rule for access to workstations, when the account is added to the access group, a prefix configured in the settings would be added. In this example, Corp\aw-p.born.
According to Microsoft Recommendations, different accounts are needed to administer different levels of resources.
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/tier-model-for-partitioning-administrative-privileges