198 questions
Endpoint Privilege Management feature has some reasoning (text entery) but it only applies to Application installation, not all admin activities.
Add justification to Admin Login
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 65%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAW%3C/text%3E%3C/svg%3E)
Andrew Williams
20
Reputation points
Hey!
Very green noobie here...
HR has asked if it's possible to add a justification for login applicable to admins only. In other words, when an admin logs in, they must enter a single sentence reason for why they are logging in. Fully aware of all the logs available, and the lack of trust this discloses, but nevertheless...I just don't think the admins will remember to add a justification to a separate file... I know I would always forget!
Thanks for any sage advice.
Microsoft Security | Intune | Compliance
Microsoft Security | Microsoft Entra | Microsoft Entra ID
25,143 questions
{count} votes
-
Andrew Williams 20 Reputation points
2023-09-06T09:22:37.6666667+00:00 Apologies this comment needs deletion, but I'm unable to do this.
Sign in to comment
Accepted answer
-
Pavel yannara Mirochnitchenko 13,336 Reputation points MVP2023-09-01T18:13:12.7766667+00:00 -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 69%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECZ%3C/text%3E%3C/svg%3E)
clown zee 0 Reputation points2023-09-04T17:06:00.9233333+00:00 -
Deleted
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Sign in to comment -
1 additional answer
Sort by: Most helpful
-
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator2023-09-01T18:27:41.5933333+00:00 If they are worried about admin activities and justification, then PIM is the answer if you are licensed.
You can require justification for any account that elevates itself:
Example:
-
Andrew Williams 20 Reputation points
2023-09-04T10:40:02.59+00:00 Thanks for this, I'd stumbled on PIM, so I was going in the right direction.
Our Admin accounts are currently set up as separate accounts to our day-to-day accounts. Can PIM still help as we'd not be elevating permissions?
Where might I start to find a guide on how to implement?
-
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
2023-09-04T14:12:48.17+00:00 Hi, see the link above that I posted on how to start. PIM is intended for just in time elevating permissions however
Sign in to comment -