Policy: Privilege Elevation Allow Policy for Admin CLI

This example shows a Privilege Elevation policy that allowlists a specific administrative CLI application so it can run with elevated privileges on targeted endpoints. It’s useful for demonstrating how to permit a known admin tool without forcing users through Approval, MFA, or justification prompts.

What This Policy Does

Applies a Privilege Elevation rule in enforce mode.
Targets:
- A specific user (one User ID, not a wildcard)
- A specific application (one App ID, representing an Admin CLI tool)
- One specific endpoint (one Machine ID)
On a match, it applies an ALLOW control for elevation (OnSuccess: ALLOW).
Does not require the user to acknowledge the notification.

Why It Behaves This Way

User-Scoped Allowlist: Because the user targeting is a specific User ID (not *), only that user is eligible to elevate the covered process.
Application-Scoped Allowlist: Because the application targeting is a single App ID (not *), only that specific CLI process is covered.
Enforced Allow: The policy is set to enforce and the success control is ALLOW, so matching elevation attempts are permitted.
Standard Checks With No Extra Constraints: Date/Time/Day/Certificate restrictions are empty, so the behavior mainly depends on whether the user, machine, and application match.

Revise To Apply To Multiple Endpoints

Right now, machine targeting includes a single endpoint identifier. To apply this same allow behavior across multiple endpoints, update machine targeting so it includes more than one endpoint identifier. For example:

Before: Machine targeting lists one endpoint.
After: Machine targeting contains multiple endpoint identifiers.

No other changes are required to broaden endpoint coverage.

What The User Experiences

If the specified user runs the Admin CLI tool and tries to elevate on an in-scope endpoint, the elevation should succeed without approval or MFA prompts (because the policy explicitly allows it).
The policy includes a notification message, but acknowledgement is not required, so it shouldn’t add an extra “click to continue” step.

Important Notes And Common Adjustments

Fix The Notification Message: The current message references “monitor mode” and says MFA/justification/request will be required when enabled, but the policy is enforced and uses ALLOW. Update or remove the message so it matches actual behavior.
Decide If User Scoping Is Intended: If this allow should apply to more than one person, expand the user targeting (or use a wildcard / group-based approach where applicable).
Consider Certificate Constraints: If supported in your environment, restrict by signer/publisher/certificate so only trusted builds of the Admin CLI can be elevated.
Keep The App Targeting Stable: If the Admin CLI binary changes location/name/version frequently, consider how the App ID is generated in your environment so the allow continues to match the intended executable.

Example JSON

{
	"PolicyName": "_9_Elevation_AdminCLI",
	"PolicyType": "PrivilegeElevation",
	"PolicyId": "N0N1N2N3N4N5N6N7N8N9N",
	"Status": "enforce",
	"Actions": {
		"OnSuccess": {
			"Controls": [
				"ALLOW"
			]
		},
		"OnFailure": {
			"Command": ""
		}
	},
	"NotificationMessage": "A policy has been set to monitor mode.  When this policy is enabled, [mfa, justification, request] will be required to run this process as an administrator.",
	"NotificationRequiresAcknowledge": false,
	"RiskLevel": 50,
	"Operator": "And",
	"Rules": [
		{
			"RuleName": "UserCheck",
			"ErrorMessage": "This user is not included in this policy",
			"RuleExpressionType": "BuiltInAction",
			"Expression": "CheckUser()"
		},
		{
			"RuleName": "MachineCheck",
			"ErrorMessage": "This Machine is not included in this policy",
			"RuleExpressionType": "BuiltInAction",
			"Expression": "CheckMachine()"
		},
		{
			"RuleName": "ApplicationCheck",
			"ErrorMessage": "This application is not included in this policy",
			"RuleExpressionType": "BuiltInAction",
			"Expression": "CheckFile(false)"
		},
		{
			"RuleName": "DateCheck",
			"ErrorMessage": "Current date is not covered by this policy",
			"RuleExpressionType": "BuiltInAction",
			"Expression": "CheckDate()"
		},
		{
			"RuleName": "TimeCheck",
			"ErrorMessage": "Current time is not covered by this policy",
			"RuleExpressionType": "BuiltInAction",
			"Expression": "CheckTime()"
		},
		{
			"RuleName": "DayCheck",
			"ErrorMessage": "Today is not included in this policy",
			"RuleExpressionType": "BuiltInAction",
			"Expression": "CheckDay()"
		},
		{
			"RuleName": "CertificateCheck",
			"ErrorMessage": "Certificate hash is not included in this policy",
			"RuleExpressionType": "BuiltInAction",
			"Expression": "CheckCertificate()"
		}
	],
	"UserCheck": [
		"dC-zPInoYXq8mX--6lAIGA"
	],
	"MachineCheck": [
		"NSBYFNaHnhkIgVIazYhFXA"
	],
	"ApplicationCheck": [
		"67Qya8qqLQ5xs8o0Y53Vig"
	],
	"DayCheck": [],
	"DateCheck": [],
	"TimeCheck": [],
	"CertificationCheck": [],
	"Extension": {}
}

PreviousPolicy: File Access Justification Policy for Living Off the Land Process NextPolicy: Privilege Elevation Allow Policy for Notepad++

Last updated 2 hours ago

Was this helpful?

hashtagWhat This Policy Does

hashtagWhy It Behaves This Way

hashtagRevise To Apply To Multiple Endpoints

hashtagWhat The User Experiences

hashtagImportant Notes And Common Adjustments

hashtagExample JSON