Policy: Require Approval + MFA for All Privilege Elevations

This example shows a Privilege Elevation policy that intercepts elevation attempts and only allows the elevation to proceed after both:

an approval is granted, and
the user completes MFA

It’s useful for demonstrating a “strong gate” around admin rights across a set of endpoints (for example, a pilot group, a department, or all workstations).

What this policy does

When a user on any in-scope endpoint tries to run something with elevated privileges (“Run as administrator” or an elevation prompt):

The request is evaluated by the Privilege Elevation policy engine.
Because the policy is broadly scoped (all users, all applications), it matches most elevation attempts on those endpoints.
The policy requires Approval + MFA before allowing the elevation to succeed.
The user sees a notification prompt and must acknowledge it.

Why it behaves this way

This policy is intentionally written as a catch-all for elevation on a group of endpoints:

Enforced: The policy is active and will apply controls (not just log).
Scoped to multiple machines: Instead of a single machine identifier, the machine filter contains multiple endpoint identifiers. Any endpoint in that list is in scope.
All users: A wildcard user filter matches any user account.
All applications: A wildcard app filter matches any executable attempting elevation.
Built-in checks: Standard checks (user, machine, file, date/time/day, certificate) are present. When those constraints are not narrowed (for example, no date/time/day/cert restrictions are provided), the policy effectively applies broadly.

What changes vs. the single-endpoint version

The only functional change is the machine targeting:

Before: the policy matched one endpoint (one machine identifier).
After: the policy matches any endpoint whose identifier appears in the machine list.

Everything else (wildcards for users/apps and the approval + MFA requirement) stays the same.

What the user experiences

Most elevation attempts on the targeted endpoints will result in an approval workflow.
After approval is granted, the user must complete MFA before the elevation is allowed.
The user must also acknowledge the notification prompt.

Important notes and common adjustments

High prompt volume: Because it applies to all elevation attempts, it can generate frequent approvals and MFA challenges—especially when expanded to many endpoints.
How to narrow scope:
- Restrict ApplicationCheck to specific executables (installers, admin tools, etc.)
- Restrict UserCheck to a specific group or set of users
- Add certificate/publisher constraints if you want to treat signed vs. unsigned apps differently
- Add time/day/date restrictions if approvals should only happen during certain windows

Example JSON

{
	"PolicyName": "_1_AllElevations",
	"PolicyType": "PrivilegeElevation",
	"PolicyId": "N0N1N2N3N4N5N6N7N8N9N",
	"Status": "enforce",
	"Actions": {
		"OnSuccess": {
			"Controls": [
				"APPROVAL",
				"MFA"
			]
		},
		"OnFailure": {
			"Command": ""
		}
	},
	"NotificationMessage": "A policy has been set to monitor mode.  When this policy is enabled, [mfa, justification, request] will be required to run this process as an administrator.",
	"NotificationRequiresAcknowledge": true,
	"RiskLevel": 50,
	"Operator": "And",
	"Rules": [
		{
			"RuleName": "UserCheck",
			"ErrorMessage": "This user is not included in this policy",
			"RuleExpressionType": "BuiltInAction",
			"Expression": "CheckUser()"
		},
		{
			"RuleName": "MachineCheck",
			"ErrorMessage": "This Machine is not included in this policy",
			"RuleExpressionType": "BuiltInAction",
			"Expression": "CheckMachine()"
		},
		{
			"RuleName": "ApplicationCheck",
			"ErrorMessage": "This application is not included in this policy",
			"RuleExpressionType": "BuiltInAction",
			"Expression": "CheckFile(false)"
		},
		{
			"RuleName": "DateCheck",
			"ErrorMessage": "Current date is not covered by this policy",
			"RuleExpressionType": "BuiltInAction",
			"Expression": "CheckDate()"
		},
		{
			"RuleName": "TimeCheck",
			"ErrorMessage": "Current time is not covered by this policy",
			"RuleExpressionType": "BuiltInAction",
			"Expression": "CheckTime()"
		},
		{
			"RuleName": "DayCheck",
			"ErrorMessage": "Today is not included in this policy",
			"RuleExpressionType": "BuiltInAction",
			"Expression": "CheckDay()"
		},
		{
			"RuleName": "CertificateCheck",
			"ErrorMessage": "Certificate hash is not included in this policy",
			"RuleExpressionType": "BuiltInAction",
			"Expression": "CheckCertificate()"
		}
	],
	"UserCheck": [
		"*"
	],
	"MachineCheck": [
		"NSBYFNaHnhkIgVIazYhFXA"
	],
	"ApplicationCheck": [
		"*"
	],
	"DayCheck": [],
	"DateCheck": [],
	"TimeCheck": [],
	"CertificationCheck": [],
	"Extension": {}
}

PreviousPolicy: Privilege Elevation Justification Policy for Keeper Utilities NextPolicy: Require Approval to Elevate a Specific RunDLL32 Control-Panel Action

Last updated 2 hours ago

Was this helpful?

hashtagWhat this policy does

hashtagWhy it behaves this way

hashtagWhat changes vs. the single-endpoint version

hashtagWhat the user experiences

hashtagImportant notes and common adjustments

hashtagExample JSON