Working with support approved elevations

This week is all about highlighting some recent functionalities that have been introduced in Endpoint Privilege Management (EPM). The most important functionality is probably the newly supported file extensions of .msi and .ps1. That provides a larger footprint for EPM in the world of often elevated file extensions, with the same experience as already known for executables. Besides that, there is more new functionality within EPM that might be even more powerful: support approved elevations. Support approved elevations allow IT administrators to require approval before an elevation is allowed. That makes sure that when a user tries to run a file in an elevated context, the user is prompted to submit an elevation request. That request is sent to Intune for review by the Intune administrator. When that request is approved by the IT administrator, the user is notified on their device and can run the file in an elevated context. A new and much requested experience. This post will focus on the main configuration options around this experience, followed by a brief look at monitoring new elevation requests. This post will end with experiencing an elevation request in action.

Note: Keep in mind that Endpoint Privilege Management is part of the Intune Suite and requires additional licensing.

Configuring support approved elevations

When looking at configuring support approved elevations, it’s good to start with the different configuration options. Support approved elevations can be configured as part of the default client behavior, or as part of an elevation rule. No matter the chosen path, the requests that are submitted all require an approval on a case-by-case basis.

Configuring support approved elevations as part of the default client behavior

The most generic option is configuring support approved elevations as part of the default client behavior. That configuration makes support approved elevations part of the default behavior for every elevation. The following eight steps walk through the creation of the default client behavior by configuring an elevation settings policy. The focus is on the elevation response.

  1. Open the Microsoft Intune admin center portal and navigate to Endpoint security > Endpoint Privilege Management
  2. On the Policies tab of the Endpoint security | Endpoint Privilege Management page, click Create Policy
  3. On the Create a profile page, provide the following information and click Create
     • Platform: Select Windows 10 and later as value
     • Profile: Select Elevation settings policy as value
  4. On the Basics page, specify a valid name to distinguish the policy from other similar policies and click Next
  5. On the Configuration settings page, as shown below in Figure 1, provide at least the following information and click Next
     • Endpoint Privilege Management: Switch the slider to Yes to enable EPM
     • Default elevation response: Select Require support approval to configure the required behavior
  6. On the Scope tags page, configure the required scope tags and click Next
  7. On the Assignments page, configure the required assignment by selecting the applicable group and click Next
  8. On the Review + create page, review the configuration and click Create

Note: This configuration makes sure that every elevation type requires support approval, by default.

Configuring support approved elevations as part of an elevation rule

The file specific option is configuring support approved elevations as part of a file specific elevation. That configuration makes support approved elevations part of the behavior for a file specific elevation. The following eight steps walk through the creation of a file specific elevation by configuring an elevation rules policy. The focus is on the elevation response.

  1. Open the Microsoft Intune admin center portal and navigate to Endpoint security > Endpoint Privilege Management
  2. On the Policies tab of the Endpoint security | Endpoint Privilege Management page, click Create Policy
  3. On the Create a profile page, provide the following information and click Create
     • Platform: Select Windows 10 and later as value
     • Profile: Select Elevation rules policy as value
  4. On the Basics page, specify a valid name to distinguish the policy from other similar policies and click Next
  5. On the Configuration settings page, as shown below in Figure 2, add a new rule, provide at least the following information and click Next
     • Rule name: Specify a valid and unique name to distinguish the rule
     • Elevation type: Select Support approved to configure the required elevation type
  6. On the Scope tags page, configure the required scope tags and click Next
  7. On the Assignments page, configure the required assignment by selecting the applicable group and click Next
  8. On the Review + create page, review the configuration and click Create

Note: This configuration makes sure that only the elevations matched by the rule require support approval.

Experiencing support approved elevations

Experiencing support approved elevations is pretty straightforward. But for a complete overview it’s good to walk through the whole process, from the user experience to the administrative experience. And not just that, but also including some directions on how to actually monitor those support approved elevations.

Requesting an application using a support approved elevation

It all starts with the user that wants to install a specific application. No matter if that application is part of the support approved elevation in the default client behavior, or a specific elevation rule. The user simply right-clicks the application that should be installed and provides a justification to request the application (as shown below in Figure 3).

Monitoring recent elevation requests

Once the user has requested the application, the elevation request ends up in the Microsoft Intune admin center portal. The easiest method at this moment to monitor that is by actually looking at the portal. That, however, might not be the most efficient way. So, it might be good to look at some automation around that. When looking at automation, an easy option could be using a Logic app that sends adaptive cards via Microsoft Teams (similar to this idea for Windows Autopilot). For that it’s important to understand the required queries in Microsoft Graph. Below are some examples for querying elevation requests; replace yyyy-MM-ddTHH:mm:ssZ with the UTC timestamp to query from.

https://graph.microsoft.com/beta/deviceManagement/elevationRequests?$filter=requestCreatedDateTime ge yyyy-MM-ddTHH:mm:ssZ
https://graph.microsoft.com/beta/deviceManagement/elevationRequests?$filter=status eq 'pending' and requestCreatedDateTime ge yyyy-MM-ddTHH:mm:ssZ

Note: When using a Logic app, use @{formatDateTime(addDays(utcNow(),-1),'yyyy-MM-ddTHH:mm:ssZ')} to query for the elevation requests of the last day.
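The two queries above and the Logic app timestamp note, worked into a small script that lists the pending requests a reviewer (or an adaptive card) needs to see. This is an added example, not code from the post or from Microsoft: the timestamp helper, the paging over @odata.nextLink, the constructed SAMPLE_PAGES data and the property names used in triage (status, requestCreatedDateTime, requestedByUserPrincipalName, requestJustification, applicationDetail.fileName) are assumptions, and obtaining the bearer token is left out.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/beta/deviceManagement/elevationRequests"

def stamp_days_ago(days, now=None):
    # Same value as the Logic app's formatDateTime(addDays(utcNow(), -days), ...).
    now = now or datetime.now(timezone.utc)
    return (now - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")

def requests_url(since, pending_only=False):
    # The $filter from the post; urlencode escapes its spaces, quotes and colons.
    flt = f"requestCreatedDateTime ge {since}"
    if pending_only:
        flt = f"status eq 'pending' and {flt}"
    return GRAPH + "?" + urllib.parse.urlencode({"$filter": flt})

def graph_get(url, token):
    # One authenticated GET returning the parsed body (token acquisition is assumed).
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def fetch_all(url, get_json):
    # Follow @odata.nextLink to the end; get_json is any url -> dict callable.
    items = []
    while url:
        page = get_json(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items

def triage(items):
    # Pending only, oldest first, reduced to reviewer fields (property names assumed).
    pending = sorted((i for i in items if i.get("status") == "pending"),
                     key=lambda i: i["requestCreatedDateTime"])
    return [{"id": i["id"], "user": i.get("requestedByUserPrincipalName"), "file": i.get("applicationDetail", {}).get("fileName"),
             "justification": i.get("requestJustification")} for i in pending]

SAMPLE_PAGES = {  # constructed two-page response standing in for Graph; ids are placeholders
    "https://example.invalid/p1": {"@odata.nextLink": "https://example.invalid/p2", "value": [
        {"id": "req-0002", "status": "pending", "requestCreatedDateTime": "2024-05-02T09:00:00Z", "requestJustification": "Printer driver",
         "requestedByUserPrincipalName": "user@example.com", "applicationDetail": {"fileName": "setup.msi"}},
        {"id": "req-0001", "status": "approved", "requestCreatedDateTime": "2024-05-01T08:00:00Z"}]},
    "https://example.invalid/p2": {"value": [
        {"id": "req-0003", "status": "pending", "requestCreatedDateTime": "2024-05-01T10:00:00Z", "requestJustification": "Migration",
         "requestedByUserPrincipalName": "other@example.com", "applicationDetail": {"fileName": "migrate.ps1"}}]},
}
```

Against a real tenant, run `triage(fetch_all(requests_url(stamp_days_ago(1), pending_only=True), lambda u: graph_get(u, token)))`; the offline sample is walked with `SAMPLE_PAGES.__getitem__` in place of the Graph call.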

Approving the elevation request

When a new elevation request is available, the elevation request can be approved (or denied) in the Microsoft Intune admin center portal. That approval can be achieved by any user with at least the View elevation requests and Modify elevation requests permissions. Simply navigate to Endpoint security > Endpoint Privilege Management > Elevation requests, as shown below in Figure 4, select the elevation request and click Approve.

Besides that, it’s also possible to automate the approval of the elevation request. Of course, not completely, as that would defeat the purpose of an elevation request, but for example via an adaptive card in Microsoft Teams (similar to this idea for retiring devices). For that it’s important to understand the required queries in Microsoft Graph. Below is an example for approving an elevation request.

https://graph.microsoft.com/beta/deviceManagement/elevationRequests/{elevationRequestId}/approve

Note: Simply replace {elevationRequestId} with the ID of the elevation request that should be approved.

Experiencing the support approved app

Once the elevation request is approved, it’s time to have a look at the user experience. In general, after a few minutes the user will receive a notification message on their device to inform about the approved elevation request (as shown below in Figure 5).

More information

For more information about support approved elevations in Endpoint Privilege Management, refer to the following docs.



4 thoughts on “Working with support approved elevations”

  1. I’m planning on rolling this out to a few users tomorrow, so this article came just in time! This is a great overview (as all of your articles are). I was wondering about prompting alerts when someone submits an Elevation Request, so I especially appreciate the tip on potentially using adaptive cards. Thank you!

  2. I’m interested in:

    1. Notifications to our security team, when elevation is requested – (is email possible, or a notification pop in Intune) ?
    2. Some sort of output/email as a result of the elevation request by the user, that we can configure to send to a well known ticketing system.

    I’m struggling to get definitive answers to these questions, but the lack of mention of either anywhere suggests they’re not possible.

    Thoughts ?

    • Hi Gav,
      That’s part of the post. You have to use a custom solution to monitor the elevation requests. At least when you don’t want to manually refresh the console all the time.
      Regards, Peter

