This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 65%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAW%3C/text%3E%3C/svg%3E)
Hey!
Very green noobie here...
HR has asked if it's possible to add a justification for login applicable to admins only. In other words, when an admin logs in, they must enter a single sentence reason for why they are logging in. Fully aware of all the logs available, and the lack of trust this discloses, but nevertheless...I just don't think the admins will remember to add a justification to a separate file... I know I would always forget!
Thanks for any sage advice.
Apologies this comment needs deletion, but I'm unable to do this.
Endpoint Privilege Management feature has some reasoning (text entery) but it only applies to Application installation, not all admin activities.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 69%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECZ%3C/text%3E%3C/svg%3E)
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
If they are worried about admin activities and justification, then PIM is the answer if you are licensed.
You can require justification for any account that elevates itself:
Example:
Thanks for this, I'd stumbled on PIM, so I was going in the right direction.
Our Admin accounts are currently set up as separate accounts to our day-to-day accounts. Can PIM still help as we'd not be elevating permissions?
Where might I start to find a guide on how to implement?
Hi, see the link above that I posted on how to start. PIM is intended for just in time elevating permissions however