Empower users, streamline workflows.

Discover our Core Features

Just-In-Time Elevation

Admin By Request provides multiple avenues for users to request administrative access when they need it. Run as Admin is a feature which elevates a single application, whereas an Admin Session grants the user elevated privileges on their device for a period of time.

Auto-Approval

For large enterprises, manually approving each individual request for elevation may not be the most resource-efficient method. With Machine Learning and Artificial Intelligence Auto-Approval, you can allow the system to decide which applications should be automatically approved.

Remote Access

The seamless extension of our renowned Endpoint Privileged Access Management (PAM) solution. Building upon our legacy of user-friendly and intuitive cybersecurity tools, our Remote Access Product empowers businesses with effortless connectivity and unparalleled security.

Skip the reading:

Elevation Methods

Run as Admin

Per App Elevation

Users can right-click the application they want to run with elevated privileges and select Run as Admin from the menu.

Admin By Request provides the ability to perform ‘per app’ elevations. The main benefit of this is you are giving the user the ability to elevate just a single application, rather than granting elevated access to the entire system. Another benefit of ‘Run As Admin’ mode is that it works the exact the same way as the default Windows Run as Admin function, so there is minimal need to ‘re-educate’ users in how to get elevated rights when running apps. ‘Run As’ elevations can be configured to require the user to fill out a ‘reason’ for the elevation, and / or require manual approval to run the application elevated.
You have the option to assign different users / groups of staff different combinations of these options, with the use of our sub-settings functionality. So when you need to manage the granting of elevation ‘per application’ and not the entire system, the ‘Run As Administrator’ method is the right choice.
Documentation
Discover our core features. A young male sits with his back to the camera typing on a keyboard, with three screens in front of him.

Admin Session

Session Elevation

Users can double-click the Admin By Request desktop icon or select the icon from tray tools and confirm that they want to initiate an Admin Session.

Any user given full session elevation gets full local admin rights on their system. Full session elevation mode is ideal for situations such as when elevated access to ‘system’ resources such as drivers or printers etc. is required, when a user needs elevation only for a specific amount of time, or when a Developer requires the use of multiple elevated applications.
As with ‘Run As’ mode, everything in the elevation session is audited, so you can see the reason why the person needs the elevation, anything installed, uninstalled, or run. Full Session elevation mode includes the ability to block the elevation of any system files (CMD.EXE etc.) whilst running elevated, and the ability to ‘force terminate’ any elevated processes once the timer has run down.
Documentation

PIN Code

Provide Offline Access

Offline users, or those not permitted to use other Admin By Request features for elevation, can instead obtain a challenge/response PIN.

This feature is ideal for any user who is unable to gain elevation via Run as Admin or initiate an Admin Session due to being offline – an issue which occurs when a company has Require Approval turned on; requests for elevated privileges cannot be approved by an IT admin because they cannot be sent from the endpoint when that endpoint is not connected to the Internet. The PIN Code feature is also designed for users who are prevented from using the Admin By Request Run as Admin or Admin Session features to gain elevation because they are not within the scope of users permitted to use these features.
These users likely rarely require elevation within their role, but may have the occasional need to perform one-off admin tasks such as printer installation. With the feature, one PIN is generated by the end user and the other by an IT admin. When used together (i.e., entered into the Admin By Request popup window on the end user’s device), offline or out-of-scope elevation is granted.

App Control

Pre-Approval

Create Whitelists

Users who request to run Pre-Approved applications as administrator do not need to wait for approval - instead, it's granted immediately.

Admin By Request comes with sophisticated approval workflows built in, which enable portal administrators to process each elevation request based on a ‘reason’ and to then decide on whether or not to approve it. But what if you have a known application, perhaps legacy, that some staff need to use all the time? You don’t want to have to ‘workflow’ these requests, but at the same time you don’t want there to be a Local Admin ‘free buffet’ either. This is the ideal scenario for application pre-approval (previously known as ‘whitelisting’), which allows any user to run a pre-approved program without having to gain full local admin rights to their system.
For more granular control, you can deploy a sub setting and create additional pre-approval entries for those users in that sub setting – so if you need to pre-approved list an application for engineering, you would add this only to the engineering sub setting pre-approved list, so only that department could auto elevate it.
Documentation

AI Approval

Auto-Approve Trusted Apps

Each application has a score based on how trustworthy it and the app vendor is. Apps which rank above a pre-set score are auto-approved.

Close-up on the numerical pad of an orange and black keyboard.
Most of the applications run with elevated privileges are the same across the board – and these common apps are generally safe for elevation. So, the question was, how could we use this data to help each customer? We created a system which designates applications two scores between 0 and 100% based on both the application and its vendor’s popularity. A very well-known app from a reputable vendor (e.g., Microsoft Office) would score in the higher end of the scale, whereas a rarely used app from an unknown vendor would receive a low score. The higher each of the scores, the more trustworthy the app is considered to be, and the less risk attached in allowing it to be automatically approved by the Admin By Request AI engine.
Very low scores (i.e., 0-1) indicate ‘exotic’ apps – rare software from unknown vendors which are much more likely to have malware attached. These exotic applications are those that you would not want to be auto-approved by the AI engine, and instead approved manually on a case-by-case basis. The idea with the scoring system is to allow customers to set a score of their choosing, and then enable AI Auto-Approval for every application which meets this score or higher – using the AI engine to approve applications that are very common, and therefore, likely safe.
Documentation

Machine Learning

Reduce Manual Workload

Each time a user request to run an application as administrator is approved, the system learns what is safe for auto-approval.

The idea behind Machine Learning Auto-Approval is to kill two birds with one stone: why don’t we allow customers to build a Pre-Approved list, as their employees use the software? Let’s say a user requests to elevate an application, and an IT Admin approves this request. What the IT Admin is essentially saying is that the application in question is safe to run; in other words, it likely belongs on the Pre-Approved list. So why not make a rule that if approval for an application elevation is granted X amount of times, that application is now automatically approved from then on?
This is where the Machine Learning feature comes in – it allows the system to handle creating the list of applications that are safe for approval as applications are used. Customers can set a number of times that applications need to be manually approved by an IT Admin before they are added to the Machine Learning Auto-Approved list.
Documentation

Available with Server Edition

Remote Access

Miniature city lit with orange lights representing Admin By Request Remote Access
Admin By Request Remote Access is a groundbreaking, feature-rich addition to our Server Edition product, which leverages familiar Admin By Request approval flows and features to enable secure, browser-based connections to servers and network endpoints.
This solution revolutionizes the way IT administrators manage and access critical systems by eliminating reliance on traditional VPNs and jump servers while maintaining a secure and segregated setup, with all features and configurations accessible from the intuitive and familiar Admin By Request Portal.
Read More

Verification

Endpoint MFA/SSO

Enforce Business Policies

Instead of confirming or authenticating using account credentials, users can be forced to undertake MFA and use SSO with your chosen IdP.

As cyberthreats increase and advance, so do compliance and security requirements specified by governing bodies. Most organizations now have policies around MFA and Single Sign-On (SSO) in place, both to protect their IT environment and to ensure adherence to various compliance regulations. Such policies or business rules can prove cumbersome for all involved: enforcing that they’re followed may present a problem for IT Admins, whereas abiding by them may seem annoying and unnecessary to the end user. Admin By Request PAM solution now has endpoint MFA and SSO capabilities built-in, allowing customers to configure and enforce business rules around these two security features from within their User Portal.
The feature directs users to the configured SSO provider and requires MFA when they request elevation. Admin By Request then verifies that SSO is complete according to the company’s business rules, and the requested elevation is granted. The feature is ideal for enabling organizations to enforce business rules and ensure security and compliance. It enforces MFA on the endpoint prior to elevation – a requirement for UK organizations who must adhere to the UK Cyber Essentials framework. On the end user side, this feature vastly reduces the number of steps the user needs to take by essentially allowing them to bypass Windows Authenticate and use SSO in order to obtain elevated privileges: the same end result, with fewer clicks. Users no longer have to wait for approval (as is the case in Authenticate / Require Approval mode) – as soon as SSO is complete, approval is granted.
Half a laptop in the dark, with an orange light-up keyboard.
Documentation

Device Owner

Lock Device to One User

The end user, or IT support person working on the PC, would enter PIN 1 into the User Portal, and use this to generate PIN 2.

In larger organizations with thousands of computers, often used by multiple people, you may want to want to restrict the ability for users to gain privileged access to only the predominant user of that device – particularly if your Settings and Sub-Settings for gaining admin rights are on the more lenient side (e.g., you don’t require approval for elevation). As the name suggest, this feature sets a user as the device owner, and can then be used (if desired) to lock down the device to only that person. The way it works is the first non-administrator that logs in to the device (prior to Device Owner being set) becomes the Device Owner.
Once a device has an Owner (listed in the Inventory and Reports pages of your User Portal), you then have the ability to configure Settings to allow only the specified Device Owner to use Admin By Request elevation features on that device (i.e., Run as Admin and Admin Session). These settings can be applied to all users across the board (Global Settings), or to certain users and groups (Sub-Settings). The Device Owner can be viewed, changed to the currently logged in user, and released altogether so that the next non-administrator that logs in takes up ownership.
Documentation

Support

Break Glass/LAPS

Grant Emergency Local Admin Access

Generate a local admin account in an emergency or safely provision Just-In-Time administrator accounts for specific purposes or third-party users.

The new feature is based on the idea behind Microsoft’s Local Administrator Password Solution (MS LAPS). If you’re familiar with MS LAPS, you’ll know how it works and why it’s necessary: hackers love the tried and tested technique of exploiting administrator accounts, either via horizontal or vertical privilege escalation; MS LAPS works to prevent this by utilizing Active Directory (AD) to manage admin account passwords across all endpoints, with a key component of management being the forced rotation of passwords for each admin account; when access to an admin account is needed, system admins can retrieve stored passwords from AD and log in to the administrator account.
The reasoning is valid, but MS LAPS leaves several security (and usability) gaps that we thought needing filling. The Break Glass feature takes the functionality of MS LAPS and turns it into a much more attractive option: it creates a new, temporary, one-time-use Administrator account on an endpoint, that works on domains, Azure AD, and stand-alone, which Audits all elevated activity, and terminates within a pre-defined amount of time or on log out.
Documentation

Provide Remote Support

Helpdesk personnel can remotely connect to end user devices and provide the required assistance using Admin By Request.

Support Assistance

Support Assistance is the feature that helps your Helpdesk to better service users. A user may need helpdesk support for a number of reasons: they may not be permitted to use Admin By Request elevation features such as Run as Admin or Admin Session, they may not know where to find the software they need, they may not be tech-savvy enough to self-service using Admin By Request, or they may simply refuse to take on the responsibility of installing software on their work device knowing they will be audited.

Whatever the reason, Support Assist allows your Helpdesk to remotely connect to end user devices and use Admin By Request features to provide assistance. Personnel who are remote-connecting have the same abilities and restrictions within Admin By Request on the end user’s device that they have on their own device (i.e., the Admin By Request scope and settings applied to Helpdesk personnel are applied globally).

Documentation
A handshake with a digital hand.

Malware Protection with

OPSWAT MetaDefender Cloud icon.
When a user requests to run a file as administrator, malware checks are performed by more than 35 anti-malware engines before it’s executed, enabled through integration with OPSWAT’s MetaDefender Cloud API. Here are some of the anti-virus engines that scan your files.
Read More

Clean Up Local Admins

Staying on top of your local admin accounts is no easy feat. This is particularly true for older, larger companies that have created admin accounts when onboarding new employees and have been unable to keep track of them over time. The problem that results is an untracked number of rogue accounts that have elevated access, but may not be being used, monitored, or protected adequately. Leaving them be is a dangerous option, but even more so is eliminating them all and unintentionally rendering your endpoints unusable. With Admin By Request version 7.3, we’ve added a feature that makes the job of tidying up your loose ends (i.e., loose admin accounts) easy: Clean Up Local Admins.
With Admin By Request version 7.3, we’ve added a feature that makes the job of tidying up your loose ends (i.e., loose admin accounts) easy: Clean Up Local Admins.
Read More

Discover Our Core Features

The tools you need to empower your team, reduce helpdesk tickets, streamline workflows, and simplify compliance
Free Plan
Book a Demo

One Powerful Platform To Solve Multiple Problems

Product Key:

Endpoint Privilege Management

Secure Remote Access

Boost Productivity

Run as Admin

Admin Session

PIN code

Pre-approval

Application blocking

Automate & Streamline

AI auto-approval

Machine Learning

IdP integration

Clean Up Local Admins

Unattended Access Discovery Module

Lock Down Security

Break Glass/LAPS

Device Owner

Just-in-time elevation

Malware scanning (37+ engines)

Tamper prevention

Support Your Team

Remote support

Screen sharing and control

Multi-monitor support

Controlled vendor access

Mobile application

Simplify Compliance

Full audit logging

Session recording

MFA/SSO endpoint enforcement

Reason tracking

Granular privacy

ALL AVAILABLE WITH OUR LIFETIME FREE PLAN

25 Seats, All Core Features, No Strings Attached

Try Free Today

Learn More About Our Core Features

For PDF guides, technical specifications, and detailed feature breakdowns visit our Documentation Center

Run As Admin

Elevate individual applications, not entire user sessions.

Users can run a single application with elevated privileges, without gaining system-wide admin rights. Only that specific process has administrator rights, not the user.

Perfect for everyday tasks like installing approved software or running trusted tools. The session lasts only for the duration of the install and applies only to that particular application.

  • Requires approval from IT before elevation
  • Requires a reason for audit logging
  • Pre-approve trusted applications to eliminate friction
  • Block specific applications from ever being elevated

See Run As Admin documentation.

Admin Session

Time-bound system-wide access for complex tasks.

For tasks that require broader permissions, like installing drivers or changing system settings, users can request a protected administrator session. They become temporary members of the local administrators group for a configurable period (default 15 minutes).

Even with full access, users cannot uninstall Admin By Request or modify user accounts. All activity during the session is fully audited, including the reason provided, anything installed, and any applications executed.

Any files downloaded are run through 37+ anti-malware engines before running on the endpoint, made possible through integration with OPSWAT’s MetaDefender Cloud API.

Sessions automatically terminate when the timer expires or the user logs out, whichever comes first. See Admin Session documentation.

PIN Code

Admin By Request provides two PIN Code functions to handle situations where standard workflows aren’t available.

For offline or out-of-scope elevation, the dual-PIN system enables users to gain administrative privileges when they can’t connect to the portal for approval. This is particularly useful when Require Approval is enabled but the endpoint has no internet connection, or when users outside the normal scope of permitted users need to perform occasional administrative tasks like printer installation. The end user generates one PIN while an IT administrator generates another from the portal. When both codes are entered together into the Admin By Request popup window, elevation is granted.

For uninstallation, IT administrators can generate a one-time PIN code from the portal that allows local removal of Admin By Request from a device. This is valuable for offline endpoints, field devices, or any situation where standard remote management tools aren’t accessible. Once generated, the PIN works only once, maintaining security while providing flexibility for device management outside the network.

Application Pre-approval

Bypass approval workflows for trusted applications without granting full admin rights.

Some legacy tools or department-specific software need to regularly run elevated. Rather than processing repetitive approval requests for the same trusted programs, or giving users permanent local admin access, you can pre-approve specific applications. Users can then run these programs with elevated privileges automatically, without gaining full system-wide admin rights or waiting for IT approval.

Pre-approval works globally or can be scoped to specific groups through sub settings. For example, if your engineering department needs a specialized tool, you can add it to the engineering sub setting’s pre-approved list. Only that department will be able to auto-elevate the application, while it remains restricted for everyone else. This granular, controlled whitelisting eliminates the workflow burden for routine, trusted applications while maintaining security boundaries across different user groups and departments.

Application Blocking

Prevent unauthorized or malicious software from running with elevated privileges.

Not every application should be allowed to run with administrative rights. Application blocking lets you specify programs that users cannot execute with elevated privileges, protecting your environment from known malicious software, unauthorized tools, or risky applications. You can block based on file name, checksum, vendor, or file location.

For maximum security, blocking by checksum or vendor is recommended. Blocking solely by file name is strongly discouraged because users can easily bypass it by renaming the file. By using more robust identifiers like checksums (which verify the exact file contents) or vendor certificates, you ensure that blocked applications stay blocked regardless of how they’re renamed or where they’re stored.

Keep dangerous or policy-violating software locked down, even when users attempt to circumvent restrictions.

AI Auto-Approval

Intelligent automation for common applications based on popularity and trust scores.

Admin By Request analyzes elevation requests across its customer base to identify which applications are commonly run with elevated privileges. Each application receives two scores between 0 and 100%, measuring both the application’s popularity and its vendor’s reputation. Well-known applications from reputable vendors like Microsoft Office score at the higher end of the scale, while rarely used software from unknown vendors receives low scores.

Organizations set their own threshold score, based on their individual risk tolerance. Any application meeting or exceeding that threshold gets automatically approved by the AI engine. Very low scores (0-1) flag  applications from unknown vendors that carry higher risk and should be reviewed manually on a case-by-case basis.

The result is reduced approval burden on IT teams without compromising security. See AI Approval documentation.

Machine Learning

Build your pre-approved list automatically based on IT approval patterns.

When an IT administrator approves an elevation request, they’re signaling that the application is safe to run. If the same application gets approved multiple times, it’s a clear indication that it belongs on your pre-approved list. Machine Learning Auto-Approval recognizes this pattern and automates the process.

You set a threshold for how many times an application needs to be manually approved before the system adds it to the auto-approved list. Once an application reaches that number, it’s automatically approved for all future requests. This approach builds your pre-approved list organically as your employees use software in their daily work, eliminating repetitive approval tasks for IT while ensuring only vetted applications make the cut.

The system learns from your actual approval decisions rather than requiring you to anticipate every application your organization might need. See Machine Learning Documentation.

IdP Integration

Admin By Request integrates with major identity providers to simplify portal access and policy management.

Single sign-on (SSO) is supported for all common identity providers, either directly or through generic SAML 2.0, including ADFS and Azure AD. This eliminates separate credentials for the Admin By Request portal and leverages your existing authentication infrastructure.

Beyond SSO, identity provider connectors pull group information from Entra ID (formerly Azure AD), Google Identity, JumpCloud, and Okta to power Sub-Settings. These connectors retrieve your existing user and device groups, allowing you to apply different privilege policies to specific departments, teams, or organizational units without recreating group structures. For Azure AD environments, provisioning support automatically syncs user identities and access changes from your IdP to the Admin By Request portal during each provisioning cycle, keeping user management centralized in your identity platform. Visit The Integration Hub.

Clean Up Local Admins

Automatic removal of unnecessary administrative privileges.

Admin By Request automatically downgrades users from Admin to Standard User when they log on, eliminating the need to manually manage local administrator accounts across your endpoints. This ensures that users maintain standard permissions unless they explicitly request elevated access for specific tasks.

Administrators can exclude specific accounts from revocation when necessary, maintaining flexibility for service accounts or other exceptions. Tamper-prevention mechanisms prevent users from reinstating their own admin rights during active sessions.

When users need temporary elevated access, they can request it through Just-In-Time features like “Run As Admin” for individual applications or “Admin Session” for broader system access. See Clean-up Local Admins documentation. See Clean-up Local Admins Documentation.

Unattended Access Discovery Module

Automatic discovery of network-connected devices.

The Discovery Module automatically scans your network to identify all connected endpoints and reports findings back to the portal about devices responding on standard remote access ports (RDP on 3389, SSH on 22, and VNC on 5900/5901). This enables IT administrators to discover and connect to agent-less devices like routers, firewalls, and other network infrastructure that wouldn’t otherwise appear in your inventory.

By providing visibility into all remotely accessible devices across your network, the Discovery Module eliminates manual asset tracking and ensures no endpoints slip through security oversight. When deployed as part of an on-premise gateway setup, it integrates seamlessly with your existing infrastructure while maintaining full control over network scanning and device access.

Break glass/LAPS

One-time local admin accounts when everything else fails.

Domain trust broken? Need to grant a consultant temporary server access? Break Glass provisions secure, temporary local administrator accounts for emergency situations.

Unlike Microsoft LAPS, credentials are randomly generated, stored encrypted (never in plain text), and work only once. Accounts must be used within one hour and expire automatically. For Windows 8.4+, accounts take effect instantly with no reboot required.

This is emergency access done right: secure, auditable, and impossible to extend or reuse. See Break Glass/LAPS Documentation.

Device Owner

Restrict administrative access to designated device users.

The Device Owner feature allows you to lock down elevation privileges to a single user. The first non-administrator to log on to a device automatically becomes the Device Owner, with their identity tracked in your inventory and reports for centralized visibility.

Once assigned, you can restrict “Run As Admin” and “Admin Session” to only the Device Owner, preventing other users from gaining elevated access. This is especially valuable with lenient elevation policies, ensuring only the primary user can request administrative rights.

Administrators can view, reassign, or release device ownership as needed, putting complete control in your hands to balance security with productivity. See Device Owner Documentation.

Just-in-Time Elevation

Privileges granted only when needed, minimizing attack windows.

Rather than allowing users to maintain constant administrative rights, Admin By Request grants elevated privileges only when users actually need them. Users can request elevation for a single application through “Run As Admin,” which sandboxes elevated permissions to just that process, or request a protected “Admin Session” for broader system-wide access when tasks require wider permissions.

Both elevation methods are time-bound and fully audited, so you see in detail who requested access, why they needed it, and what they did while elevated. Sessions automatically terminate when the timer expires or the user logs out. This approach dramatically reduces the attack window by ensuring users spend minimal time with elevated rights, significantly decreasing the risk of account compromise or lateral movement by attackers.

Malware Scanning

Real-time protection against malware before elevated execution.

Whenever a user attempts to run a file with administrative privileges, Admin By Request automatically scans it using OPSWAT’s MetaDefender service, which employs 30+ commercial antivirus and anti-malware engines. This multi-engine approach delivers over 99% detection rates for known threats and catches zero-day exploits that individual antivirus products miss.

The checksum-based lookup happens instantly against MetaDefender’s global database of 40+ billion file signatures, and takes less than 0.1 seconds with no performance impact. Malicious files are blocked immediately before execution. Unknown files can optionally be sent for cloud scanning.

This transparent protection lets you confidently allow elevation requests without requiring individual approval, knowing malware scanning is automatic and always active. See Malware Scanning documentation.

Tamper Prevention

Multi-layered protection against unauthorized modifications.

During administrative sessions, Admin By Request continuously monitors all important system files to prevent unauthorized changes. Users cannot add, modify, or delete user accounts, nor can they uninstall Admin By Request itself. Attempts to alter protected files are immediately blocked, restored to their original state, and logged for audit review.

The system also detects clock changes and immediately terminates the session if tampering is detected, preventing users from extending their elevated access beyond the configured time limit. These layered protections ensure that even when users have elevated privileges, they cannot compromise the security infrastructure or extend their access without detection, maintaining control and visibility at all times.

Admin By Request blog post on access control for hybrid teams
Remote Support

Secure, just-in-time remote assistance for distributed teams.

Remote Support enables IT administrators and end users to initiate secure remote sessions for troubleshooting and support without requiring traditional VPN or RDP access. Sessions are established through secure Cloudflare Tunnels and just-in-time VNC servers, providing immediate assistance to remote and hybrid workers while maintaining security controls.

Both admin-initiated and user-initiated support requests create audited records of who accessed what and when. Session recording captures the entire interaction for compliance verification and quality assurance. For remote workforces, this eliminates delays in getting support while ensuring that all support activity is logged and can be reviewed. The ability to set maximum session durations prevents support sessions from running indefinitely, maintaining control over remote access.

Screen Sharing and Control

Enable productivity without compromising security.

Admin By Request Remote Support includes screen sharing and remote control capabilities, allowing support staff to see what users are experiencing and take control when necessary to resolve issues quickly. A “View Only” option lets administrators observe without controlling, useful for sensitive environments or when users prefer to retain control.

Either party can hide the screen from the remote person, giving users privacy control during support sessions. Screen recording is automatic, creating an audit trail of all support activities for compliance frameworks like SOC 2 and HIPAA. MFA can be required for portal users initiating sessions, ensuring only authorized personnel can connect. These controls allow you to provide efficient support to distributed teams without sacrificing security or audit visibility.

Multi-Monitor Support

Full visibility across complex remote environments.

For users with multiple monitors, Remote Support clearly displays which monitor is being viewed and allows easy switching between them. This eliminates confusion during remote troubleshooting and ensures support staff can fully understand the user’s environment and resolve issues more efficiently.

For hybrid workforces with varying setups, multi-monitor support reduces support call duration and improves first-contact resolution rates. Users don’t need to describe which screen they’re working on, and support staff can quickly navigate the entire desktop environment.

This combination of visibility and functionality means faster issue resolution without requiring the user to spend time explaining their setup.

Controlled Vendor Access

Secure third-party access without sacrificing control.

Vendor Access allows external users to access internal devices through a web browser without installing additional software, using the same secure infrastructure as other Admin By Request remote access features. Access is controlled through Portal User Logins where administrators define scopes to limit what resources vendors can access, including specific computer types, OUs, groups, or domains.

Vendors access resources through a dedicated portal (access.work) with SSO required for enhanced security. All vendor sessions are fully audited and can be recorded for compliance verification. A “Limit to access.work” setting prevents vendor users from accessing your main Admin Portal. This controlled approach allows you to work securely with third-party vendors and consultants while maintaining complete visibility and control over what they can access and ensuring compliance requirements are met.

Full Audit Logging

Complete visibility into all privileged access and activity.

Every administrative action is recorded in a centralized audit log with full details including user identity, device, what was executed, session duration, and more. This applies equally to endpoint privilege management actions like application elevations and admin sessions, as well as secure remote access sessions for both IT support and vendor access.

A unified audit log across both capabilities provides comprehensive visibility into who did what and when across your entire infrastructure. This is essential for compliance frameworks like SOC 2, HIPAA, and PCI-DSS, which require proof of access controls and activity monitoring. Detailed audit trails enable rapid incident investigation, ensure accountability, and provide the documentation needed for compliance audits and incident response.

Session Recording

Replay remote sessions for security and compliance verification.

Admin By Request automatically records video of all Remote Support and Vendor Access sessions, allowing administrators to replay sessions for training, quality assurance, and security verification. This is particularly valuable for remote and hybrid workforces where visual confirmation of remote work activity strengthens security posture.

Recorded sessions are stored securely and linked to your audit log, creating a complete record of who accessed what resources and exactly what they did. Many compliance standards require this level of documentation, making session recording an invaluable tool for meeting regulatory requirements while maintaining visibility over distributed teams.

MFA/SSO Endpoint Enforcement

Multi-layered authentication across all privileged access.

Admin By Request can require multi-factor authentication for administrators accessing the portal, requesting privilege elevation, and initiating remote sessions. SSO integration can be mandated for users accessing remote resources and for elevation requests. These authentication layers protect against unauthorized access even if credentials are compromised.

For distributed teams, MFA and SSO provide secure access from anywhere while simplifying credential management across your organization. They apply consistently to both endpoint privilege management and secure remote access, ensuring that only verified users can perform administrative actions or access sensitive resources. They’re also standard requirements for compliance frameworks and security policies. See MFA documentation.

Reason Tracking

Documentation of why administrative access was needed.

When users request administrative elevation or remote access, they can be required to provide a reason for their request. These reasons are captured and stored in the audit log, creating a complete record of not just what was done, but why it was necessary.

Reason tracking ensures accountability across your entire privileged access infrastructure and provides context for investigating unusual activity. It supports compliance by documenting the business justification for privileged access, demonstrating that both elevation requests and remote access follow proper authorization procedures.

For teams where direct oversight isn’t possible, this creates transparency and accountability.

Code of Conduct

Customizable notification of monitoring and security policies.

Before granting administrative access, whether through endpoint privilege management or secure remote access, Admin By Request displays a customizable Code of Conduct page. This explains your organization’s security policies, monitoring practices, and acceptable use expectations, setting clear expectations with users and ensuring they understand their actions are being audited.

The Code of Conduct applies consistently across all privileged access scenarios, from local admin sessions to remote support sessions. For remote and hybrid teams, it provides transparent communication about monitoring without requiring in-person discussions, helping ensure compliance with company policies across geographically distributed workforces. It also supports legal compliance by documenting user acknowledgment of monitoring practices.

Ready To Make Compliance Simple?

Try our free plan with all core features and 25 Seats, or book a free 30-minute demo with one of our experts

Free Plan
Book a Demo

Security Without Compromise

Free Plan

What You’ll Get

All core features

25 Endpoint Privilege Management Seats

25 Secure Remote Access Seats

Lifetime Free
Download
Unattended Access

‘All You Can Eat’ Features

No confusing pricing tiers

No hidden fees, paid add-ons, or modules

No. of seats + term length = price

ALL features and support included in Enterprise plan

Price on Request
Get a Quote
Vendor Access

What You’ll Get

All core features

Scalable Endpoint Privilege Management seats (50+)

Scalable Secure Remote Access seats (50+)

Full support and training

Time-limited access grants

Price on Request
Get a Quote

Learn more about our pricing