
Session Elevation Denied

Session Elevation is denied in CapaOne Privilege Manager

Session elevation denied message in CapaOne Privilege Manager

  1. Ensure you are using the correct Privileges configuration, that it is set up with the correct Entra ID groups, and that you are validating with the correct Entra ID user.

  2. Make sure that the CapaOne Entra ID integration is configured correctly (see Integrate CapaOne with Entra ID).

  3. Inspect the log file CapaOnAgent.log (it can be found in C:\ProgramData\CapaSystems\COA\Logs). A denied elevation is logged together with its validation result, which lists every group check that did not pass, for example:

```text
AzureAD\Simon is denied permission to elevate a session on client8 via the 'STH - Azure Test' configuration. Removing the 'Start' button:
- No local security group has been configured
- AzureAD\Simon is NOT member of the AD group 'domain users'
- sth@capa.one is NOT member of the Azure group 'STH_Azure'
- sth@capa.one is NOT member of the Azure group 'Test af æøå og mellemrum'
```

Note that two identities appear in the result: the Windows account (AzureAD\Simon) is used for the local and AD group checks, while the Entra ID UPN (sth@capa.one) is used for the Azure group checks. If the UPN shown here is not the user you expect, the problem is the Entra ID user context on the device rather than the group configuration.
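The script below is an added example, not CapaOne's own code. It parses the "denied permission to elevate" entries in CapaOnAgent.log into objects that show which Windows account and which Entra ID UPN were checked and which group checks failed, so several denials can be compared at once. It assumes the file name CapaOnAgent.log in the documented folder, and that entries look like the excerpt above without a per-line timestamp prefix; the embedded sample is a constructed copy of that excerpt so the script also runs away from the device.

```powershell
# Added example, not CapaOne's own code: pull the "denied permission to elevate"
# entries out of CapaOnAgent.log and list the group checks that failed for each.
# Assumptions: the full log path below (the page names the folder and file name),
# and that entries look like the excerpt above with no per-line timestamp prefix.
# If the real log prefixes each line, strip the prefix before calling Get-ElevationDenial.

function Get-ElevationDenial {
    param([Parameter(Mandatory)][string[]]$Lines)

    $header = "^(?<who>.+?) is denied permission to elevate a session on (?<client>\S+) via the '(?<config>.+?)' configuration"
    $reason = '^\s*-\s*(?<text>.+?)\s*$'
    $current = $null

    foreach ($line in $Lines) {
        if ($line -match $header) {
            if ($current) { $current }          # emit the previous entry, if any
            $current = [PSCustomObject]@{
                WindowsUser = $Matches.who     # account used for the local/AD group checks
                Client      = $Matches.client
                Config      = $Matches.config
                EntraUpn    = $null            # UPN used for the Azure group checks
                Failed      = New-Object System.Collections.Generic.List[string]
            }
            continue
        }
        if ($current -and $line -match $reason) {
            $text = $Matches.text
            $current.Failed.Add($text)
            if ($text -match "^(?<upn>\S+@\S+) is NOT member of the Azure group '") {
                $current.EntraUpn = $Matches.upn
            }
            continue
        }
        if ($current) { $current; $current = $null }   # any other line closes the entry
    }
    if ($current) { $current }
}

# Constructed sample (a copy of the excerpt above, configuration name on one line)
# so the script runs without access to the device.
$SampleLog = @'
AzureAD\Simon is denied permission to elevate a session on client8 via the 'STH - Azure Test' configuration. Removing the 'Start' button:
- No local security group has been configured
- AzureAD\Simon is NOT member of the AD group 'domain users'
- sth@capa.one is NOT member of the Azure group 'STH_Azure'
- sth@capa.one is NOT member of the Azure group 'Test af æøå og mellemrum'
'@ -split "`r?`n"

$LogPath = 'C:\ProgramData\CapaSystems\COA\Logs\CapaOnAgent.log'   # folder and file name as documented above
$lines = if (Test-Path $LogPath) { Get-Content $LogPath -Tail 5000 } else { $SampleLog }

Get-ElevationDenial -Lines $lines | ForEach-Object {
    $upn = if ($_.EntraUpn) { $_.EntraUpn } else { 'n/a (no Azure group check reached)' }
    "{0} denied on {1} via '{2}'; Windows account {0}, Entra ID UPN {3}" -f $_.WindowsUser, $_.Client, $_.Config, $upn
    $_.Failed | ForEach-Object { "    failed check: $_" }
}
```

Run it in the same PowerShell window you use for the checks that follow; when the real log is present it reads the last 5000 lines, otherwise it falls back to the constructed sample. A denial whose Entra ID UPN is not the user you expected points at the user context checks below rather than at the group configuration.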

Run the commands below in a regular PowerShell window. The two Az commands need the Az.Accounts module; the others are built into Windows.

  1. Display the current and available Azure contexts. Use this to check which user contexts exist on the device; if no context, or the wrong user's context, is shown, validation can fail.

```powershell
Get-AzContext -ListAvailable
```

  2. Clear the current context. If the wrong user is listed, this removes the cached context so the correct user can sign in again.

```powershell
Clear-AzContext -Scope CurrentUser -Force
```

  3. Find the current user's UPN. Note that whoami /upn only works for domain or Entra ID accounts; for a local account it reports that the user has no UPN.

```powershell
whoami /upn
```

  4. Display the device state. If the device is neither AzureAdJoined nor EnterpriseJoined, and the user is not WorkplaceJoined, the agent may not be able to prompt the user for an Entra ID login.

```powershell
dsregcmd /status
```

dsregcmd /status output showing the device join state

  5. Check the Work or School user. Open Windows Settings, click Accounts on the left and then click Access work or school. If no user is shown, no user is connected.

Windows Access work or school settings with no connected account

Account details for a connected work or school account

  6. Use the Sign-in Diagnostic tool in the Azure portal to see the user's sign-in events. This can give a hint as to why the Privileges Entra ID validation is failing.

    1. Log in to the Azure portal and select Microsoft Entra ID
    2. Click Diagnose and solve problems in the left menu
    3. Click Troubleshoot in the Sign-in Diagnostic box
    4. Click All Sign-In Events, search for the user who has trouble with Privileges, and look at the sign-in events

Validating with Entra ID groups when offline


Here are three scenarios in which Offline Validation is used:

  1. Entra ID login is down

    1. No Microsoft login window is shown; instead the agent uses the result of WHOAMI /UPN to determine which user to validate.
    2. Entra ID group membership is still looked up through CapaOne.

  2. CapaOne is down

    1. The UPN is taken from the Microsoft login window when the user signs in.
    2. That UPN is then matched against the local cache file.

  3. Entra ID login and CapaOne are both down (offline)

    1. Again, no Microsoft login window is shown; the agent uses WHOAMI /UPN to determine the user.
    2. Again, that UPN is then matched against the cache file.

This fails if the Entra ID UPN and the Windows UPN differ: the agent would either request groups for the wrong UPN or look up the wrong cache file. Compare the output of whoami /upn with the account shown by Get-AzContext -ListAvailable (or the connected Work or School account) to rule this out before the device goes offline.
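The script below is an added example, not CapaOne's own code. It automates the PowerShell checks earlier on this page (Get-AzContext -ListAvailable, whoami /upn, dsregcmd /status) and applies the rule from this section: it cross-checks the Windows UPN against the Azure contexts cached on the device and reports the Windows UPN / Entra ID UPN mismatch that breaks offline validation, along with a missing join state or a missing or duplicated Azure context. It assumes the Az.Accounts module is installed when contexts are to be checked, that dsregcmd prints its usual "Name : Value" lines, and that it is run as the affected user; the function names are my own. The constructed input at the end shows the mismatch finding without needing a misconfigured device.

```powershell
# Added example, not CapaOne's own code. It cross-checks the identities that the
# validation can use: the Windows UPN (whoami /upn), the device join state
# (dsregcmd /status) and the Azure contexts cached on the device (Get-AzContext),
# and flags the Windows-UPN/Entra-UPN mismatch that breaks offline validation.
# Assumptions: Az.Accounts is installed when contexts are to be checked; dsregcmd
# prints its usual "Name : Value" lines. Run it as the affected user.

function Get-DsregState {
    # Turn the "Key : Value" lines of dsregcmd /status into a hashtable
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(?<k>[^:]+?)\s*:\s*(?<v>.+?)\s*$') { $state[$Matches.k] = $Matches.v }
    }
    $state
}

function Get-WindowsUpn {
    # whoami /upn exits non-zero for a local account, which has no UPN at all
    $out = @(whoami /upn 2>$null)
    if ($LASTEXITCODE -ne 0 -or $out.Count -eq 0) { return $null }
    ([string]$out[0]).Trim()
}

function Get-AzContextUpns {
    # Account IDs of every cached Azure context; empty if Az.Accounts is not installed
    if (-not (Get-Command Get-AzContext -ErrorAction SilentlyContinue)) { return @() }
    @(Get-AzContext -ListAvailable | ForEach-Object { $_.Account.Id } | Where-Object { $_ })
}

function Test-ElevationIdentity {
    param([string]$WindowsUpn, [hashtable]$DsregState, [string[]]$AzureUpns)
    $findings = New-Object System.Collections.Generic.List[string]

    $joined = ($DsregState['AzureAdJoined'] -eq 'YES') -or ($DsregState['EnterpriseJoined'] -eq 'YES')
    $wpj    = $DsregState['WorkplaceJoined'] -eq 'YES'
    if (-not ($joined -or $wpj)) {
        $findings.Add('Device is neither AzureAdJoined/EnterpriseJoined nor WorkplaceJoined; the Entra ID login prompt may not appear')
    }
    if (-not $WindowsUpn) {
        $findings.Add('whoami /upn returned no UPN (local account); offline validation has nothing to match')
    } elseif ($AzureUpns.Count -eq 0) {
        $findings.Add('No Azure context cached for this user; check Access work or school and sign in')
    } else {
        if ($AzureUpns.Count -gt 1) {
            $findings.Add(('Several Azure contexts cached ({0}); run Clear-AzContext -Scope CurrentUser -Force and sign in as the right user' -f ($AzureUpns -join ', ')))
        }
        if ($AzureUpns -notcontains $WindowsUpn) {   # -notcontains compares case-insensitively, as UPNs are
            $findings.Add(("Windows UPN '{0}' matches no cached Azure context; offline validation would request groups or read the cache for the wrong UPN" -f $WindowsUpn))
        }
    }
    [PSCustomObject]@{
        WindowsUpn = $WindowsUpn; AzureUpns = $AzureUpns
        AzureAdOrEnterpriseJoined = $joined; WorkplaceJoined = $wpj; Findings = $findings
    }
}

# Live check on this device
$report = Test-ElevationIdentity -WindowsUpn (Get-WindowsUpn) -DsregState (Get-DsregState) -AzureUpns (Get-AzContextUpns)
$report | Format-List
if ($report.Findings.Count -eq 0) { 'No identity mismatch found; check the Privileges configuration and CapaOnAgent.log next.' }

# Constructed input reproducing the failure mode: Windows UPN and Entra ID UPN differ
$demo = Test-ElevationIdentity -WindowsUpn 'simon@capa.one' -DsregState @{ AzureAdJoined = 'YES' } -AzureUpns @('sth@capa.one')
$demo.Findings   # one finding: the UPN mismatch
```

Test-ElevationIdentity is kept free of side effects so it can be fed captured values from another device; the live call at the bottom is the one to run on the affected machine, and an empty Findings list there means the identity side is consistent and the next place to look is the Privileges configuration itself.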