
Getting Started: Technician Elevation

Technician Elevation allows privileged actions on domain-joined endpoints without sharing a common admin password. Technicians authenticate with their personal Evo credentials and are then granted access to the endpoint via either a designated shared admin account or a “just-in-time” local admin account created just for them.

For example, imagine that you are an MSP with a client using an on-premise directory. Historically, technicians have logged in with a shared domain admin account such as “SuperAdmin.”

With Technician Elevation, techs no longer need the password to that account. They sign in with their personal Evo credentials and are seamlessly granted authority to act as “SuperAdmin,” with an audit trail back to the individual who was logged in.

Evo Portal Setup

These instructions assume that you already have access to your Evo Partner Portal and have completed the basic steps to set up your MSP with Evo.

If not, head over to our MSP Onboarding Guide and complete the steps there first!

Directories

Connect Your Customer Directories

To set up Technician Elevation for your techs, the third-party directory where those users exist needs to be synced to Evo. You can set up Directories in bulk for all of your customers, or you can do it one-by-one as you test and deploy Evo Technician Elevation to your customers.

Refer to our Directory Integration articles to complete that process.

Select or Create Account for Elevation

When technicians execute an elevated login, they have to ultimately be logged into a privileged account within the target environment - either a domain account, a local account on the workstation, or a just-in-time local account created by Evo only as it is needed.

The base process here describes how to use a brand-new domain account as that target account, but you can choose whatever works best for your situation.

  1. Create a new domain account with the appropriate level of administrator permissions that you would like your technicians to have after elevating. Ensure that account has synced to Evo.
  1. Navigate to Vault > Domain Accounts and click New.
  1. Set the type to “Select from Synced Directory” and pick the relevant Directory.
  1. Pick the user account that you just created from the list and set the password rotation timing to your preferred security policy. Then click Save.
    1. Note: Evo will “own” this account and automatically rotate the password. The current password is always available in the Vault, but the idea is that your technicians should not use it directly. They will be transparently logged into this account after entering their own Evo credentials on the endpoint.

Licenses, Groups & Roles

Assign Technician Elevation Licenses

Note: Refer to our full article on managing user licenses for more details on how to manage Evo licenses.

This process assumes that you have already created a Tenant, set up a Directory for that Tenant, and synced users into Evo.

  1. Verify that the expected users have synced over by navigating to Evo Admin > Tenants.
    1. Note: If users don't show up, make sure they don't already exist in a different tenant.
  1. Once you have verified that the users are synced, we need to assign Technician Elevation licenses to the correct tenant. Go to Evo Admin > Licensing & Billing, select your tenant at the bottom by clicking the > icon on the right side, and ensure that Technician Elevation licenses are assigned to the Tenant’s pool.
    1. Note: Evo licenses are pooled and a given tenant needs to have sufficient licenses in its “pool” to support the Technician Elevation users in it. Refer to our Licensing & Billing article for additional details.
  1. Now that your licenses are part of the tenant, you can assign them to users. Select the user by clicking on the checkbox next to their name and select the Assign Licenses option that shows up on the bottom of the screen.

Configure Elevated Assignments, Permissions, and Tenant Access

Users are granted the ability to use Technician Elevation by:

  1. Being in an appropriately scoped Technician Elevated Assignment
  1. Having the correct Evo permissions to use Technician Elevation
  1. Having the correct Tenant Access permissions to access the necessary tenants

Setup Elevated Assignment

  1. If you don’t already have a group created for the set of users that you want to grant Tech Elevation permissions to, create it in Identities > Groups first.
  1. Then, navigate to Evo Admin > Permissions.
  1. On the Permissions screen, click Elevated Assignment.
  1. With the Elevated Assignment tab selected, click Create Assignment.
  1. Give your Assignment a name and description.
  1. Select the Users and/or Groups that should be attached to this Assignment.
  1. Select which Domain Accounts this Assignment should have access to as the accounts underlying the elevated access (i.e., the accounts which elevated users will use under the covers when they do an elevated login.)
  1. Click Save.

Assignments can also be edited and deleted from the Permissions > Elevated Assignment tab.

Configure Permissions

Users of Technician Elevation (and anyone else who will be managing Evo functionality) will need a Role assigned to dictate what can be accessed.

  1. Go to Evo Admin > Permissions and on the Roles tab, create a New Role.
  1. Assign the necessary permissions for Technician Elevation to the new Role.
    1. Note: If you are setting up Evo for the first time, you will likely want to set up several Roles. For example, one Role for full Evo administrators who should have all permissions and a second for technicians who will use Technician Elevation but who shouldn’t be able to perform more highly privileged management actions in Evo. A more detailed breakdown is available in this article on Roles & Permissions.
  1. Assign Technician Elevation users to the newly created Role.

Configure Tenant Access

Users of Technician Elevation will also need Tenant Access to the tenants in which they will perform elevations.

  1. From Evo Admin > Permissions, select the Tenant Access tab.
  1. Select the relevant Tenant by clicking on the pencil icon on the right.
  1. Select all groups and/or users that you would like to have access to the Tenant and click Save.
    1. Note: For any Evo user with the “Admin” ability to log in to the Partner Portal, this Tenant Access grant will also allow them to see that Tenant in the Partner Portal and take actions for which they have appropriate permissions.

Endpoint Deployment

Deploy Agents

The Evo Endpoint Agent needs to be deployed to each endpoint on which Technician Elevation will be available as it facilitates the authentication of an Evo user into an administrator account on the target machine.

Refer to our Windows Agent Deployment article to complete that process.

Remove or Demote Old Admin Accounts

Once Technician Elevation has been fully deployed, you may find that a number of legacy Local Administrator accounts are no longer needed. These accounts can now be deleted or demoted directly from the Evo Portal.

To manage them, navigate to Vault → Local Accounts, select the accounts you wish to delete or demote, and then schedule the corresponding Deletion or Demotion action.
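
Before scheduling a Deletion or Demotion, it helps to confirm which accounts actually hold local administrator rights on an endpoint. The PowerShell below is an added example, not part of Evo's documentation or tooling; it uses the built-in Microsoft.PowerShell.LocalAccounts cmdlets, and the names in `$KeepList` are placeholders you would replace with the accounts you intend to retain.

```powershell
# Added example: inventory the local Administrators group on this endpoint so
# legacy accounts can be reviewed before a Deletion or Demotion is scheduled.
# $KeepList is an assumption (placeholder names, not taken from Evo).
$KeepList = @('EXAMPLE\SuperAdmin', 'EXAMPLE\Domain Admins')

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators; using the SID
# instead of the name keeps the script working on localized Windows builds.
$members = Get-LocalGroupMember -SID 'S-1-5-32-544'

$report = foreach ($member in $members) {
    # Only local user accounts have Enabled / LastLogon / PasswordLastSet
    # data on this machine; domain principals and groups are listed as-is.
    $local = $null
    if ($member.PrincipalSource -eq 'Local' -and $member.ObjectClass -eq 'User') {
        $local = Get-LocalUser -SID $member.SID
    }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Name            = $member.Name
        ObjectClass     = $member.ObjectClass
        Source          = $member.PrincipalSource
        Enabled         = if ($local) { $local.Enabled } else { $null }
        LastLogon       = if ($local) { $local.LastLogon } else { $null }
        PasswordLastSet = if ($local) { $local.PasswordLastSet } else { $null }
        # Anything not explicitly kept is a candidate for review.
        Review          = $member.Name -notin $KeepList
    }
}

# Candidates for review first; pipe to Export-Csv instead to collect results
# from many endpoints.
$report | Sort-Object Review -Descending | Format-Table -AutoSize
```

Run it in an elevated session on the endpoint. Enabled local accounts with an old `PasswordLastSet` and no recent `LastLogon` are the usual legacy candidates.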

 