Microsoft Intune Multi-Admin Approval

David Bergquist

Senior Cloud Solutions Architect

Microsoft Intune is a cloud-based device management service that allows you to manage and secure your organization’s devices, apps, and data. As an Intune Administrator, you can configure Microsoft Intune settings, such as creating policies, applications, compliance, and assigning roles. However, some of these changes may have a significant impact on your organization’s security and productivity and may require approval from multiple admins before they can be applied.  

Multi-Admin Approval is a feature in Intune that institutes an approval process requiring one or more admins to consent before changes are made. This feature can help you to prevent unauthorized or accidental changes and maintain an audit trail of changes and approvals. Multi-Admin approval is available for the following Intune service settings: 

  • Applications 
  • Scripts 
 

In this blog post, you will learn about the prerequisites and process for enabling multi-admin approval in Intune, and I will share my experiences from both an administrator and an approver perspective.

  

Prerequisites

Before you can enable multi-admin approval in Intune, you need to meet the following prerequisites: 

  • You must have an Entra ID Premium P1 or P2 license for each admin who will participate in the approval process. 
  • At least two (2) administrator accounts must be configured in the tenant. 
  • You must be assigned the Intune Administrator or Global Administrator role in Entra ID to create an access policy. 

Process

The process for enabling and using multi-admin approval in Microsoft Intune consists of the following steps: 

  • Plan for and create an “Intune Multi-Admin Approval” group in Entra ID that consists of Intune approvers.  
  • Create a Multi-Admin Approval Access Policy for applications and/or scripts.  
  • Create and assign a new application in Microsoft Intune. 
  • Review and approve the pending changes in the approval center. 
  • Once approved, the administrator can complete the application push request. 

Configure a Multi-Admin Approvers Group

To enable multi-admin approval in the tenant settings, follow these steps: 

  • Sign in to the Microsoft Intune admin center. 
    • Select Groups -> All Groups -> New Group, then create a new group that consists of approvers.
    • This group will be assigned to our Multi-Admin Approvals Access Policy. 
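
A readiness check for the approvers group against the prerequisites listed earlier, as an added PowerShell example that is not part of the original post. The function name Test-MaaApproverGroup, the sample accounts and the requester list are assumptions, and the data is constructed so the check runs without a tenant.

```powershell
# Added example: validate a Multi-Admin Approval approvers group.
# In a live tenant, build $approvers with Microsoft Graph PowerShell, e.g.
#   Get-MgGroupMember -GroupId <group id> -All
#   (Get-MgUserLicenseDetail -UserId <user id>).ServicePlans.ServicePlanName
# The accounts below are constructed sample data.

function Test-MaaApproverGroup {
    param(
        [Parameter(Mandatory)] [object[]] $Approvers,   # UserPrincipalName + ServicePlans (names)
        [Parameter(Mandatory)] [string[]] $Requesters   # admins who will submit changes
    )
    $premiumPlans = 'AAD_PREMIUM', 'AAD_PREMIUM_P2'     # Entra ID P1 / P2 service plan names
    $findings = @()

    # Prerequisite: every approver holds an Entra ID P1 or P2 license.
    foreach ($a in $Approvers) {
        $licensed = @($a.ServicePlans | Where-Object { $_ -in $premiumPlans }).Count -gt 0
        if (-not $licensed) { $findings += "No Entra ID P1/P2 plan: $($a.UserPrincipalName)" }
    }

    # Prerequisite: at least two administrator accounts take part.
    $allAdmins = @(@($Approvers.UserPrincipalName) + $Requesters | Sort-Object -Unique)
    if ($allAdmins.Count -lt 2) { $findings += 'Fewer than two administrator accounts' }

    # A request must be approved by another admin, so every requester needs
    # at least one approver in the group who is not the requester.
    foreach ($r in $Requesters) {
        $others = @($Approvers | Where-Object { $_.UserPrincipalName -ne $r })
        if ($others.Count -eq 0) { $findings += "No independent approver for: $r" }
    }
    $findings
}

# Constructed sample: approver2 lacks a P1/P2 plan; approver1 also submits changes.
$approvers = @(
    [pscustomobject]@{ UserPrincipalName = 'approver1@contoso.example'
                       ServicePlans      = @('AAD_PREMIUM_P2', 'INTUNE_A') }
    [pscustomobject]@{ UserPrincipalName = 'approver2@contoso.example'
                       ServicePlans      = @('INTUNE_A') }
)
$requesters = 'approver1@contoso.example', 'admin3@contoso.example'

$result = @(Test-MaaApproverGroup -Approvers $approvers -Requesters $requesters)
if ($result.Count -eq 0) { 'Approvers group meets the prerequisites.' } else { $result }
```

An empty result means the group can be assigned to an access policy without leaving a requester with no one able to approve.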

Configure the Approval Settings

In this example, we will configure approval settings for applications: 

  • Sign in to the Microsoft Intune admin center. 
  • Select Tenant Administration -> Multi Admin Approval -> Access Policies, then create a new policy: 
    • Name: Provide a name for the policy 
    • Profile type: App 
    • Approvers: Assign the “Intune Admin Approvers Group” previously created
    • NOTE: An app policy will limit actions on an application, such as mobile apps or built-in apps. This could include create, edit, assign, and delete. 

Create and Assign a New Application in Microsoft Intune

In this step, we will create a new Windows application (using Enterprise App catalog) to show the request and approval process. NOTE: Enterprise App Management is a licensed add-on (either standalone or via Intune Suite). Additional information can be found here 

  • Sign in to the Microsoft Intune admin center. 
  • Select Apps -> By Platform -> Windows -> + Add: 
    • Select app type: Enterprise App Catalog App 
    • Click on: Search the Enterprise App Catalog 
  • Select app: Add an application. In this case, we will use Microsoft PowerBI Desktop as an example. 
  • Configuration: Highlight Microsoft PowerBI Desktop x64, then click on Select Below.  
  • Configure the rest of the application as you see fit. For example, you can configure “category,” “show the app in the company portal,” and additional “program,” “requirements,” “detection rules,” etc. In this example, we are going to use all the defaults that Microsoft has pre-built.
  • When you get to the “Review and Submit for Approval” section, you will notice the note in the “Summary” section stating, “Before this resource can be created, it must be approved by another admin. Before you can submit this request, you must enter your business justification.”
  • At the bottom of this window, provide a justification and then click on “Submit for approval.”
  • You will see a notification that your change request has been submitted for approval.  

Application Approval Process in Microsoft Intune

Once the application has been submitted for approval, an approver can view the request and approve, cancel, or reject the request.  

  • As an approver, sign in to the Microsoft Intune admin center. 
  • Select Tenant Administration -> Multi-Admin Approval -> All requests
  • Here you can view/manage all multi-admin approval requests. 
  • Click on the application that is pending approval. Here you can view the app changes that have been requested, who is making the request, and the business justification. Enter “Approver Notes,” then (in this case) you can approve the request. 
  • Now, the Intune Administrator can see that their application was approved and complete the request. 
  • Until the Intune Administrator “completes” the request, the application will not show up in the Apps section of Intune. 
  • The request will now show up as completed. Go to Apps -> By Platform -> Windows
  • You will see that your application is now listed, but unassigned. 
  • Edit the application assignments and assign it to the intended group of users. 
  • This change will also have to be approved. Once approved, the application (in this case) will be pushed to the intended users.

Summary

Microsoft Intune Multi-Admin Approvals can help IT Administrators achieve the following benefits: 

  • It can prevent unauthorized or accidental changes to the app configurations and scripts that affect end users and devices. 
  • It can ensure that the app deployments and scripts are compliant with the organizational standards and best practices. 
  • It can improve the collaboration and communication among the Intune Administrators and other stakeholders involved in the app management process. 
  • It can provide an audit trail and accountability for the app approval actions and outcomes. 

We Can Help!

If you have any questions or are looking for assistance in creating a Modern Endpoint Management strategy or deploying Microsoft Intune Multi-Admin Approvals as part of your device management solution, please reach out to info@eGroup-us.com or complete the form below. 
