In this article, let’s look at how to enable Multi Admin Approval (MAA) for creating or modifying Intune roles. Microsoft Intune now supports Multi-Admin Approval for critical role-based access control (RBAC) changes, enhancing security and governance. This new feature ensures that sensitive actions, such as assigning powerful roles like Intune Administrator or modifying scope groups, require approval from a second Intune administrator before being applied.
Multi-admin approval helps organizations reduce the risk of accidental or malicious privilege escalation by enforcing a dual-control model for high-impact changes. To configure Multi-Admin Approval, start by enabling the feature from the Microsoft Intune Admin Center. Define which role assignments require approval and specify an approver group consisting of trusted Intune administrators.
When a role assignment request is created, it enters a pending state and notifies the designated approvers. Only after an approver reviews and approves the change will the role assignment take effect. This adds a robust workflow to protect sensitive administrative tasks. This update is especially beneficial in enterprise environments where strict role delegation and auditing are critical.
Each approval request and decision is logged, offering better traceability and compliance tracking. Organizations can now strengthen their Zero Trust posture by ensuring no single administrator has unchecked control over critical configurations in Intune. With Multi-Admin Approval, Microsoft Intune takes a significant step forward in securing device management operations.

Multi Admin Approval Role Types Available in Intune
Here is a table listing the Multi-Admin Approval (MAA) types available in Intune, based on the latest updates. These approval types help prevent unauthorized or accidental changes to sensitive access configurations in Intune. Admins can customize which types of actions require approval in the Multi-Admin Approval settings within the Intune Admin Center.
Approval Type | Description |
---|---|
Role Assignment Approval | Requires approval before a user is assigned to a privileged Intune role. |
Scope Tag Assignment Approval | Ensures approval when scope tags are assigned or modified for Intune resources. |
Scope Group Assignment Approval | Requires approval when adding or changing scope groups in role assignments. |
Privileged Role Modifications | Approval is needed when modifying roles like Intune Admin, Policy Admin, etc. |
Create an Access Policy for Multi Admin Approval for Intune Roles
To configure multi-admin approval for Intune roles, sign in to the Microsoft Intune Admin Center using your administrator credentials.
- Navigate to Tenant administration > Multi Admin Approval > Access policies
- Click on +Create

In the Basics details pane, name the access policy “Multi Admin Approval – Intune Roles”. It is also helpful to provide a brief description of the policy’s purpose. Select the options below and click Next.
- Description – NA
- Policy type – Choose Role from the drop-down
- Platforms – Windows & Non-Windows only

To set up a user group for approvers, first create the group and then add the approvers as members. Click on +Add groups and select the Multi Admin – Approver Group. Members of this group will have the authority to approve requests that require more than one admin’s approval.

In the Review + Submit for approval pane, carefully review all settings for the Multi Admin Approval – Intune Roles policy. Be sure to include a valid business justification; I am entering “Multi Admin Approval – Intune Roles Policy” here. Once you have confirmed everything, select Submit for approval.
Note! Before this resource can be created, it must be approved by another admin. Before you can submit this request, you must enter your business justification.

Review the Submitted Approval
The other admin can now review and approve your submitted request. Please log in using the account of the other admin who is a member of our Multi Admin – Approver Group. Navigate to Tenant administration > Multi Admin Approval > All Requests to find the request.

Click on the “Multi Admin Approval – Intune Roles – Create” hyperlink. This takes you to a section where you can review the changes and take the appropriate action. In the Approval notes section, add a note (I have entered “Approved”), and then click on the Approve request button.

After the other Admin approves your request, you can complete it by navigating to Tenant administration > Multi Admin Approval > My requests, then clicking on Multi Admin Approval – Intune Roles – Create.

Once you complete the request, the status will show as Completed in My requests, and the Access Policy will be created successfully.
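
A scripted review of the request log described above, as an added example that is not part of the original article: it flags requests that are stuck pending, approved but never completed by the requester, or missing a justification. Property names follow the Microsoft Graph beta operationApprovalRequest resource (an assumption, since beta schemas can change); the sample records and the three-day threshold are constructed.

```powershell
# Added example. To audit live data instead of the constructed sample, load the
# records from Graph (assumption: Microsoft.Graph.Authentication module, read scope):
#   Invoke-MgGraphRequest -Method GET -OutputType PSObject -Uri <beta URI below>
#   https://graph.microsoft.com/beta/deviceManagement/operationApprovalRequests
function Get-MaaRequestFinding {
    param(
        [Parameter(Mandatory)] [object[]] $Request,
        [datetime] $Now = [datetime]::UtcNow,
        [int] $StaleAfterDays = 3    # hypothetical threshold; tune to your process
    )
    foreach ($r in $Request) {
        # Days since the request last changed state
        $idle = ($Now - ([datetimeoffset]$r.lastModifiedDateTime).UtcDateTime).TotalDays
        $issues = @()
        if ($r.status -eq 'needsApproval' -and $idle -gt $StaleAfterDays) {
            $issues += 'pending: no approver has acted'
        }
        if ($r.status -eq 'approved' -and $idle -gt $StaleAfterDays) {
            $issues += 'approved, but the requester never completed it'
        }
        if ([string]::IsNullOrWhiteSpace($r.requestJustification)) {
            $issues += 'no business justification recorded'
        }
        if ($r.approver.user.id -and $r.approver.user.id -eq $r.requestor.user.id) {
            $issues += 'requester and approver are the same account'
        }
        foreach ($issue in $issues) {
            [pscustomobject]@{
                RequestId = $r.id; Status = $r.status
                IdleDays = [math]::Round($idle, 1); Issue = $issue
            }
        }
    }
}

# Constructed sample records (not real tenant data)
$sample = @(
    [pscustomobject]@{ id = 'req-001'; status = 'needsApproval'
        lastModifiedDateTime = '2025-06-01T09:00:00Z'; requestJustification = 'New role'
        requestor = @{ user = @{ id = 'admin-a' } }; approver = $null }
    [pscustomobject]@{ id = 'req-002'; status = 'approved'
        lastModifiedDateTime = '2025-06-02T10:30:00Z'; requestJustification = 'Edit role'
        requestor = @{ user = @{ id = 'admin-a' } }; approver = @{ user = @{ id = 'admin-b' } } }
    [pscustomobject]@{ id = 'req-003'; status = 'completed'
        lastModifiedDateTime = '2025-06-09T08:00:00Z'; requestJustification = 'Scope change'
        requestor = @{ user = @{ id = 'admin-b' } }; approver = @{ user = @{ id = 'admin-a' } } }
)
$now = [datetime]::new(2025, 6, 10, 0, 0, 0, [DateTimeKind]::Utc)
Get-MaaRequestFinding -Request $sample -Now $now | Format-Table -AutoSize
```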

Intune Admin Experience
Moving forward, whenever you create or modify any Intune roles, you will be prompted to submit a Multi Admin approval. Here, I am attempting to create a custom RBAC role for Remote Help Support. In the final step, we see that it is not directly created but is pending submission for approval. Therefore, we can conclude that our access policy is functioning as expected!

Author
Vaishnav K has over 11 years of experience in SCCM, Device Management, and Automation Solutions. Writes and imparts knowledge about Microsoft Intune, Azure, PowerShell scripting, and automation. Check out my profile on LinkedIn.