Let’s learn how to configure Multiple Admin Approval (MAA) in Intune for Apps and Scripts. The multiple administrative approval capability lets you use Intune access policies to require that a second admin account approve a change before the change is applied.
The Intune Multi Admin Approval process is a more secure way to deploy applications and policies, and it helps to avoid accidental deployments: no change is applied until a member of the approvers group reviews the suggested change and approves it.
Starting with Intune Service Release 2211, Multiple Administrative Approval was released in public preview, and it became generally available in August 2023. You can use Intune access policies to require that a second administrator account be used to approve a change before the change is applied. This capability is known as Multiple Administrative Approval (MAA).
You create an access policy to protect a type of resource, like App deployments. Each access policy also includes a group of users who are approvers of the changes protected by the policy.
Approvers can also reject requests, and both the individual requesting a change and the approver can provide notes about the change, or why it was approved or rejected.
Prerequisites for Access Policies and Approvers
To create an access policy, your account must be assigned the Intune Service Administrator or Azure Global Administrator role. An account must be in the group assigned to the access policy for a specific resource type to be an approver.
Create Access Policy for Multi Admin Approval
Access policies allow you to control which tasks and actions need approval, along with the specific approval groups.
To create an access policy, in the Microsoft Intune admin center, go to Tenant administration > Multi Admin Administration > Access policies and select Create.
On the Basics page, provide a Name and Description for the policy, and for Profile type select either Apps or Scripts. Each policy supports a single profile type. Click Next.
Access policies are supported for the following resources:
- Apps – Applies to app deployments, but doesn’t apply to app protection policies.
- Scripts – Applies to deploying scripts to devices that run macOS or Windows.
On the Approvers page, select Add groups and then select a group as the group of approvers for this policy. More complex configurations that exclude groups aren’t supported. Click on Next.
On the Review + Create page, review, and then save your changes. After Intune applies this policy, configurations for the protected profile type will require multiple admin approvals.
A notification will appear showing Multi Admin Approvals successfully created. You can also click on the Notifications icon to get the status.
To submit a request when Multi Admin Approval (MAA) is enabled, use your normal process to create or edit a resource.
Important – When there’s a request for the same object already pending approval, you won’t be able to submit your request. Intune displays a message to alert you to this situation.
For example, I am modifying an existing Win32 app. In the Intune admin portal, select Apps > Windows. Select the existing Win32 application from the list. In the Requirements section, click Edit to choose app requirements.
On the final page, before you can save your changes, add details to the Business justification field and submit the request. Consider reaching out to a known list of approvers for urgent requests to ensure your request is seen promptly.
The requester will see the following message: “Before this resource can be updated, it must be approved by another admin. Before you can submit this request, you must enter your business justification.”
A notification will appear showing the Change request submitted. That indicates your change request to edit the app has been successfully submitted for approval. You can also click on the Notifications icon to get the status.
To find your requests, in the Microsoft Intune admin center, navigate to Tenant administration > Multi Admin Administration > My requests.
Note – If required, you can cancel a request before it’s approved by selecting it from the My requests page, and then selecting Cancel request.
To find approval requests, in the Microsoft Intune admin center go to Tenant administration > Multi Admin Administration > Received requests.
Select the Business justification link for a request to open the review page where you can learn more about the request, and manage approval or rejection.
After reviewing the details, enter relevant details in the Approver notes field, and then select Approve request or Reject request.
After you approve a request, a notification will appear showing Approval request successfully approved. That indicates the change request has been approved.
Intune processes the change and updates the status to completed after it’s successfully applied. The request status might change to Approved for a limited time if the update to the resource takes time to process.
The following status conditions are available for a request:
- Needs approval – This request is pending action by an approver.
- Approved – This request is being processed by Intune.
- Completed – This request has been successfully applied.
- Rejected – This request was rejected by an approver.
- Canceled – This request was canceled by the admin who submitted it.
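The request lifecycle described above can be written down as a small state model. This is an added example, not Intune's or Microsoft Graph's code: the class and method names are hypothetical, and the rules it enforces are only the ones this page states (business justification required, one pending request per object, approval by a second admin from the approver group, cancel only by the requester while pending).

```python
# Added illustration: hypothetical names, not Intune or Graph API objects.
from dataclasses import dataclass, field

NEEDS_APPROVAL, APPROVED, COMPLETED = "Needs approval", "Approved", "Completed"
REJECTED, CANCELED = "Rejected", "Canceled"

@dataclass
class Request:
    obj: str                # resource being changed, e.g. an app name
    requester: str
    justification: str
    status: str = NEEDS_APPROVAL
    approver_notes: str = ""

@dataclass
class MaaPolicy:
    approvers: set          # members of the policy's approver group
    requests: list = field(default_factory=list)

    def submit(self, obj, requester, justification):
        if not justification.strip():
            raise ValueError("business justification is required")
        # A second request for an object that is still pending is refused.
        if any(r.obj == obj and r.status == NEEDS_APPROVAL for r in self.requests):
            raise ValueError("a request for this object is already pending")
        req = Request(obj, requester, justification)
        self.requests.append(req)
        return req

    def decide(self, req, approver, approve, notes=""):
        if req.status != NEEDS_APPROVAL:
            raise ValueError(f"request is {req.status}, not pending")
        if approver not in self.approvers:
            raise PermissionError("approver is not in the approver group")
        if approver == req.requester:
            raise PermissionError("a second admin account must approve")
        req.approver_notes = notes
        req.status = APPROVED if approve else REJECTED
        return req.status

    def cancel(self, req, who):
        if who != req.requester or req.status != NEEDS_APPROVAL:
            raise ValueError("only the requester can cancel a pending request")
        req.status = CANCELED

    def apply(self, req):
        # The change is applied only after approval, then marked completed.
        if req.status != APPROVED:
            raise ValueError("only approved requests are applied")
        req.status = COMPLETED
```
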
Once the admin approves the change, the requester sees the result: a notification appears automatically in the top right-hand corner with a message. Here you can see: Application “7-Zip 22.01” saved successfully.
About Author – Jitesh, Microsoft MVP, has over five years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.