Cloud services like Microsoft Intune are built on the very principle of flexibility and agility in responding to customer needs, and as such, we see iterative improvements being made to the service with every service release, month-on-month, week after week.
As an Intune IT pro, I may not be wrong in saying that with all the exciting developments and improvements that we get to see, sometimes it can become too overwhelming to keep a tab of all the new features, improvements, and changes that get introduced.
Hey, am ain’t complaining. Keep them coming Microsoft!
The week of November 28, 2022 saw the rollout of two new features for Intune.
- The new Microsoft Store app type was implemented using the Windows Package Manager (Winget).
- Access policies for multiple Administrator Approval (public preview).
Now due to the rollout cadence that Microsoft follows in updating the tenants globally, it’s usual that some get to see the new features popping up on their tenants faster than the rest.
The new features, as above, popped up in my test tenant last week only. And as I have had nothing to do over this weekend, for me, there was no better way in spending the time than to utilize it to check them out.
So here I’m today with this blog post to share with you my thoughts on the Multi Admin Approval (MAA) feature in Intune.
Table of Contents
What is Multi Admin Approval in Intune?
As the name suggests, Multi Admin Approval is a change management approval workflow that introduces approval from a second Administrator account for executing a particular task in Intune.
The feature is currently in public preview, and in its current iteration, only supports protecting the following resources
- Apps – This applies to app deployments [Not app protection policies!]
- Scripts – This applies to deploying scripts to devices that run macOS or Windows.
Multiple Admin Approval (MAA) allows you to configure access policies in Intune to help protect the above-mentioned resource types in the environment from any changes being made, by requiring approval from a different account (specified in the access policy) than the initiator account, thus helping to prevent against accidental or changes being made with malicious intent.
For example, let's consider that I have set up a Multiple Admin Approval access policy in Intune to protect the resource type Scripts in my environment allowing only members of a particular group to act as the approvers' group for the access policy. I also have RBAC roles set up for task delegation, and in that way, I have an RBAC role assigned to an account that allows the account to perform tasks with the Scripts resource type, and the account gets compromised. Now say the account wants to create a new Script in Intune and deploy it to a group of devices, or, make changes to any existing script deployment, or, maybe delete an existing script deployment for its own benefit. Without multiple Admin approval, the RBAC role assigned to the initiator account is enough for Intune to allow the action to get completed. But with MAA workflow, the action as initiated by the account will not be allowed to complete even if the initiator account has been assigned with the necessary RBAC permissions. Instead, the action will be subjected to an approval workflow and any member of the approvers' group as specified in the access policy will need to explicitly approve the action in order for the action to get completed. This helps to avoid any accidental/intentional changes being made to new or existing deployments.
Creating a Multi Admin Approval Access Policy in Intune
To create an access policy in Intune, you will need an account that has either the Intune Service Administrator role or the Global Administrator role assigned to it.
For the approver, the account just needs to be a member of the approvers’ group as specified in the access policy.
In the Microsoft Endpoint Manager admin center, navigate to Tenant administration > Multi Admin Approval and go to the Access policies tab from where you get the option to Create a Multi Admin Approval access policy.
You need to provide a Name and Description (optional) for the access policy you are creating and select the resource type, Apps or Scripts, that this access policy is intended to protect.
Next, you will need to specify a group, all members of which will get the approver status and thus will be able to either approve or reject approval requests that get generated because of this access policy.
At the end, all you need to do is hit the Create button to create the access policy in the environment.
As usual, the policy that you just created will get listed in the portal UI.
Experience with multiple Admin Approval workflow
To test multiple Admin Approval, I signed in to my Intune test tenant with an account that has the Intune RBAC role Application Manager assigned to it and tried making a change in the deployment of an existing Windows app.
As you can see, the multiple Admin Approval workflow kicked in when I tried to save the changes made to the app assignment.
So once I provide the business justification and click on Save, Intune service will not commit the actual assignment change yet. Instead, an approval request gets submitted for the action.
At the time of writing this, multi Admin Approval is a feature in public preview and at this stage, Intune doesn’t send notifications to the approvers when new requests are created, or to the requestor when the status of an existing request changes.
Still signed in with the account that initiated the action resulting in the approval submission, I can navigate to Tenant administration > Multi Admin Approval and then go to the My requests tab to see all the approval requests generated for/by that account.
And obviously, the initiator/requestor does have the option to self-cancel the submitted approval request before it has been actioned upon by any approver.
This is particularly helpful if the initiator/requestor knows the action got performed due to a mistake.
For the approver, all they would need to do is visit the Tenant administration > Multi Admin Approval and then go to the Received requests tab where all the received approval requests will be listed.
The column Status shows the state of a request:
- Needs approval – This request is pending action by an approver.
- Approved – This request is being processed by Intune.
- Completed – This request has been successfully applied.
- Rejected – This request was rejected by an approver.
- Canceled – This request was canceled by the admin who submitted it.
For a request that is in the Needs approval state, the approver can open the request and review it, post which, can either decide to approve or reject the request. The approver is required to provide approver notes.
If approved, the status of the requested item will change to Completed. If rejected, the status will show as Rejected.
For a Reject, the initiator/requestor can open the requested item from Tenant administration > Multi Admin Approval and then go to the My requests tab, open the request with the Reject status to see the Approver notes to see the reject reason.
Things to keep in mind about Multi Admin Approval in Intune
- You cannot create a new approval request for an object when it already has another approval request in the pending approval state.
- If the account initiating the approval request is also a member of the approver group as specified in the access policy, then that same account cannot be used for approving the request.
- The approval workflow presents the approver with a JSON view of the change request being made and it may be hard for some to interpret. A more simple presentation of the change would have been nice.
- As an initiator, though you can choose to cancel a submitted request, you cannot remove/delete the request from the list under the My requests tab. Also, the request made will be visible to the approvers, though no action is required from them.
- Actions for requests and the approval process are logged in the Intune audit logs.
- If a request is not processed within 30 days, the status changes to Expired and requires a new request to be submitted.
While testing, I actually got to see the behavior that approval requests submitted but not actioned within 30 mins are getting Expired. As such have asked the Intune Support Team over Twitter for clarification. Will update here as I get to hear back more from them.
The End
For now, though it is limited to protecting only resource type Apps and Scripts, in the future when other resource types also get added under the purview of Multi Admin Approval, it can be a really great tool to help prevent accidental/intentional malicious changes being made in the environment.