In the previous blog post, I talked about how you can use the Access Package feature of Azure Active Directory (Azure AD) entitlement management along with the Feature Update deployment policy from Intune to let end-users opt-in for Windows 11.
But that was without any approval flows. So in this post, we will see how we can add some approval flows into the process to control who gets to run the latest OS.
So let’s get started.
Pre-Requisite
- Azure AD Premium P2 license (required for entitlement management), as mentioned in the previous post.
- A blank Azure AD security group with the Assigned membership type (not dynamic) that will be used to target the deployment. Entitlement management adds and removes members of this group directly, so keep the group dedicated to this purpose.
Create Access Package in Azure AD to let end-users opt in for Windows 11
- Log in to the Azure AD portal and navigate to Azure Active Directory > Identity Governance > Access packages
- Click New access package
- On the Basics page, provide the information required to create the Access Package.
- On the Resource roles page, click Groups and Teams to add the Azure AD security group and set the Role to Member. This will make sure that the user opting-in for Windows 11 will be added as a member to the group.
- On the Requests page, choose the options that best suit the requirement. The configuration shown in the screenshot lets all users in the directory (excluding guests) opt in for Windows 11. This is also where the approval flow is added.
There are a lot of options to curate the approval process and you can read this Microsoft document to know about the settings.
- The Requestor information page is optional and can be used to collect information and attributes from the requestors, i.e. the users requesting the access package to opt in for Windows 11. If you do not wish to collect any information from users, simply click Next.
- On the Lifecycle page, you can choose the expiration for the assignments created through this access package and decide whether to add access reviews that will be scheduled automatically. Again for simplicity, I will keep Access package assignments expire set to Never and Require access reviews set to No. Note that with these settings a user's assignment, and therefore their membership in the security group, persists until an administrator removes it.
- The Rules (preview) page is also optional; I will not change anything here and will proceed to create the Access package.
- The final step, click on Create to create the Access package that will enable users to opt-in to get Windows 11.
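The portal steps above produce an assignment policy on the access package. The following is an added example, not code from the original post, that builds the same policy as a Microsoft Graph v1.0 `assignmentPolicies` payload (field names follow the Graph reference as I understand it; verify them against the current documentation before use) and lints it for the settings that weaken the approval gate. The access package ID, approver user ID and display name are placeholders you supply.

```python
"""Build and lint an entitlement management assignment policy.

Added example, not from the original post. The JSON shape is assumed to
match the Graph v1.0 accessPackageAssignmentPolicy resource; verify before
use. Posting requires the EntitlementManagement.ReadWrite.All permission.
"""
import json
import urllib.request

GRAPH_POLICY_URL = ("https://graph.microsoft.com/v1.0/identityGovernance/"
                    "entitlementManagement/assignmentPolicies")


def build_policy(access_package_id: str, approver_user_id: str,
                 display_name: str = "Windows 11 opt-in (approval)") -> dict:
    """Policy as configured in the post: all member users (guests excluded)
    may self-request, one approver must approve, no expiry, no reviews."""
    return {
        "displayName": display_name,
        "description": "Adds the requestor to the Windows 11 targeting group",
        "allowedTargetScope": "allMemberUsers",  # directory members, not guests
        "specificAllowedTargets": [],
        "expiration": {"type": "noExpiration"},
        "requestorSettings": {
            "enableTargetsToSelfAddAccess": True,
            "enableTargetsToSelfUpdateAccess": False,
            "enableTargetsToSelfRemoveAccess": True,
            "allowCustomAssignmentSchedule": True,  # user may pick a period
        },
        "requestApprovalSettings": {
            "isApprovalRequiredForAdd": True,
            "isApprovalRequiredForUpdate": False,
            "stages": [{
                "durationBeforeAutomaticDenial": "P14D",
                "isApproverJustificationRequired": False,
                "isEscalationEnabled": False,
                "primaryApprovers": [{
                    "@odata.type": "#microsoft.graph.singleUser",
                    "userId": approver_user_id,
                }],
            }],
        },
        "reviewSettings": {"isEnabled": False},
        "accessPackage": {"id": access_package_id},
    }


def lint_policy(policy: dict) -> list[str]:
    """Return findings for settings that let users into the group
    without the intended approval, or keep them there indefinitely."""
    findings = []
    approval = policy.get("requestApprovalSettings", {})
    required = bool(approval.get("isApprovalRequiredForAdd"))
    if not required:
        findings.append("approval not required: any eligible user self-adds to the group")
    stages = approval.get("stages", [])
    if required and not any(s.get("primaryApprovers") for s in stages):
        findings.append("approval required but no primary approvers configured")
    if policy.get("allowedTargetScope") in ("allDirectoryUsers", "allExternalUsers",
                                            "allConfiguredConnectedOrganizationUsers"):
        findings.append("scope includes guests/external users")
    no_expiry = policy.get("expiration", {}).get("type") == "noExpiration"
    if no_expiry and not policy.get("reviewSettings", {}).get("isEnabled"):
        findings.append("no expiry and no access review: membership persists until removed manually")
    return findings


def post_policy(policy: dict, access_token: str) -> dict:
    """Create the policy in the tenant (not called here; needs a real token)."""
    req = urllib.request.Request(
        GRAPH_POLICY_URL, data=json.dumps(policy).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    policy = build_policy("<access-package-id>", "<approver-user-id>")
    print(json.dumps(policy, indent=2))
    for finding in lint_policy(policy):
        print("finding:", finding)
```

With the settings from this post the only finding is the no-expiry/no-review one, which is the trade-off accepted above for simplicity; flipping `isApprovalRequiredForAdd` to false or widening the scope to `allDirectoryUsers` produces the findings you would want to catch before the policy goes live.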
With the Access Package created, let’s move on to the next configuration item.
Create a Feature Update policy deployment to let end-users opt-in for Windows 11
- In the MEM portal, navigate to Devices > Windows > Feature updates for Windows 10 and later
- Click on Create profile
- Give a Name for the Feature Update deployment policy, choose Windows 11 from the Feature update to deploy drop-down list and finally, in the Rollout options, select Make update available as soon as possible.
Note the other Rollout options now available, which give IT greater control over the rollout. The team behind this feature has done a wonderful job and surely deserves a mention here.
- In the Assignments page, select the security group that was used previously for the Access Package.
- Finally click on Create.
With the Access Package and the Windows 11 Feature Update deployment policy in place, let’s move on to see the end-user experience.
Opt-in for Windows 11 with Intune and Azure AD [With Approval Flows] – End-user Experience
End-users need to visit the My Access portal, which is available as part of Azure AD entitlement management, to see the Access Packages that IT has made available.
The Access Package created for this post is listed there; I need to click Request.
Clicking Request opens a flyout pane where I need to fill in the Business justification. The end-user can also request access for a specific period, but that is not needed for our purpose. Once done, all the user needs to do is click the Submit button.
As soon as the user clicks on submit, the approval flow gets triggered to add the user to the required group.
The user can view the Access request status from the Request history section. Currently as can be seen from the snap, the access request is in the Pending approval state. Note the user also has the option to Cancel request.
The Approver (as configured) receives the access request, as shown below, and can choose to Approve or Deny it.
Once the request is approved by the Approver, the end-user gets notified, or they can check the status from the My Access portal as usual.
Here the state Delivered means the user was added to the group as a member. The same can be reviewed from the Audit logs.
As soon as the user is added to the group, it is over to Intune, which will then make the Windows 11 update available to the user's eligible Windows 10 device. You can then monitor the feature update deployment, as usual, using the Feature Update report in the MEM portal.
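The approval flow only governs the access package; anyone who can edit the group directly can still add a device owner to it, and Intune will target that device just the same. The following is an added example, not from the original post, that reconciles the access package's assignment requests against the group's actual members so that such out-of-band additions (and users whose delivered assignment is no longer reflected in the group) stand out. The sample request and member lists are constructed to mirror what Graph v1.0 `entitlementManagement/assignmentRequests?$expand=requestor` and `groups/{id}/members` return; the field names are assumed from the Graph reference and should be verified before wiring this to real responses.

```python
"""Reconcile Windows 11 opt-in requests against the targeting group.

Added example, not from the original post. Sample data below is constructed;
field names assume the Graph v1.0 assignmentRequests and group members
responses and should be verified against the reference.
"""

# Constructed sample: assignment requests for the Windows 11 access package,
# in submission order (Graph $orderby=createdDateTime).
SAMPLE_REQUESTS = [
    {"id": "r1", "requestType": "userAdd", "state": "pendingApproval",
     "requestor": {"objectId": "u-alice", "displayName": "Alice"}},
    {"id": "r2", "requestType": "userAdd", "state": "delivered",
     "requestor": {"objectId": "u-bob", "displayName": "Bob"}},
    {"id": "r3", "requestType": "userAdd", "state": "denied",
     "requestor": {"objectId": "u-carol", "displayName": "Carol"}},
    {"id": "r4", "requestType": "userAdd", "state": "delivered",
     "requestor": {"objectId": "u-dave", "displayName": "Dave"}},
    {"id": "r5", "requestType": "userAdd", "state": "delivered",
     "requestor": {"objectId": "u-frank", "displayName": "Frank"}},
    {"id": "r6", "requestType": "userRemove", "state": "delivered",
     "requestor": {"objectId": "u-frank", "displayName": "Frank"}},
]

# Constructed sample: current members of the targeting security group.
SAMPLE_MEMBERS = [
    {"id": "u-bob", "displayName": "Bob"},
    {"id": "u-eve", "displayName": "Eve"},   # never requested: added directly
]

DELIVERED_STATES = {"delivered", "partiallyDelivered"}
PENDING_STATES = {"submitted", "pendingApproval", "delivering", "scheduled"}


def latest_request_per_user(requests):
    """Keep only the most recent request for each requestor, so a delivered
    userRemove supersedes an earlier delivered userAdd."""
    latest = {}
    for r in requests:
        latest[r["requestor"]["objectId"]] = (r["requestType"], r["state"])
    return latest


def reconcile(requests, members):
    """Compare access package state with group membership.

    bypassed_approval: in the group with no delivered add request, i.e. the
                       approval flow was not what put them there.
    delivery_drift:    delivered add request but not (or no longer) a member.
    """
    latest = latest_request_per_user(requests)
    member_ids = {m["id"] for m in members}
    approved = {u for u, (rtype, state) in latest.items()
                if rtype.endswith("Add") and state in DELIVERED_STATES}
    pending = {u for u, (rtype, state) in latest.items()
               if rtype.endswith("Add") and state in PENDING_STATES}
    return {
        "pending": sorted(pending),
        "delivered": sorted(approved),
        "bypassed_approval": sorted(member_ids - approved),
        "delivery_drift": sorted(approved - member_ids),
    }


if __name__ == "__main__":
    for key, users in reconcile(SAMPLE_REQUESTS, SAMPLE_MEMBERS).items():
        print(f"{key}: {', '.join(users) or '-'}")
```

On the constructed data Eve shows up under `bypassed_approval` (a member with no delivered request, which is exactly the case to chase in the Audit logs), Dave under `delivery_drift` (approved but removed from the group outside the flow), and Frank in neither list because his delivered removal supersedes his earlier add. Running this periodically against the live Graph responses turns "Delivered means the user was added to the group" from something you trust into something you check.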
Ending
That was all for today. Hope you will find this informative.