Getting started with multiple administrative approvals

This week is all about a nice new feature of Microsoft Intune. That new feature is multiple administrative approval (MAA). MAA enables organizations to require a second administrative user to approve a change before the change is actually applied. That limits the chance of accidental mistakes and even helps with the protection against compromised administrative accounts. With MAA, the most breaking and impactful changes can be protected. At this moment that includes specific resources, like apps and scripts. Changes to those resources can protected with MAA. That protection can be created by using Access policies. Access policies can be configured to protect specific resources with MAA. This post will go through the steps to configure those policies, followed with the behavior that those policies introduce. That includes submitting and approving approval requests.

Note: At the moment of writing, MAA only supports the protection of all apps and scripts resource types.

Creating an access policy

When looking at protecting specific resource types with MAA, it all starts with Access policies. Access policies are used to specify the resource types that are protected and the Azure AD security group that contains the administrative users for the additional approval. After configuring such policy, any account that is used to make changes to a protected resource will require an explicit approval from a different administrative account. The following six steps walk through the creation of an Access policy that is used to protect scripts. Similar steps can be used to protect apps.

  1. Open Microsoft Endpoint Manager admin center navigate to Tenant administration Multi Admin Approval
  2. On the Tenant admin | Multi Admin Approval page, select Access policies
  3. On the Access policies tab, click Create
  4. On the Basics page, as shown below in Figure 1, provide the following information and click Create
  • Name: Provide a name for the policy to distinguish it from other similar policies
  • Description: (Optional) Provide a description for the policy to further differentiate policies
  • Profile type: Select Scripts to apply this policy only to scripts
  1. On the Approvers page, as shown below in Figure 2, select the Azure AD security group that contains the administrative accounts of the approvers and click Next
  1. On the Review + create page, review the configuration and click Create

Note: To apply MAA to different object types, at this moment only apps, simply adjust the profile type to Apps.

Submitting a new request

After creating an Access policy for Scripts, every change to a PowerShell script in Microsoft Intune will require the approval of an additional administrator. That includes changes to PowerShell scripts in the Script section and in the Proactive remediations section. Besides that, it includes adding new PowerShell scripts and adjusting existing PowerShell scripts. So, basically every action on scripts and script packages, require MAA. When the Access policy was for Apps, the idea would be similar for all apps. The following five steps walk through adjusting an existing script package and requesting approval.

  1. Open Microsoft Endpoint Manager admin center navigate to Reports > Endpoint analytics > Proactive remediations
  2. On the Endpoint analytics | Proactive remediations page, select an existing script package that needs adjustments
  3. On the Overview page, navigate to Properties > Settings and click on Edit
  4. On the Settings page, as shown below in Figure 3, make the required adjustments and click Next
  1. On the Review + save page, provide the Business justification and click Save

Important: Before the same object can be updated again, the previous change must have been approved.

Note: MAA will be required for every adjustment to the script package (Basics, Settings, Scope tags, and Assignments).

Approving a request

After creating a new approval request, the request must be approved by a different administrative user. The good thing is that the approval request contains all the information about the changes to the adjusted resource. Even with actual script adjustments, an overview about the changes is shown with an actual comparison. The following four simple steps walk through the process of approving a request of an other administrative user.

  1. Open Microsoft Endpoint Manager admin center navigate to Tenant administration Multi Admin Approval
  2. On the Tenant admin | Multi Admin Approval page, select Received requests
  3. On the Received requests tab, select a request that needs approval
  4. On the new blade, as shown below in Figure 4, provide the Approver notes and click Approve request

Note: To reject the request, simply perform the same steps but instead click Reject request.

Managing approval requests

After creating a new approval request, the administrative user that created the request can also manage their own request. No approval of course, but the ability to cancel the approval request. The following four simple steps walk through the process of cancelling an earlier created approval request of the administrative user itself.

  1. Open Microsoft Endpoint Manager admin center navigate to Tenant administration Multi Admin Approval
  2. On the Tenant admin | Multi Admin Approval page, select My requests
  3. On the My requests tab, as shown below in Figure 5, select the just created request
  1. On the new blade, click Cancel request

More information

For more information about multiple administrative approvals, refer to the following docs.

1 thought on “Getting started with multiple administrative approvals”

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.