Secure Your Intune Environment with Multi-Admin Approval: Everything You Need to Know

As businesses increasingly rely on remote work and mobile device management, ensuring the security of IT environments is more critical than ever. Microsoft Intune, a leading endpoint management solution, offers powerful tools to keep devices secure and compliant. Among these tools is Multi-Admin Approval (MAA), a security feature introduced in March 2023 that adds an additional layer of protection to your Intune environment by requiring multiple admin approvals for high-risk actions.

MAA is a valuable addition to Intune’s security capabilities, helping organisations prevent unauthorised changes, safeguard sensitive data, and maintain tighter control over critical administrative tasks. Whether you’re managing a small business or a large enterprise, understanding and implementing Multi-Admin Approval can significantly enhance your security posture. In this blog post, we’ll explore what Multi-Admin Approval is, how it works, its benefits, the required licences, and provide a detailed step-by-step guide to help you set it up.

What is Multi-Admin Approval in Microsoft Intune.

Multi-Admin Approval (MAA) is a security feature in Microsoft Intune designed to add an extra layer of security by requiring multiple admin approvals for specific critical actions. Essentially, MAA ensures that no single administrator can perform high-risk actions—like deploying applications or scripts —without an additional approval step from another admin. This feature significantly reduces the risk of accidental changes or malicious activity within your environment.

What Does Multi-Admin Approval Do?

Multi-Admin Approval works by setting up workflows that mandate a second admin’s approval before executing sensitive tasks. When an admin attempts to perform a restricted action, a request for approval is generated. This request must be reviewed and approved by a second, authorised admin before the action can proceed.

Key actions that typically require MAA include:

• Deploying an application
• Deploying a PowerShell script
• Deploying a remediation script

This approach enforces a checks-and-balances system, promoting accountability and ensuring critical tasks are thoroughly reviewed.

Access Policies and Resource Protection

Multi-Admin Approval protects various types of resources within Intune, such as Apps, and Scripts. The feature enforces access policies, which are designed to secure these resources by defining which actions require additional oversight. This helps organisations control administrative tasks that are deemed high-risk and ensures that sensitive configurations are not altered without proper authorisation.

Approval Process Details

The approval process involves several key steps, including the submission, review, and approval of requests. When an admin initiates a restricted action, they must provide a business justification, which is visible to the reviewing admin. Each request is tracked within the admin centre, where it can be approved, rejected, or left pending. This transparent process ensures that all changes are scrutinised and authorised properly.

Monitoring and Notifications

Monitoring the approval flow is crucial for maintaining control over administrative changes. The Microsoft Endpoint Manager admin centre allows admins to monitor all submitted, approved, and rejected requests. However, it’s important to note that Intune does not automatically send notifications for new or modified approval requests. Organisations should establish communication protocols among admins to manage approvals efficiently and avoid workflow delays.

Required Roles and Approval Flow

Implementing MAA requires configuring specific admin roles to participate in the approval process:

• Requester Role: The role responsible for initiating actions that need approval. Requesters must have the appropriate app or script permissions required to create, update, delete or deploy apps or scripts..
• Approver Role: Approvers are given the ability to approve or reject requests by being a member of an Approvers group for the apps or scripts Access Policy..

These roles can be customised based on your organisation’s structure, and workflows can be set up to define which actions require approval, who can request them, and who is authorised to approve them. Clear delegation of these roles helps maintain accountability and smooth approval flows.

Benefits of Multi-Admin Approval

1. Enhanced Security: By requiring multiple approvals, MAA reduces the likelihood of unauthorised or accidental changes, thus protecting your organisation’s data and devices.
2. Increased Accountability: MAA promotes transparency, as all requests and approvals are logged, creating a clear audit trail of administrative actions.
3. Risk Mitigation: Minimises the potential for insider threats by distributing administrative power and limiting the impact of compromised admin credentials.
4. Compliance Support: Helps organisations meet compliance requirements, such as those set by GDPR or ISO standards, which often mandate multi-factor approval processes for critical tasks.
5. Operational Control: Allows organisations to maintain tighter control over administrative tasks, ensuring only approved changes are implemented.

Required Licences for Multi-Admin Approval

To use Multi-Admin Approval in Microsoft Intune, your organisation must have specific licences:

• Microsoft Intune P1: Multi-Admin Approval is part of Intune Plan 1. See other subscription and licensing options for Intune here: Microsoft Intune Plans and Pricing.
• Entra ID Premium P1 or P2: Required for the identity and access management that integrates with Intune for multi-admin workflows.

Ensure your organisation has the appropriate licences to leverage MAA to its fullest potential.

Step-by-Step Tutorial: Setting Up Multi-Admin Approval in Microsoft Intune

Step 1: Access Microsoft Endpoint Manager Admin Centre

1. Sign in to the Microsoft Endpoint Manager admin centre using your admin credentials.
2. Navigate to Tenant Administration in the left-hand menu.

Step 2: Create Multi Admin Approval access policy

1. Select Multi-Admin Approval under Settings.
2. Click Access Policies & Create

Step 3: Define Access Policy

• Apps – Applies to app deployments, but doesn’t apply to app protection policies.
• Scripts – Applies to deploying scripts to devices that run Windows.

Step 4: Assign Approval Admins

1. Assign at least one EntraID security group that contains a list of administrators that are Approvers for any approval requests. This group must be a member group of at least one Intune Role assignment.

Step 5: Approve Requests

1. To find approval requests, in the Microsoft Intune admin center go to Tenant administration > Multi Admin Administration > Received requests.
2. Select the link in the Name column for a request to open the review page where you can learn more about the request and manage approval or rejection.

Conclusion

Multi-Admin Approval in Microsoft Intune is a powerful tool that adds a critical security layer to your IT management practices. By requiring multiple approvals for high-risk actions, organisations can enhance security, reduce errors, and improve compliance. Ensure your licences are up-to-date, follow our setup guide, and you’ll be well on your way to implementing this essential feature in your IT environment.

The Future of Multi-Admin Approval (MAA)

Multi-Admin Approval (MAA) in Microsoft Intune is continuously evolving, with recent updates expanding its reach. As of August 2024, MAA now supports the ability to create a separate access policy for Windows apps or create a separate access policy for non-Windows platform apps. This is helpful for organizations that have a “desktop” administrative group that approves changes separate from a “mobile” administrators group. This enhancement provides administrators with the ability to enforce application access policies across a wider range of platforms, enhancing security by requiring additional admin approvals for any significant changes. Additionally, Multi-Admin Approval access policy changes require a second administrator to approve changes.

While specific details on the future roadmap of MAA have not been disclosed, Microsoft regularly refines and expands Intune’s features. To stay updated on the latest changes and upcoming enhancements for MAA, you can check the Microsoft 365 roadmap for more information on recent and upcoming updates.