As businesses increasingly rely on remote work and mobile device management, ensuring the security of IT environments is more critical than ever. Microsoft Intune, a leading endpoint management solution, offers powerful tools to keep devices secure and compliant. Among these tools is Multi-Admin Approval (MAA), a security feature introduced in March 2023 that adds an additional layer of protection to your Intune environment by requiring multiple admin approvals for high-risk actions.
Despite its recent release, MAA is a valuable addition to Intune’s security capabilities, helping organisations prevent unauthorised changes, safeguard sensitive data, and maintain tighter control over critical administrative tasks. Whether you’re managing a small business or a large enterprise, understanding and implementing Multi-Admin Approval can significantly enhance your security posture. In this blog post, we’ll explore what Multi-Admin Approval is, how it works, its benefits, the required licences, and provide a detailed step-by-step guide to help you set it up.
What is Multi-Admin Approval in Microsoft Intune.
Multi-Admin Approval (MAA) is a security feature in Microsoft Intune designed to add an extra layer of security by requiring multiple admin approvals for specific critical actions. Essentially, MAA ensures that no single administrator can perform high-risk actions—like deleting sensitive policies or removing devices—without an additional approval step from another admin. This feature significantly reduces the risk of accidental changes or malicious activity within your environment.
What Does Multi-Admin Approval Do?
Multi-Admin Approval works by setting up workflows that mandate a second admin’s approval before executing sensitive tasks. When an admin attempts to perform a restricted action, a request for approval is generated. This request must be reviewed and approved by a second, authorised admin before the action can proceed.
Key actions that typically require MAA include:
- Deleting configuration profiles
- Removing compliance policies
- Modifying or deleting applications
- Enrolling or unenrolling devices from management
This approach enforces a checks-and-balances system, promoting accountability and ensuring critical tasks are thoroughly reviewed.
Access Policies and Resource Protection
Multi-Admin Approval protects various types of resources within Intune, such as Apps, Scripts, and Policies. The feature enforces access policies, which are designed to secure these resources by defining which actions require additional oversight. This helps organisations control administrative tasks that are deemed high-risk and ensures that sensitive configurations are not altered without proper authorisation.
Approval Process Details
The approval process involves several key steps, including the submission, review, and approval of requests. When an admin initiates a restricted action, they must provide a business justification, which is visible to the reviewing admin. Each request is tracked within the admin centre, where it can be approved, rejected, or left pending. This transparent process ensures that all changes are scrutinised and authorised properly.
Monitoring and Notifications
Monitoring the approval flow is crucial for maintaining control over administrative changes. The Microsoft Endpoint Manager admin centre allows admins to monitor all submitted, approved, and rejected requests. However, it’s important to note that Intune does not automatically send notifications for new or modified approval requests. Organisations should establish communication protocols among admins to manage approvals efficiently and avoid workflow delays.
Required Roles and Approval Flow
Implementing MAA requires configuring specific admin roles to participate in the approval process:
- Requester Role: The role responsible for initiating actions that need approval.
- Approver Role: The role assigned to review and approve or reject requests.
These roles can be customised based on your organisation’s structure, and workflows can be set up to define which actions require approval, who can request them, and who is authorised to approve them. Clear delegation of these roles helps maintain accountability and smooth approval flows.
Benefits of Multi-Admin Approval
- Enhanced Security: By requiring multiple approvals, MAA reduces the likelihood of unauthorised or accidental changes, thus protecting your organisation’s data and devices.
- Increased Accountability: MAA promotes transparency, as all requests and approvals are logged, creating a clear audit trail of administrative actions.
- Risk Mitigation: Minimises the potential for insider threats by distributing administrative power and limiting the impact of compromised admin credentials.
- Compliance Support: Helps organisations meet compliance requirements, such as those set by GDPR or ISO standards, which often mandate multi-factor approval processes for critical tasks.
- Operational Control: Allows organisations to maintain tighter control over administrative tasks, ensuring only approved changes are implemented.
Required Licences for Multi-Admin Approval
To use Multi-Admin Approval in Microsoft Intune, your organisation must have specific licences:
- Microsoft Intune Suite: Available as part of the Microsoft 365 E5 or as an add-on to Microsoft 365 E3. This suite includes advanced features such as MAA.
- Azure Active Directory Premium P1 or P2: Required for the identity and access management that integrates with Intune for multi-admin workflows.
Ensure your organisation has the appropriate licences to leverage MAA to its fullest potential.
Step-by-Step Tutorial: Setting Up Multi-Admin Approval in Microsoft Intune
Step 1: Access Microsoft Endpoint Manager Admin Centre
- Sign in to the Microsoft Endpoint Manager admin centre using your admin credentials.
- Navigate to Tenant Administration in the left-hand menu.
Step 2: Create Multi Admin Approval access policy
- Select Multi-Admin Approval under Settings.
- Click Access Policies & Create
Step 3: Define Access Policy
- Apps – Applies to app deployments, but doesn’t apply to app protection policies.
- Scripts – Applies to deploying scripts to devices that run macOS or Windows.
Step 4: Assign Approval Admins
- Assign at least one additional admin role that will be responsible for approving requests. This can be an existing Intune role such as Helpdesk Operator or a custom role.
- Ensure the assigned admins have appropriate permissions to approve the required actions.
Step 5: Approve Requests
- To find approval requests, in the Microsoft Intune admin center go to Tenant administration > Multi Admin Administration > Received requests.
- Select the Business justification link for a request to open the review page where you can learn more about the request, and manage approval or rejection.
Conclusion
Multi-Admin Approval in Microsoft Intune is a powerful tool that adds a critical security layer to your IT management practices. By requiring multiple approvals for high-risk actions, organisations can enhance security, reduce errors, and improve compliance. Ensure your licences are up-to-date, follow our setup guide, and you’ll be well on your way to implementing this essential feature in your IT environment.
The Future of Multi-Admin Approval (MAA)
Multi-Admin Approval (MAA) in Microsoft Intune is continuously evolving, with recent updates expanding its reach. As of August 2024, MAA now supports mobile devices, including iOS, Android, and macOS, alongside Windows. This enhancement provides administrators with the ability to enforce application access policies across a wider range of platforms, enhancing security by requiring additional admin approvals for any significant changes.
While specific details on the future roadmap of MAA have not been disclosed, Microsoft regularly refines and expands Intune’s features. To stay updated on the latest changes and upcoming enhancements for MAA, you can check the Microsoft 365 roadmap for more information on recent and upcoming updates.