A demonstration of Multi Admin Approval flows

Written by Connor Dean | Modern Workplace Specialist

Qualifications: MD-102

Quick Recap

So we deployed our access policy for scripts in my last article, which provided an intro to MAA. Essentially, it requires two admins to set up, and there are various options for configuration (see options below).

Now it's time to show the full flow of approval for both the admin requestor and the admin approver.


Requesting your change

The flow starts with the admin requestor making a change to something covered by the access policy. In this case, we will be adding a new remediation script for Windows devices.

Once you've created your policy, you will then see the following message including a tooltip.

Before this resource can be created, it must be approved by another admin. Before you can submit this request, you must enter your business justification.

A requestor must provide business justification, similar to how Entra ID requires justification for a PIM Role.

Your request is then seen under Tenant Administration within both Admin Tasks and Multi Admin Approval.


Approving a change

Now, your admin approver (within the approvers group) must review your request and provide an approval or rejection.

As with the requestor's view, the approver can see the request under Tenant Administration in the same places mentioned previously.

The approver can click on the hyperlink to see the request, which includes details of the deployment settings and, depending on the type of request, its contents.

Within our script request, the content of the script can be seen, plus the parameters for how the script is run.

When a request is approved, clicking on it shows the following message.

The request is approved and the requestor can complete the request.

If a request is denied, this can be seen instead.

The request was rejected.

And nothing further needs to be done for a rejected case, other than appealing the decision!


Completing your request (if approved)

Hooray, request approved. Now we need to complete the request and then we can assign it.

Complete the request by clicking on the hyperlinked name and then choosing Complete Request.

You will then see a pop-up notification showing that your request is complete and that your new resource has been created.

Finally, you can assign a group to your new configuration and call it a day.

Unfortunately, for something like a script access policy, that means you need a second approval for the group assignment!


Conclusion

The process seems long-winded if you're doing both requests and approvals; in practice, however, it should be less cumbersome for an organisation, as it can be built into your own internal processes.

The device deletion access policy is most ideal for organisations and something I'd highly recommend; everything else is personal preference.

I hope you enjoyed this quick run through.

Intune Blog: Multi Admin Approval

Part 1 of 2

A group of articles showing how to implement and use Multi Admin Approval in Microsoft Intune
