Welcome to Multi Admin Approval in Intune
Written by Connor Dean | Modern Workplace Specialist
Introduction
Microsoft has recently been pushing this Multi Admin Approval banner onto your Intune homepage, and for good reason....
More and more, we hear of incidents where bad actors have gained access to an Intune Admin environment and within minutes policies are gone, devices are wiped and deleted, leaving admins with a mountain of work to restore and rebuild.
Multi Admin Approval is Microsoft's '2FA' for potentially damaging administrative tasks, to ensure that Intune Admins aren't left with egg on their face.
It ensures that a second authorisation is required for certain actions depending on your configured policies, then it ensures that you can review your change before it is implemented potentially avoiding accidental errors.
What does the implementation look like?
Building the policy starts within the Intune Admin Centre under Tenant Administration.
Multi Admin Approval can be found in the list of categories. This is where approvals, your requests and policies can be seen.
Under access policies, you can create policies for a range of administrative actions, like Scripts for example:
A security group is required for your approvers (and no, you cannot approve your own requests ..... unless you have two accounts in the same approvers group).
And upon reviewing, you will be required to get approval for the new policy.
The request can be seen within your 'My Requests' tab under the Multi Admin Approval area. For this to be approved, an Admin user with the Approval for Multi Admin Approval permission needs to action it.
In the final stages it goes to approval this is what it looks like this for the other admin.
The request can be seen within Admin Tasks.
Clicking on the task then shows the approval pane where it can either be approved or denied, and requires some justification.
After approval is provided, the requestor can then complete their implementation by refreshing their 'My Requests' view and selecting their task, then choosing 'Complete Request'.
Justification is now required for any actions related to our chosen category, the access policy is successfully implemented.
Conclusion
Multi Admin Approval is a welcome feature, one that I will cover more deeply around the different categories that can be configured against.
I'd recommend reviewing this feature as it could save your organisation a lot of hassle!
/
For more on those categories, and the implementation in Microsoft's own words, then please see this Microsoft Learn article.
