Monday, December 12, 2022

The new multiple administrative approvals experience

Imagine a compromised administrative account going wild in your Intune environment. Wouldn't it be great to protect your configuration with a second factor, much like MFA does for sign-in? Join me while I try out the new Multiple Administrative Approvals (MAA) feature for Intune, which is out in public preview!


By using Intune access policies we can require a second administrative account to approve changes before they are applied to the production environment. The concept resembles MFA (Multi Factor Authentication), but for configuration changes rather than sign-ins, so let's welcome MAA (Multiple Administrative Approvals) instead.

The goal of MAA is to protect specific configurations. At the time of writing, MAA is in public preview and the available options are to protect Apps and Scripts for devices. I do hope this will be extended to other parts of Intune as well. It seems natural to add this security layer to Security Policies, Device Configuration Policies, App Configuration Policies, App Protection Profiles and so on.

The introduction of MAA will have an impact on the change process around Intune, since changes now need to be approved before they take effect.

Defining approvers

The approval can only be performed by a user account other than the one that created the change. This introduces two MAA roles:

  • The change requester, which must be assigned the Intune Service Administrator or Azure AD Global Administrator role.
  • The approver, which must be a member of an approval group assigned to the access policy. The approver must also hold the same privileged role as the change requester; being a member of the approval group alone is not enough.

I will create a separate Azure AD group for the approvers in my test environment.

This group will then be used when setting up the Intune access policies.

Define Intune Access Policies

I will now define my first Intune access policy. By navigating to Tenant Administration - Multi Admin Approval - Access Policies in the Intune portal, I find the option to create a new policy.

I will select the profile type Apps to require approval for any action on an application in Intune. This covers actions like create, edit, assign and delete on applications.

Next I will select the group of approvers for this access policy.


The access policy will now appear in the Intune portal like this:
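The same two steps (approver group, then access policy) can be scripted. The block below is an added example, not code from the original post or from Microsoft; it uses the Microsoft Graph PowerShell SDK and assumes the Graph beta endpoint `deviceManagement/operationApprovalPolicies` with the property names `policyType` and `approverGroupIds`, and the permission scope `DeviceManagementRBAC.ReadWrite.All`. The group name and approver UPNs are placeholders. Check the current Graph beta reference for the exact property and enum names before relying on them.

```powershell
# Added example (not from the original post): create the approver group and an
# Intune access policy for Apps with the Microsoft Graph PowerShell SDK.
# Assumptions: the beta endpoint deviceManagement/operationApprovalPolicies and
# the property names policyType / approverGroupIds - verify against the current
# Graph beta reference before use.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups, Microsoft.Graph.Users

# 1. Sign in with the scopes needed to create a group and an Intune access policy.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'DeviceManagementRBAC.ReadWrite.All'

# 2. Create the security group that will hold the approvers.
$approverGroup = New-MgGroup -DisplayName 'Intune-MAA-App-Approvers' `
    -MailNickname 'intune-maa-app-approvers' `
    -MailEnabled:$false -SecurityEnabled:$true `
    -Description 'Approvers for Intune Multi Admin Approval (Apps)'

# 3. Add the approver accounts (placeholder UPNs). They still need the Intune
#    Service Administrator (or Global Administrator) role; group membership
#    alone does not make someone an approver.
$approverUpns = @('approver1@contoso.com', 'approver2@contoso.com')
foreach ($upn in $approverUpns) {
    $user = Get-MgUser -UserId $upn
    New-MgGroupMember -GroupId $approverGroup.Id -DirectoryObjectId $user.Id
}

# 4. Create the access policy that protects Apps (create, edit, assign, delete).
$policyBody = @{
    '@odata.type'    = '#microsoft.graph.operationApprovalPolicy'
    displayName      = 'MAA - Apps'
    description      = 'Create, edit, assign and delete on applications require approval'
    policyType       = 'app'              # assumption: enum value for the Apps profile type
    approverGroupIds = @($approverGroup.Id)
}
$policy = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/operationApprovalPolicies' `
    -Body ($policyBody | ConvertTo-Json -Depth 5) -ContentType 'application/json' `
    -OutputType PSObject

# 5. Verify: list the access policies and confirm the approver group is attached.
(Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/operationApprovalPolicies').value |
    Select-Object id, displayName, policyType, approverGroupIds
```

The verification step at the end is the one to keep in a change-control runbook: an access policy whose `approverGroupIds` is empty or points at a group nobody with the Intune role belongs to means requests can pile up with no one able to approve them.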


Verify the MAA experience

Add a new application

Now that applications are protected by MAA, it's time to test this new experience by adding a new application. I will add an application using the new Microsoft Store experience which I covered in this blog post: Simon does...: The new Microsoft Store Experience (skotheimsvik.blogspot.com)

As a result of the new MAA access policy, I now have to provide a business justification before the app can be submitted for approval.


After saving the application, I can find my requests in a list at Tenant administration - Multi Admin Approval - My requests:

It is possible to open my own requests to review them.


The only operation allowed on my own requests is to cancel them.

The status of a change remains visible for up to 30 days after the last status change.

The applications are listed as normal in the applications list.

I would have liked to see the approval status in the application list above, but today I have to open the application to get this kind of detail.

If I click that information, I get the same JSON information as shown above.

Delete or change an application

If I try to delete an application, this also leads to an approval request with a business justification.

Approval of requests

All requests waiting for approval are listed under Tenant Administration - Multi Admin Approval - Received requests in the Intune portal.

As mentioned, I am not allowed to approve my own requests. I have to ask a colleague who holds the correct RBAC role and who is a member of the app approval group to handle this. Please note that there are no automatic notifications in the solution today.

When the approver opens one of the approval requests, he can add an approver note and either approve or reject the request:

The list is updated with the new status, and the approver note is visible when checking the details of the request.
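The approver's side of the flow (and the requester's only option, cancelling an own request, from the "My requests" section above) can also be driven from Microsoft Graph. This is an added example, not code from the original post or from Microsoft; it assumes the Graph beta collection `deviceManagement/operationApprovalRequests`, a status value `needsApproval` for pending requests, and `approve`, `reject` and `cancel` actions on a request that accept an `approvalJustification`. The request ids in the commented usage lines are placeholders. Verify the names against the current Graph beta reference.

```powershell
# Added example (not from the original post): review pending MAA requests and
# approve, reject or cancel one with a note, via Microsoft Graph beta.
# Assumptions: endpoint deviceManagement/operationApprovalRequests, status
# value 'needsApproval', and approve/reject/cancel actions taking
# approvalJustification - verify against the current Graph beta reference.
#Requires -Modules Microsoft.Graph.Authentication

Connect-MgGraph -Scopes 'DeviceManagementRBAC.ReadWrite.All'
$base = 'https://graph.microsoft.com/beta/deviceManagement/operationApprovalRequests'

function Get-PendingMaaRequest {
    # Returns requests still waiting for a decision, newest first.
    (Invoke-MgGraphRequest -Method GET -Uri $base -OutputType PSObject).value |
        Where-Object { $_.status -eq 'needsApproval' } |
        Sort-Object requestDateTime -Descending
}

function Set-MaaDecision {
    param(
        [Parameter(Mandatory)] [string] $RequestId,
        # approve/reject are the approver's actions; cancel is the only action a
        # requester may take on an own request.
        [Parameter(Mandatory)] [ValidateSet('approve', 'reject', 'cancel')] [string] $Decision,
        [Parameter(Mandatory)] [string] $Note
    )
    # The note is stored on the request and shown in its details afterwards.
    Invoke-MgGraphRequest -Method POST -Uri "$base/$RequestId/$Decision" `
        -Body (@{ approvalJustification = $Note } | ConvertTo-Json) `
        -ContentType 'application/json'
}

# Show what is waiting, including when it expires and the business justification.
Get-PendingMaaRequest |
    Select-Object id, status, requestDateTime, expirationDateTime, requestor, requestJustification |
    Format-Table -AutoSize

# Example decisions (placeholder ids - take real ones from the list above).
# The service, not this script, enforces that you cannot approve your own
# request, so treat an error from approve on an own request as expected.
# Set-MaaDecision -RequestId '<request-id>' -Decision approve -Note 'Change ticket CHG-1234 verified'
# Set-MaaDecision -RequestId '<request-id>' -Decision reject  -Note 'No change ticket referenced'
# Set-MaaDecision -RequestId '<request-id>' -Decision cancel  -Note 'Submitted by mistake'
```

A practical habit for approvers: put the change-ticket reference in the note, since the approver note and the requester's justification are the only free-text trail the request keeps once it leaves the list after 30 days.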

Verify the application 

The application is now available in the list of all apps.


Now the app needs to be assigned, and guess what: this kicks off a new change request that has to go through MAA as well.

Once approved by the approver, the change requester is notified in his own portal if he stays signed in.


Concluding the experience

The new MAA feature is a welcome addition that strengthens security operations in Intune, especially if it is extended to more areas, as mentioned at the start, and not only apps and scripts.

It would be great to have automatic notifications on pending approvals. This is not present in the system today. This might be an area where the community can shine by providing a customized solution.

The log of received requests and actions performed is not especially good as I see it in the public preview today. It is missing vital data in the overview, making it hard to read and to trace the actions performed.
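One way to close the notification gap is a scheduled script that mails the approver group about requests that are still pending and remembers which ones it has already announced. This is an added example, not code from the original post or from Microsoft; it assumes the Graph beta collection `deviceManagement/operationApprovalRequests` with status `needsApproval`, and the sender mailbox, group name and state-file path are placeholders.

```powershell
# Added example (not from the original post): a scheduled task that notifies
# the approver group about pending MAA requests, which the preview does not do.
# Assumptions: Graph beta endpoint deviceManagement/operationApprovalRequests
# with status 'needsApproval'; sender mailbox, group name and state file below
# are placeholders.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups, Microsoft.Graph.Users.Actions
param(
    [string] $ApproverGroupName = 'Intune-MAA-App-Approvers',
    [string] $SenderUpn = 'maa-notify@contoso.com',
    [string] $StateFile = "$env:ProgramData\MaaNotify\notified.json"
)

Connect-MgGraph -Scopes 'DeviceManagementRBAC.Read.All', 'GroupMember.Read.All', 'Mail.Send'

# Requests waiting for a decision.
$pending = (Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/operationApprovalRequests').value |
    Where-Object { $_.status -eq 'needsApproval' }

# Notify once per request: the ids already mailed about are kept in a state file.
# @() keeps $notified an array even when the file holds a single id.
$notified = @(if (Test-Path $StateFile) { Get-Content $StateFile -Raw | ConvertFrom-Json })
$new = @($pending | Where-Object { $_.id -notin $notified })
if ($new.Count -eq 0) { return }

# Resolve the approver group members to e-mail addresses.
$group = Get-MgGroup -Filter "displayName eq '$ApproverGroupName'"
$recipients = @(Get-MgGroupMember -GroupId $group.Id |
    ForEach-Object { $_.AdditionalProperties.mail } |
    Where-Object { $_ } |
    ForEach-Object { @{ emailAddress = @{ address = $_ } } })

# One digest mail listing id, timestamps and the requester's justification.
$lines = $new | ForEach-Object {
    "{0}`n  requested: {1}`n  expires:   {2}`n  reason:    {3}" -f `
        $_.id, $_.requestDateTime, $_.expirationDateTime, $_.requestJustification
}
$intro = "Open Tenant administration > Multi Admin Approval > Received requests in the Intune portal.`n`n"
$message = @{
    subject      = "Intune MAA: $($new.Count) request(s) waiting for approval"
    body         = @{ contentType = 'Text'; content = $intro + ($lines -join "`n`n") }
    toRecipients = $recipients
}
Send-MgUserMail -UserId $SenderUpn -BodyParameter @{ message = $message; saveToSentItems = $false }

# Persist the state so the next run does not repeat these notifications.
New-Item -ItemType Directory -Path (Split-Path $StateFile) -Force | Out-Null
@($notified + $new.id) | ConvertTo-Json | Set-Content $StateFile
```

Run it from a scheduled task or an Azure Automation runbook under an identity that only has the read and mail-send scopes listed; the notifier itself should never hold the permission to approve.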


However, when it comes to logs of tasks performed in Intune, I would rather rely on my colleagues' fabulous Intune Audit Dashboard published for the community at msendpointmgr.com. I guess this solution will be updated to cover the new feature pretty soon.

Nevertheless, the feature is highly relevant, adding an extra layer of security to the change process around Intune.
