Intune Training: Configuring Multi-Admin Approvals
- December 31, 2023
- Posted by: Lara Administrator
- Category: End User Computing
Introduction
In this blog, we will discuss the steps to configure multi-admin approvals in Microsoft Intune. Multi-admin approval access policies in Intune allow us to ensure that a second administrator approves the deployment of apps and scripts to endpoints within Intune. By creating this secure workflow, we are protecting our endpoints from malicious administrators.
Benefits of Multi-Admin Approvals
Intune’s multi-admin approvals feature ensures that a second person validates the deployment of apps and scripts. This validation process helps in enhancing the security of our endpoints. Here are some key benefits of using multi-admin approvals in Intune:
- Protection from compromise: Multi-admin approvals protect endpoints from the compromise of administrators by requiring a second person to validate the deployment of apps and scripts.
- Secure workflow: By implementing multi-admin approvals, we establish a secure workflow that ensures only approved and validated apps and scripts are deployed to endpoints.
- Access policy enforcement: Multi-admin approvals apply when any user account in our tenant creates or makes changes to a resource protected by an access policy. This ensures that changes are not implemented until a different account explicitly approves them.
Creating a Multi-Admin Approval Access Policy
To configure multi-admin approvals in Intune, follow these steps:
- Access the Microsoft Endpoint Manager admin center: To begin, access the Microsoft Endpoint Manager admin center by visiting the URL https://endpoint.microsoft.com.
- Create an access policy: Once in the admin center, navigate to the “Tenant Administration” section and click on “Multi-Admin Approval.” Then, click on “Access Policies” to create a new access policy.
- Enter policy details: On the “Basics” page, enter a meaningful name for the access policy. Next, select a profile type to which the policy will apply. In this example, we will select “Apps” as the profile type.
- Specify an approver group: To enable multi-admin approval for a specific type of resource, we need to specify an approval group. This group will have the authority to approve or reject approval requests. Select the appropriate group from the list and click “Next” to proceed.
- Review and create the policy: On the “Review + Create” page, review your configuration and click “Create” to save the changes. Wait for the confirmation message indicating that the access policy has been successfully created.
- Confirmation and verification: After creating the access policy, you can verify its creation by checking the “Access Policies” tab. You should see the newly created access policy listed there.
Submitting a Change Request for Approval
To submit a change request for approval, follow these steps:
- Log in to Intune: Log in to the Microsoft Endpoint Manager admin center using an account that has the Intune application manager role assigned to it.
- Add or edit an app: Once logged in, you can either add a new app or edit an existing app. Navigate to the “Apps” section and select the desired app.
- Provide business justification: On the “Review + Create” page, enter a business justification for the changes being made. This justification helps the approver understand the purpose and need for the change.
- Submit the request: After providing the business justification, click on “Submit for Approval” to send the request for approval. Wait for the confirmation message indicating that the request has been successfully submitted.
- Monitoring the request: You can monitor the status of your request by navigating to the “My Request” tab in the “Multi-Admin Approval” section. Here, you can see whether the request is pending, approved, or completed.
Approving the Change Request
To approve a change request, follow these steps:
- Access the approval interface: As an approver, you can access the approval interface by navigating to the “Multi-Admin Approval” section and clicking on the “Received Request” tab.
- Review the request: In the approval interface, you will see a list of requests that need approval. Click on the business justification link for a request to open the review page. Here, you can review the details of the change and manage the approval or rejection.
- Approve or reject the request: After reviewing the details, enter any relevant comments or information in the appropriate fields. Then, select either “Approve Request” or “Reject Request” based on your evaluation of the change.
- Confirmation and completion: After approving the request, wait for the confirmation message indicating that the request has been successfully approved. Intune will process the changes and update the request status to completed.
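The check below is an added example, not part of the original post or of Intune's own tooling. It audits request records against the rule described above: every applied change must carry a business justification and be approved by a different account that belongs to the approver group. The record fields, account names and sample data are hypothetical and constructed for illustration.

```python
# Added example: constructed records; field names are hypothetical,
# not an Intune export schema.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Request:
    request_id: str
    requester: str
    approver: Optional[str]  # None while the request is pending
    status: str              # "pending", "approved", "rejected", "completed"
    justification: str

def audit_requests(requests, approver_group):
    """Return (request_id, finding) for each violation of the two-person rule."""
    group = {a.lower() for a in approver_group}
    findings = []
    for r in requests:
        if not r.justification.strip():
            findings.append((r.request_id, "missing business justification"))
        if r.status in ("approved", "completed"):
            if r.approver is None:
                findings.append((r.request_id, "applied without a recorded approver"))
            elif r.approver.lower() == r.requester.lower():
                findings.append((r.request_id, "self-approved"))
            elif r.approver.lower() not in group:
                findings.append((r.request_id, "approver not in approver group"))
    return findings

def submitters_without_independent_approver(submitters, approver_group):
    """Submitters for whom no other account in the approver group can approve."""
    group = {a.lower() for a in approver_group}
    return sorted(s for s in submitters if not (group - {s.lower()}))

# Constructed sample data
APPROVERS = ["alice@contoso.example", "bob@contoso.example"]
REQUESTS = [
    Request("r1", "carol@contoso.example", "alice@contoso.example", "completed", "Deploy 7-Zip"),
    Request("r2", "alice@contoso.example", "Alice@contoso.example", "approved", "Update VPN client"),
    Request("r3", "carol@contoso.example", "dave@contoso.example", "completed", "  "),
    Request("r4", "bob@contoso.example", None, "pending", "New browser build"),
]

if __name__ == "__main__":
    for finding in audit_requests(REQUESTS, APPROVERS):
        print(finding)
```

The second function is worth running before creating a policy: an approver group whose only member is also the person submitting changes leaves that person with no one who can approve their requests.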
Conclusion
Configuring multi-admin approvals in Microsoft Intune provides an added layer of security for deploying apps and scripts to endpoints. By requiring a second administrator to approve the changes, we can ensure the integrity and safety of our endpoints. Follow the steps outlined in this blog to set up multi-admin approval access policies and streamline the approval process in Intune. Remember, multi-admin approvals protect your organization from compromised administrators and ensure that only validated and documented changes are implemented. Implement this powerful feature in your Intune environment to enhance the security of your endpoints. Thank you for reading this blog on configuring multi-admin approvals in Microsoft Intune. Stay tuned for more informative content on Intune training.