What’s up, everyone!
In this blog I will have a look at multi admin approval in Microsoft Intune. As an admin you can make sure that another admin has to approve a change for apps or scripts based on access policies. Let’s see how it works!
Prerequisites
Admins need to be at least an Intune Service Administrator or Azure Global Administrator to be able to create access policies.
Accounts that should be able to approve changes should be a member of the group that is configured in the access policy.
Creating an access policy
As an admin you can create access policies for apps and scripts. Or both if you want to combine policies. Let’s create an access policy for scripts.
Go to the Microsoft Intune admin center, Tenant administration, Multi Admin Approval. This will bring you to the Received requests overview which should be empty at this point.
We have three tabs at the top of the screen;
- Received requests; shows the requests that have been made.
- My requests; shows the requests you yourself have made.
- Access policies; create, change or delete access policies.
Click the + Create button. Let’s start by creating an access policy for scripts. Give the policy a meaningful name, description if you want and select scripts in the drop down box.
Add a group to the policy. This group will contain users that can approve requests. You cannot add single user accounts.
Finish up by taking a moment to admire your awesome work and click the create button if you are happy with the policy.
Once the rule is created, you’ll be able to see it in the Access policies overview.
Creating an access policy for apps is entirely the same as creating an access policy for scripts so I will skip this step. Let’s check if we see get multiple admin approval in action instead!
Creating a new resource
Let’s go to Devices, Windows, PowerShell scripts. I don’t have scripts configured which is good for this demo.
Click the + Add button in the ribbon on the top to add a new script. Enter a name and a description if you want and click Next.
Browse to the script and select the options you need for this script to work.
As always, take a minute to admire your awesome … oh wait! The policy is already in effect so now we get a nice reminder that another admin has to approve this resource. We need to write down a business justification in the text box below.
Just add a business justification. Now take a moment to admire your awesome work and if click the Submit for approval button if you are happy with it.
Approving a request
Approving a request as the admin who created the request
Let’s head back to Tenant administration, Multi Admin Approval. We can now see the requests in the Received request tab. We can see;
- When the request was created
- The resource type
- Operation (Create, edit, modify, delete etc)
- The business justification
- Who made the request
- The status of the request
You cannot approve your own request of course but you can check the business justification by clicking on the text. I really like that the admin can review the content of the script before making a decision to approve or reject the request. I just wrote some generic text and saved the file as a PowerShell file.
In a real-world scenario an admin would cancel the request of course. But for demo purposes, let’s continue.
The My requests tab shows all the requests that I created. Since I only created one request this tab looks the same as the first tab and the layout is basically the same as the My requests tab. I can see how this overview makes it pretty easy to follow up on the different requests that an admin created.
Approving the request as a different admin
I signed in using a different admin account that is a member of the group I configured in the access policy and headed back to Tenant admin, Multi Admin Approval. The request pops up in the Received requests tab and I can see the content when I click the business justification. The admin can now add a note as to why the request was approved or rejected.
Since the content of the script wasn’t as brilliant as expected, I’d probably reject the request.
The status changes to Rejected in the overview. It’s still possible to click on the business justification to get more info about the request. The approver notes are visible but cannot be changed. So you’d probably want to determine what kind of information you approvers to write down.
If a request exists longer than 30 days, it will expire.
Resources
I used the following resources for this blogpost: