A new feature, Multiple Admin Approvals (MAA), was recently introduced in Intune and is still in Public Preview. At this stage it can only be applied to Apps and Scripts.
MAA lets you, as an Admin, create policies that make Apps and Scripts protected resources, so that any change to them has to be approved by more than one admin before it is applied.
This really helps if the Intune environment is compromised and an attacker tries to change or remove important policies, and it also makes sure an honest mishap won't change a thing 😉
What I Will Be Covering 👇🏽
- Who Can Create MAA Policies?
- Who Can Approve Requests?
- What Activities Can Be Protected?
- MAA Process
- How to Configure MAA Policies?
- How to Test?
- Statuses of the My Requests Section
- MAA Statuses for a Request
- Wrapping Up What’s Lacking At This Stage?
Who Can Create MAA Policies?
- Intune Service Administrator
- Global Administrator
Who Can Approve Requests?
To be an approver, an account must be an Administrator and must be a member of the approval group that’s assigned to the access policy for a specific type of resource.
What Activities Can Be Protected?
A policy defines which type of resource you need to protect (Apps or Scripts). When an admin then tries to perform one of the above tasks on a protected resource, the policy asks for a Business Justification before it sends a notification to the members of the approval group.
How to Configure MAA Policies?
- Log in to the Intune Portal
- Navigate to Tenant Administration
- Select Multi Admin Approval from the mid-blade
- Navigate to Access Policies > Create
- Select App from the list below
- Add the specific group whose members will act as approvers for MAA
- Once you press Create, the policy is done.
How to Test?
Log in to the portal with a different account that is not an Intune Admin or a Global Admin; this can be an account that only has an Intune RBAC role. If you try to perform any of the above-mentioned tasks, it will ask for a Business Justification.
When trying to add an app I got the below final screen. Notice the warning as well as the Business Justification box at the end.
A member of the previously defined group, an Intune Administrator, or a Global Administrator can navigate to the same place to see the Received Requests.
The decision blade will look like the one below. It also displays the change that was requested, in JSON.
Once the decision is made, the app either becomes available in the portal or the request is canceled.
The same applies to the other activities as well (Delete, Edit, Assign and Modify).
Statuses of the My Requests Section
This section shows the requests made by an admin from their own login.
MAA Statuses for a Request
- Needs approval – This request is pending action by an approver.
- Approved – This request is being processed by Intune.
- Completed – This request has been successfully applied.
- Rejected – This request was rejected by an approver.
- Canceled – This request was canceled by the admin who submitted it.
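To make the flow above concrete, here is a small model of the MAA request lifecycle. This is added example code, not Intune's own API or code from the post: the role names, user names and the in-memory `MaaTenant` class are assumptions; it enforces who may create a policy, that a protected change needs a Business Justification, that only an administrator in the approval group can decide, and the status transitions listed above.

```python
from dataclasses import dataclass

POLICY_CREATORS = {"Intune Service Administrator", "Global Administrator"}
PROTECTED_ACTIONS = {"Create", "Delete", "Edit", "Assign", "Modify"}


@dataclass
class Request:
    requester: str
    resource_type: str          # "App" or "Script"
    action: str
    justification: str
    status: str = "Needs approval"


class MaaTenant:
    """Hypothetical in-memory model of one tenant's MAA policies and requests."""

    def __init__(self, roles):
        self.roles = roles        # user -> admin role name (constructed sample data)
        self.policies = {}        # resource_type -> set of approval-group members
        self.requests = []

    def create_policy(self, creator, resource_type, approver_group):
        if self.roles.get(creator) not in POLICY_CREATORS:
            raise PermissionError(f"{creator} cannot create MAA policies")
        self.policies[resource_type] = set(approver_group)

    def submit(self, requester, resource_type, action, justification=""):
        if action not in PROTECTED_ACTIONS:
            raise ValueError(f"unknown action {action}")
        req = Request(requester, resource_type, action, justification)
        if resource_type not in self.policies:
            req.status = "Completed"   # not protected: applied straight away
        elif not justification.strip():
            raise ValueError("a Business Justification is required for a protected resource")
        self.requests.append(req)
        return req

    def decide(self, approver, req, approve):
        # The approver must hold an administrator role AND be in the policy's approval group.
        if approver not in self.roles or approver not in self.policies[req.resource_type]:
            raise PermissionError(f"{approver} is not an approver for {req.resource_type}")
        if req.status != "Needs approval":
            raise ValueError(f"request is already {req.status}")
        # "Approved" means Intune is processing the change; it then becomes "Completed".
        req.status = "Completed" if approve else "Rejected"
        return req.status

    def cancel(self, user, req):
        if user != req.requester or req.status != "Needs approval":
            raise ValueError("only the submitting admin can cancel a pending request")
        req.status = "Canceled"
        return req.status
```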
Wrapping Up What’s Lacking At This Stage?
Security comes first, and as your devices mature in Intune you will add important policies for both users and devices. MAA can also be a great addition to your change process, so that policy activities are streamlined while the policies themselves stay protected. This is a good start, and I believe the same functionality will be extended to Security Policies, Device Configuration Profiles, App Configuration Profiles, and App Protection Profiles when it's ready for General Availability.