Intune Stuff | The Community place for Microsoft Intune, Intune Suite, Autopilot, macOS Management, Copilot for Security.

How to Set Up Intune Multi-Admin Approval with Ease – and a quirk

by | Aug 31, 2025 | Device Management, Featured Post, Intune, Intune Portal, Manuals, MDM, Microsoft, Most Popular, News, Top Stories, Windows 11 | 0 comments

Hi Community,

Another day, another blog, this time on Multi-Admin Approval in Intune. This is not a new feature, but Microsoft recently added some more functionality to it, and for the better! In this blog I will give you some information on what it is and does, show you how to set up the needed access policies, and finally give you some insight into the user experience, so let’s go!

Have you, as an Intune admin, ever had someone accidentally delete an app, retire the wrong device, …? Then this one is for you: it will save you the hassle and time of digging through the audit logs to find out who did what. So what is Multi-Admin approval?

If you want to check out the official Microsoft docs, you can find them here:

What is Multi-Admin approval?

 

To keep your environment safer from a hacked or compromised admin account, or just accidental actions, Intune lets you use Multi-Admin Approval. In short, it means that before a sensitive change goes live, a second admin has to sign off.

With Multi-Admin, you set up access policies that protect certain configurations – like apps or device scripts. These policies define what’s protected and which group of admins can approve changes.

Here’s how it works: if someone makes a change to a protected resource, Intune won’t apply it right away. Instead, it waits for approval from a different admin who’s part of the assigned approval group. That second admin can either approve or reject the request.

Currently, Multi-Admin access policies can protect:

  • Apps – App deployments (but not app protection policies).
  • Device actions – Wipe, retire, and delete.
  • Scripts – Deploying scripts to Windows devices.
  • Access Policies – Creating or managing other Multi-Admin policies.
  • Role-based access control (RBAC) – Changes to roles, permissions, admin groups, or member assignments.

 

Configuration policies and compliance policies are not included (yet). Personally, I would also like to see that. Some people I have spoken to on this topic were also saying that even assignments should be included; however, in an enterprise environment it would create a lot of overhead. Do make sure you have a backup of your Intune policies; there are (community) tools out there which also let you export assignments.

 

Things to take into account

 

Intune doesn’t send out alerts when a new request is created or when an existing request changes status. So, if you’re submitting something urgent, it’s best to ping an approver directly to let them know. You can always track your own requests in the Intune admin center under Tenant administration – Multi Admin Approval – My requests.

 

The lack of notifications may be a miss for some admins; for me personally, I don’t think it is an issue. However, for EPM requests I would have liked to see a better way of sending notifications. I wrote a blog on how to make it better, and I think it will be just a matter of time before somebody creates a notification flow for Multi-Admin approval. If you want to know more on the EPM notifications, read my blog here:

 

A couple of things to know:

  • If there’s already a pending approval for an object, you can’t submit another request for it until that one is resolved.
  • All actions on protected resources are covered—edit, create, modify, delete, assign, and more.
  • Every step of the request and approval process is logged in the Intune audit logs.

 

Request statuses you’ll see:

  • Needs approval – Waiting for an approver to take action.
  • Approved – Intune is processing the request.
  • Completed – The change was successfully applied.
  • Rejected – An approver denied the request.
  • Canceled – The requestor canceled their own request.

 

 

Prerequisites

 

There aren’t a lot of prereqs to take into account.

  • To use Multi-Admin Approval, your tenant needs at least two admin accounts: One makes the change & the other approves it.
  • To create an access policy, your account needs the Intune Service Administrator role or the right Multi-Admin Approval permissions for an Intune role.
  • Admins who specifically manage Multi-Admin Approval policies also need the “Approval for Multi Admin Approval” permission.
  • To be an approver, your account has to be part of the approver group that’s tied to the access policy for the resource you’re protecting.

A quick note about approver groups:

  • They must be added as a member group of at least one Intune role assignment.
  • It doesn’t matter which role assignment.
  • If the group isn’t linked to any role assignment, its members will eventually get removed.

 

How does it work?

 

When an admin edits or creates something that’s protected by an access policy, they’ll see a spot on the Save + Review screen to add a business justification (basically, the reason for the change). That justification gets included in the approval request.

Requestors: After submitting a change, the admin can track it in the Intune admin center under Tenant administration > Multi Admin Approval > My requests.

Approvers: They go to the Received requests page, where they see pending or recent requests, along with details like who submitted it, when, and what type of change it is (e.g., Create, Assign).

From there:

  • The approver clicks the Business justification link to see the details.
  • They can add notes in the Approver notes field.
  • Finally, they choose to Approve or Reject the request.

If rejected, their notes are shared back with the requestor so they know why. If someone is both the requestor and in the approver group, they’ll still see their request in Received requests, but they can’t approve their own changes.

When a change is approved, Intune processes it and updates the object. While it’s being worked on, the status shows as Approved. The original requestor must then click Complete to kick off the change. Once done, the status updates to Completed.

 

Statuses stick around for 30 days. If nothing happens in that time, the request expires and has to be resubmitted.
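Since Intune sends no alerts on status changes and requests expire after 30 days, a scheduled job can compare request snapshots and work out who needs a nudge. The sketch below is an added example, not code from this post or from Microsoft: the record fields (`id`, `status`, `requestor`, `requested`), the 5-day warning window and the assumption that the 30 days run from submission are illustrative, and fetching the requests and sending the messages are left to your own tooling.

```python
from datetime import datetime, timedelta, timezone

EXPIRY = timedelta(days=30)       # per the post: requests expire after 30 days
WARN_BEFORE = timedelta(days=5)   # assumption: warn 5 days before expiry
OPEN = {"Needs approval", "Approved"}  # Approved still waits for Complete

def plan_notifications(requests, last_seen, approvers, now):
    """Return (messages, new_state); last_seen maps id -> status at last poll."""
    messages, state = [], {}
    for r in requests:
        rid, status, owner = r["id"], r["status"], r["requestor"]
        state[rid] = status
        # A requestor cannot approve their own change, so never page them for it.
        reviewers = sorted(a for a in approvers if a != owner)
        waiting_on = reviewers if status == "Needs approval" else [owner]
        if last_seen.get(rid) != status:
            if status == "Needs approval":
                messages.append((rid, "approve or reject", reviewers))
            elif status == "Approved":
                messages.append((rid, "click Complete", [owner]))
            elif status == "Rejected":
                messages.append((rid, "read approver notes", [owner]))
        elif status in OPEN and now >= r["requested"] + EXPIRY - WARN_BEFORE:
            # Unchanged and close to expiry: remind whoever has to act next.
            messages.append((rid, "expiring soon", waiting_on))
    return messages, state

# Constructed sample data; field names are assumptions, not a documented schema.
UTC = timezone.utc
NOW = datetime(2025, 9, 30, tzinfo=UTC)
APPROVERS = {"adm-a@contoso.example", "adm-b@contoso.example", "adm-c@contoso.example"}
SAMPLE = [
    {"id": "req-1", "status": "Needs approval", "requestor": "adm-a@contoso.example",
     "requested": datetime(2025, 9, 29, tzinfo=UTC)},
    {"id": "req-2", "status": "Approved", "requestor": "adm-b@contoso.example",
     "requested": datetime(2025, 9, 2, tzinfo=UTC)},
    {"id": "req-3", "status": "Completed", "requestor": "adm-c@contoso.example",
     "requested": datetime(2025, 9, 20, tzinfo=UTC)},
]

if __name__ == "__main__":
    previous = {"req-2": "Approved", "req-3": "Approved"}
    msgs, previous = plan_notifications(SAMPLE, previous, APPROVERS, NOW)
    for rid, action, to in msgs:
        print(f"{rid}: {action} -> {', '.join(to)}")
```

The expiry reminder repeats on every poll inside the warning window, so run the job at the cadence you want reminders to arrive.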

 

How to set it up.

Like I said, make sure you have at least 2 users with the correct roles in your tenant and put them in a security group, e.g. sg-multi admin approvers. Go to the Intune portal – Tenant Administration – Multi-Admin approval – Access policies – Create.

 


 

In the Create pane, give your policy a name and choose the policy type, e.g. MAA – Device Wipe, and click Next.

 


 

In the Approvers section, add the group you have created with the admin users who can approve the requests.

 

 

Click Next and, in the Review + submit for approval section, enter a justification for creating this rule and click Submit for approval.

 

This is a good thing: if this was not there, you could just go ahead and create a lot of policies without any other admin being able to approve them, and that is something you just don’t want for obvious reasons.

 

 

After you click Submit for approval, it will take just a couple of seconds before the policy is created. You can check this in the notifications at the top right.

 

 

After creation you will get this:

 

 

Now we have a Multi-Admin approval policy in place, but it still needs to be approved. Before we approve it, let’s make another policy, this time for an app. Go back to the Intune portal – Tenant Administration – Multi-Admin approval – Access policies – Create. Give it a name, e.g. MAA – Applications. You can toggle the switch for Windows or Non-Windows apps if you want to create separate policies to distinguish other OSes. Click Next when you are done.

 

An app policy will require approval for applications, such as mobile apps or built-in apps. This could include create, edit, assign, and delete. App policies can be limited to only Windows platforms, non-Windows platforms, or can apply to all platforms.

 

 

 

Again, add the group. You can also have different groups for different Multi-Admin approval actions; that is totally up to you. Click Next.

 

 

In the Review + submit for approval section, fill in your justification, click Submit for approval and wait a couple of seconds before the policy is created.

 

 

Now we have 2 policies waiting for approval, so now is the time to tell your other admin that you have created these Multi-Admin policies. I have made a video on the user experience.

 

User – Admin Experience (And the quirk)

 

I ran into some errors here and also found out why. This is not documented in the Microsoft docs. Curious? See the video.

 

 

 

After I added a license to the 2nd admin user, I waited for another 10 minutes and I could approve the request.

 

 

And as you can see it is approved!

 

 

And I can complete it with the requester account.

 

 

Now you will be able to use Multi-Admin approval. I know it’s a little quirky, but hey, it’s still Microsoft. I also just checked/searched the docs and there is no mention that both admin users need licenses. As far as I know, and also for security reasons, you should always have separate accounts, 1 for your user and 1 for the admin, and for me my admin accounts are normally NOT licensed.

And as always if you feel there is something in error or you want to add some stuff from your own experience don’t hesitate to contact me!
