The new multiple administrative approvals (MAAs)

Are you looking to add an extra layer of security to your device configurations in Microsoft Intune? The new multiple administrative approvals (MAAs) feature, introduced in the November 2211 service release, may be just what you need. In this blog post, we’ll walk you through the process of setting up and using MAAs to protect specific configurations like apps or scripts for devices. Multiple administrative approval (MAA) helps to protect in large environments with many administrators by requiring a second administrative account to approve changes before they are applied.

Currently in public preview, you can try out this new feature in your Intune tenant and provide feedback to Microsoft. Keep an eye out for updates on the general availability of MAAs, which will be announced by Microsoft in the near future.

How to configure MAA

To configure MAA you need Intune Service Administrator or Azure Global Administrator role.

  • Open the Intune Portal in the Browser
  • Navigate to Tenant administration -> Multi Admin Administration
  • Select Access policies
  • Click + Create
  • Enter a Name and select the Profile type (Apps or Scripts)
  • Select the group of MAA Admins which can approve requests
  • Click Next
  • Click Create
  • The creation of the Access policy is done

Create an request

Once an access policy for MAA has been created, it becomes active immediately. When an administrator edits or creates a new object in a protected area, they will see an option on the Save + Review page to enter a description of the change as a business justification. This is required for any changes made to apps, including adding or modifying existing apps or adding new ones. The requester can include additional notes on the changes made and the reasoning behind them. Only after the business justification has been provided can the approver approve or reject the request. Than lets test this.

  • Open the Intune Portal in the Browser
  • Navigate to Apps -> All Apps
  • Select a App for testing (In my case CMTrace)
  • Go to Properties and click Edit
  • Click Edit Description and change the description
  • Click Review +Save multiple times until you are on the Review + save page
  • To create an approval request you have to insert a Business justifaction
  • Click Save

Approve the request

  • Go back to the Multi Admin Approval menu in the Tenant administration
  • Here you will see your request
  • Click in the Business justifaction.
  • Here you will see all the changes which are made (Intresting part is that we also some changes which are not related to the description change)
  • In this case I saw my own request. To approve I have to login with an other MAA user.

One thought on “The new multiple administrative approvals (MAAs)

Comments are closed.