{"id":3718,"date":"2026-05-19T16:49:27","date_gmt":"2026-05-19T21:49:27","guid":{"rendered":"https:\/\/microsoftgeek.com\/?p=3718"},"modified":"2026-05-19T16:49:27","modified_gmt":"2026-05-19T21:49:27","slug":"how-to-set-up-multiple-administrator-approval-for-intune-device-actions","status":"publish","type":"post","link":"https:\/\/microsoftgeek.com\/?p=3718","title":{"rendered":"How to Set up Multiple Administrator Approval for Intune Device Actions"},"content":{"rendered":"\n

Create the Dedicated Approver Security Group<\/h3>\n\n\n\n

This group will house all the administrators authorized to approve MAA requests.<\/p>\n\n\n\n

    \n
  1. Sign in to the\u00a0Microsoft Entra admin center<\/strong>.<\/li>\n\n\n\n
  2. Navigate to\u00a0Entra ID<\/strong>\u00a0>\u00a0Groups<\/strong>\u00a0>\u00a0All groups<\/strong>.<\/li>\n\n\n\n
  3. Click\u00a0+ New group<\/strong>.<\/li>\n\n\n\n
  4. Group type:<\/strong>\u00a0Select\u00a0Security<\/strong>.<\/li>\n\n\n\n
  5. Group name:<\/strong>\u00a0Give it a clear name (e.g.,\u00a0SG-Intune-MAA-Approvers<\/code>).<\/li>\n\n\n\n
  6. Membership type:<\/strong>\u00a0Select\u00a0Assigned<\/strong>.<\/li>\n\n\n\n
  7. Add the administrator accounts that will be authorized to\u00a0approve<\/em>\u00a0the requests to the\u00a0Members<\/strong>\u00a0list.<\/li>\n\n\n\n
  8. Click\u00a0Create<\/strong>.<\/li>\n<\/ol>\n\n\n\n

    Link the Approver Group to an Intune Role<\/h3>\n\n\n\n

    This step prevents the group from being \u201cinadvertently pruned\u201d from Intune\u2019s data sync, ensuring it remains visible and functional for the MAA policy long-term.<\/p>\n\n\n\n

      \n
    1. Sign in to the\u00a0Microsoft Intune admin center<\/strong>.<\/li>\n\n\n\n
    2. Navigate to\u00a0Tenant administration<\/strong>\u00a0>\u00a0Roles<\/strong>.<\/li>\n\n\n\n
    3. Select an existing, low-impact role, such as the\u00a0\u201cRead Only Operator\u201d<\/strong>\u00a0role.\u00a0(A custom role with zero permissions is also an excellent option)<\/em>.<\/li>\n\n\n\n
    4. Select the\u00a0Assignments<\/strong>\u00a0tab, and then click\u00a0+ Assign<\/strong>.<\/li>\n\n\n\n
    5. Give the assignment a name.\u00a0Click\u00a0Next<\/strong>.<\/li>\n\n\n\n
    6. Admin Groups:<\/strong>\u00a0Click\u00a0+ Select groups to include<\/strong>.<\/li>\n\n\n\n
    7. Find and select your new\u00a0Dedicated Approver Security Group<\/strong>\u00a0(e.g.,\u00a0SG-Intune-MAA-Approvers<\/code>). Click\u00a0Select<\/strong>.<\/li>\n\n\n\n
    8. Click\u00a0Next<\/strong>\u00a0through the remaining settings (Scope groups<\/strong>\u00a0and\u00a0Scope tags<\/strong>).<\/li>\n\n\n\n
    9. Review and click\u00a0Create<\/strong>.<\/li>\n<\/ol>\n\n\n
      \n
      \"How<\/figure>\n<\/div>\n\n\n

      Creating the Multi-Admin Approval Access Policy<\/h2>\n\n\n\n

      The Access Policy defines what<\/strong> action is protected and who<\/strong> is authorized to approve it. This step is performed by the initial administrator (the Requester).<\/p>\n\n\n\n

        \n
      1. Sign in to the\u00a0Microsoft Intune admin center<\/strong>.<\/li>\n\n\n\n
      2. Navigate to\u00a0Tenant administration<\/strong>\u00a0>\u00a0Multi Admin Approval<\/strong>.<\/li>\n\n\n\n
      3. Select the\u00a0Access policies<\/strong>\u00a0tab and click\u00a0+ Create<\/strong>.<\/li>\n<\/ol>\n\n\n
        \n
        \"How<\/figure>\n<\/div>\n\n\n

        Define the Policy Scope<\/h3>\n\n\n\n
          \n
        1. Name:<\/strong>\u00a0Enter a descriptive name.<\/li>\n\n\n\n
        2. Profile type:<\/strong>\u00a0Select\u00a0Device wipe<\/strong>. Click\u00a0Next<\/strong>.<\/li>\n\n\n\n
        3. Select the\u00a0Platforms<\/strong>\u00a0to which this policy will apply.<\/li>\n\n\n\n
        4. Click\u00a0Next<\/strong>.<\/li>\n<\/ol>\n\n\n
          \n
          \"How<\/figure>\n<\/div>\n\n\n

          <\/h3>\n\n\n\n
            \n
          • On the\u00a0Approvers<\/strong>\u00a0page, click\u00a0+ Add groups<\/strong>.<\/li>\n\n\n\n
          • Select the\u00a0Dedicated Approver Security Group<\/strong>\u00a0you created in Step 1.<\/li>\n\n\n\n
          • Click\u00a0Select<\/strong>, then click\u00a0Next<\/strong>.<\/li>\n<\/ul>\n\n\n\n

            Submit the Policy for Approval<\/h3>\n\n\n\n
              \n
            1. Review the settings on the\u00a0Review + submit for approval<\/strong>\u00a0page.<\/li>\n\n\n\n
            2. Provide a\u00a0Business justification<\/strong>\u00a0for\u00a0creating the policy itself<\/em>\u00a0(e.g., \u201cImplementing MAA as per security audit requirements to enforce separation of duties.\u201d).<\/li>\n\n\n\n
            3. Click\u00a0Submit for approval<\/strong>.<\/li>\n<\/ol>\n\n\n\n

              Activating the Dual Role Policy in Intune<\/h2>\n\n\n\n

              Since the policy creation is a security-impacting change, it requires approval before it can become active.<\/p>\n\n\n\n

              Review and Approve the Policy Creation (Approver Role)<\/h3>\n\n\n\n
                \n
              1. The\u00a0Approver Admin<\/strong>\u00a0signs in to the\u00a0Microsoft Intune admin center<\/strong>.<\/li>\n\n\n\n
              2. Navigate to\u00a0Tenant administration<\/strong>\u00a0>\u00a0Multi Admin Approval<\/strong>\u00a0>\u00a0All<\/strong>\u00a0requests<\/strong>.<\/li>\n\n\n\n
              3. Locate and select the pending policy creation request.<\/li>\n\n\n\n
              4. Add\u00a0Approver notes<\/strong>.<\/li>\n\n\n\n
              5. Click\u00a0Approve request<\/strong>.<\/li>\n<\/ol>\n\n\n
                \n
                \"How<\/figure>\n<\/div>\n\n\n

                Complete and Activate the Policy (Requester Role)<\/h3>\n\n\n\n
                  \n
                1. The\u00a0Requester Admin<\/strong>\u00a0signs back into the Intune admin center.<\/li>\n\n\n\n
                2. Navigate to\u00a0Tenant administration<\/strong>\u00a0>\u00a0Multi Admin Approval<\/strong>\u00a0>\u00a0My requests<\/strong>.<\/li>\n\n\n\n
                3. The request status will show as\u00a0Approved<\/strong>. Click the request.<\/li>\n\n\n\n
                4. Click\u00a0Complete<\/strong>.<\/li>\n<\/ol>\n\n\n
                  \n
                  \"How<\/figure>\n<\/div>\n\n\n

                  Executing a Protected Device Action (The Workflow)<\/h2>\n\n\n\n

                  When an admin attempts a protected action, the workflow immediately triggers:<\/p>\n\n\n\n

                  Initiating the Request (Requester Role)<\/h3>\n\n\n\n
                    \n
                  1. The Requester navigates to a device and selects a protected action (e.g.,\u00a0Device Wipe<\/strong>).<\/li>\n\n\n\n
                  2. A dialog box appears, showing the MAA requirement.<\/li>\n\n\n\n
                  3. The Requester enters a mandatory\u00a0Business justification<\/strong>\u00a0for the device action.<\/li>\n\n\n\n
                  4. The Requester clicks\u00a0Submit for approval<\/strong>.<\/li>\n<\/ol>\n\n\n\n

                    The device action is halted. The request is visible in the My requests<\/strong> tab with the status Needs approval<\/strong>.<\/p>\n\n\n\n

                    Reviewing and Approving the Action (Approver Role)<\/h3>\n\n\n\n
                      \n
                    1. The Approver signs in and navigates to\u00a0Tenant administration<\/strong>\u00a0>\u00a0Multi Admin Approval<\/strong>\u00a0>\u00a0Received requests<\/strong>.<\/li>\n\n\n\n
                    2. They review the device, the action type, and the Requester\u2019s justification.<\/li>\n\n\n\n
                    3. They add\u00a0Approver notes<\/strong>\u00a0(e.g., \u201cVerified user termination date, proceeding with device retire.\u201d).<\/li>\n\n\n\n
                    4. They click\u00a0Approve request<\/strong>.<\/li>\n<\/ol>\n\n\n\n

                      The request status changes to Approved<\/strong>.<\/p>\n\n\n\n

                      Finalizing and Executing the Action (Requester Role)<\/h3>\n\n\n\n
                        \n
                      1. The Requester returns to\u00a0My requests<\/strong>.<\/li>\n\n\n\n
                      2. The request status is\u00a0Approved<\/strong>. Click the request.<\/li>\n\n\n\n
                      3. Click\u00a0Complete<\/strong>.<\/li>\n<\/ol>\n\n\n\n

                        Intune executes the device action. The complete workflow is recorded in the audit logs.<\/p>\n\n\n\n

                        Conclusion:<\/h2>\n\n\n\n

                        By implementing Multiple Administrator Approval, you establish a true governance framework that secures your environment against human error and malicious intent. Every critical device action is now backed by an auditable workflow that confirms who requested it and who provided oversight. This is a non-negotiable step toward modern, compliant security.<\/p>\n","protected":false},"excerpt":{"rendered":"

                        Create the Dedicated Approver Security Group This group will house all the administrators authorized to approve MAA requests. Link the Approver Group to an Intune Role This step prevents the group from being \u201cinadvertently pruned\u201d from Intune\u2019s data sync, ensuring it remains visible and functional for the MAA policy long-term. Creating the Multi-Admin Approval Access […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[104],"tags":[],"class_list":["post-3718","post","type-post","status-publish","format-standard","hentry","category-intune"],"_links":{"self":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3718","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3718"}],"version-history":[{"count":1,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3718\/revisions"}],"predecessor-version":[{"id":3719,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3718\/revisions\/3719"}],"wp:attachment":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3718"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3718"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3718"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}