Microsoft Intune Multi-Admin Approval workflow showing request submission and approval process for sensitive administrative actions

πŸ”§ Step-by-Step: Configure Microsoft Intune Multi-Admin Approval (MAA)

Posted 27 Mar 2026

Implementing Multi-Admin Approval (MAA) in Microsoft Intune introduces a critical security control by ensuring that sensitive administrative actions require approval from multiple administrators.

Below is a practical step-by-step guide to help you deploy and operationalise MAA in your environment.

βš™οΈ Step 1: Create an Access Policy

 

  1. Sign in to the Microsoft Intune admin center
  2. Navigate to:
    πŸ‘‰ Tenant Administration β†’ Multi Admin Approval β†’ Access policies
  3. Select Create

 

🧱 Configure Basics

 

  • Provide:
    • Name (e.g. β€œMAA – Device Deletion Control”)
    • Optional Description
  • Select Profile type
    • ⚠️ Each policy supports only one profile type

 

πŸ‘₯ Configure Approvers

 

  • Select Add groups
  • Choose an Azure AD group that will act as approvers

⚠️ Important:

  • Only group-based assignment is supported
  • No advanced include/exclude logic

 

βœ… Review and Create

 

  • Review configuration
  • Select Create

πŸ” Approval Requirement

 

  • A separate admin account (with MAA approval permissions) must:
    • Sign in
    • Review
    • Approve the policy

βœ”οΈ Finalise the Policy

 

  • Return to the policy using the original admin account
  • Select Complete

 

πŸ‘‰ Once completed:

Any action tied to the selected profile type will now require multi-admin approval

 

πŸ“€ Step 2: Submit a Request

 

When MAA is enabled, admins must follow an approval workflow.

πŸ“ Submitting Changes

 

  1. Perform your normal action (e.g. delete device, modify config)
  2. On the final screen:
    • Enter Business Justification
  3. Select Submit

⚠️ Important Notes

 

  • If a request is already pending for the same object:
    • ❌ You cannot submit another
  • Intune will display a warning message

πŸ” Track Request Status

 

Go to:

πŸ‘‰ Tenant Administration β†’ Multi Admin Approval β†’ My requests

❌ Cancel a Request

 

  • Select request
  • Click Cancel request (if not yet approved)

βœ”οΈ Step 3: Approve or Reject Requests

πŸ”Ž Locate Requests

 

Navigate to:

πŸ‘‰ Tenant Administration β†’ Multi Admin Approval β†’ Received requests

🧾 Review Details

 

  • Select Business justification
  • Review:
    • Requested action
    • Target resource
    • Risk context

✍️ Take Action

 

  • Add notes in Approver notes
  • Select:
    • βœ… Approve request
    • ❌ Reject request

πŸ”„ Final Completion Step

 

After approval:

  • The requestor must select β€œComplete”
  • Intune then:
    • Executes the action
    • Updates status to Completed

πŸ“Š Verify Outcome

 

Check:

  • Intune notifications panel
  • Confirmation of:
    • Success βœ…
    • Failure ❌

πŸ›‘οΈ Operational Flow Summary

 

Admin Action β†’ Submit Request β†’ Approval Required β†’ Approved β†’ Complete β†’ Action Executed

🎯 Best Practices

 

  • Separate:
    • Requestor β‰  Approver
  • Use:
    • Privileged Identity Management (PIM)
  • Require:
    • Strong business justification
  • Monitor:
    • Approval logs regularly

πŸš€ Why This Matters

 

This process introduces:

  • πŸ” Protection against compromised admin accounts
  • πŸ‘₯ Human validation for sensitive actions
  • ⏱️ Time delay for detection and response
  • πŸ“Š Full audit trail for compliance

Click Here To Return To Blog

GET IN TOUCH

  • info@fabssolutions.co.uk
  • 079 3357 5993
Stay Connected