Imagine a compromised administrative account going wild in your Intune environment. Wouldn’t protecting your configuration with a second factor, like MFA, be great? Join me while I experience Intune’s new Multiple Administrative Approvals (MAA) feature, which is out in public preview!
The MAA technology
By using Intune access policies we can require a second administrative account to approve changes before they are applied to the production environment. This sounds a lot like MFA (Multi-Factor Authentication), but let’s welcome MAA (Multiple Administrative Approvals) instead.
The goal of MAA is to protect specific configurations. At the time of writing, MAA is in public preview and the only available options are to protect Apps and Scripts for devices. I hope this will also be extended to other parts of Intune. It also seems natural to add this security layer to Security Policies, Device Configuration Policies, App Configuration Policies, App Protection Profiles, etc.
The introduction of MAA will impact the change process around Intune since changes now need to be validated before they are effectively implemented.
The approval can only be performed by a user account other than the one that created the change. This introduces two MAA roles:
- The change requester, who must be assigned the Intune Services Administrator or Azure Global Administrator role.
- The approver, who must be a member of an approval group assigned to the access policy. The approver must also hold the same privileged role as the change requester; being a member of the approval group alone is not enough.
I will create a separate Azure AD group for addressing the approvers in my test environment.
This group will now be used when setting up the Intune Access Policies.
Define Intune Access Policies
I will now define my first Intune Access Policy. By navigating to Tenant Administration – Multi Admin Approval – Access Policies in the Intune Portal, I find the option to create a new policy.
I will now select the profile type Apps to protect any action on an application in Intune. This covers actions like create, edit, assign and delete on applications.
Next I will select the group of approvers for this access policy.
The access policy will now appear in the Intune portal like this:
Verify the MAA experience
Add a new application
Now that applications are protected by MAA, it’s time to test this new experience by adding a new application. I will add an application using the new Microsoft Store experience which I covered in this blog post: Simon does… The new Microsoft Store Experience (skotheimsvik.no)
As a result of the new MAA access policy, I now have to provide a business justification before the app can be submitted for approval.
After saving the application, I can find my requests in a list at Tenant administration – Multi Admin Approval – My requests:
It is possible to open your own requests to review them.
The only operation allowed on your own requests is to cancel them.
The status of a change remains visible for up to 30 days after its last status change.
The applications are listed as normal in the applications list.
I would have liked an updated status in the application list above, but today I have to click the application to get this kind of detailed information.
If I click that information, I get the same JSON information as shown above.
Delete or change an application
If I try to delete an application, it will lead to an approval request with a business justification.
Approval of requests
All requests waiting for approval are listed under Tenant Administration – Multi Admin Approval – Received requests in the Intune portal.
As mentioned, I am not allowed to approve my own requests. I have to ask a colleague who holds the correct RBAC role and who is a member of the app approval group to handle this. Please note that there are no automatic notifications in the solution today.
When the approver opens one of the approval requests, he can add an approver note and either approve or reject the request:
The list will be updated with the new status, and the approver note will be visible when checking the details of the request.
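The rules from the roles list earlier in the post and from this approval section, collected into one added Python model (my illustration of the described behaviour, not Intune's own code). The role labels are the ones the post uses, the group name and user principal names are constructed, and the enforcement order is an assumption:

```python
"""Model of the Intune Multi Admin Approval (MAA) rules described in the post.
Added illustration, not Intune code: role labels follow the post, the group and
users are constructed, and the order of checks is an assumption."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, FrozenSet, Optional

# Roles the post says both requester and approver must hold (labels as the post spells them)
PRIVILEGED_ROLES = frozenset({"Intune Services Administrator", "Azure Global Administrator"})
VISIBILITY_WINDOW = timedelta(days=30)   # requests stay listed this long after the last status change
EXAMPLE_NOW = datetime(2023, 3, 6, 9, 0, tzinfo=timezone.utc)   # constructed clock for the demo


class Status(Enum):
    NEEDS_APPROVAL = "needsApproval"
    APPROVED = "approved"
    REJECTED = "rejected"
    CANCELLED = "cancelled"


class MaaError(PermissionError):
    """Raised when an action violates an MAA rule."""


@dataclass(frozen=True)
class User:
    upn: str
    roles: FrozenSet[str]
    groups: FrozenSet[str]


@dataclass(frozen=True)
class AccessPolicy:
    protected_type: str      # "app" or "script", the two types in public preview
    approver_group: str      # Azure AD group assigned to the policy


@dataclass
class ChangeRequest:
    requester: str
    protected_type: str
    operation: str           # create / edit / assign / delete
    justification: str
    last_status_change: datetime
    status: Status = Status.NEEDS_APPROVAL
    approver: Optional[str] = None
    approver_note: str = ""


def _require_privileged(user: User) -> None:
    if not (user.roles & PRIVILEGED_ROLES):
        raise MaaError(f"{user.upn} lacks a privileged Intune role")


def submit_change(policies: Dict[str, AccessPolicy], user: User, protected_type: str,
                  operation: str, justification: str, now: datetime) -> ChangeRequest:
    """Create a change; if an access policy covers the type, it waits for approval."""
    _require_privileged(user)
    req = ChangeRequest(user.upn, protected_type, operation, justification, now)
    if protected_type not in policies:
        req.status = Status.APPROVED      # unprotected type: applied immediately
    elif not justification.strip():
        raise MaaError("a business justification is required for protected changes")
    return req


def decide(policies: Dict[str, AccessPolicy], approver: User, req: ChangeRequest,
           approve: bool, note: str, now: datetime) -> ChangeRequest:
    """Approve or reject a pending request, enforcing the separation-of-duties rules."""
    if req.status is not Status.NEEDS_APPROVAL:
        raise MaaError(f"request is already {req.status.value}")
    if approver.upn == req.requester:
        raise MaaError("a requester cannot approve their own request")
    policy = policies[req.protected_type]
    if policy.approver_group not in approver.groups:
        raise MaaError(f"{approver.upn} is not in approver group {policy.approver_group}")
    _require_privileged(approver)      # group membership alone is not enough
    req.status = Status.APPROVED if approve else Status.REJECTED
    req.approver, req.approver_note, req.last_status_change = approver.upn, note, now
    return req


def cancel(user: User, req: ChangeRequest, now: datetime) -> ChangeRequest:
    """Cancelling is the only action a requester may take on their own request."""
    if user.upn != req.requester:
        raise MaaError("only the requester can cancel a request")
    if req.status is not Status.NEEDS_APPROVAL:
        raise MaaError(f"request is already {req.status.value}")
    req.status, req.last_status_change = Status.CANCELLED, now
    return req


def visible_until(req: ChangeRequest) -> datetime:
    """When the request drops out of the request lists (30 days after last status change)."""
    return req.last_status_change + VISIBILITY_WINDOW


if __name__ == "__main__":
    policies = {"app": AccessPolicy("app", "sg-intune-app-approvers")}
    simon = User("simon@contoso.example", frozenset({"Intune Services Administrator"}), frozenset())
    peer = User("peer@contoso.example", frozenset({"Azure Global Administrator"}),
                frozenset({"sg-intune-app-approvers"}))
    req = submit_change(policies, simon, "app", "create", "Deploy 7-Zip", EXAMPLE_NOW)
    decide(policies, peer, req, True, "Looks good", EXAMPLE_NOW)
    print(req.status.value, "visible until", visible_until(req).date())
```

The three failing approver cases (the requester, a group member without the role, a role holder outside the group) are the ones the post calls out; a request for a type with no access policy goes straight to applied, which mirrors the preview only protecting apps and scripts.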
Verify the application
The application is now available in the list of all apps.
Now the app needs to be assigned and guess what – this will kick off a new change request that needs to be verified by MAA.
Once approved by the approver, the change requester will be notified in his own portal if he stays signed in.
This will be a nice safety valve for configuration changes.
Concluding the experience
The new MAA feature will be a welcome contribution to security operations in Intune – especially if the solution is extended to more areas, as mentioned at the start, and not only covering apps and scripts.
It would be great to have automatic notifications on pending approvals. This is not present in the system today. This area might be where the community can shine by providing a customized solution.
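One shape such a community solution could take, as an added example that is not part of the post or of Intune: a small job that turns the list of received requests into a digest for the approver group. The JSON layout is my assumption of what the Graph beta endpoint GET /beta/deviceManagement/operationApprovalRequests returns (verify the field names against the current documentation before relying on them), and the sample response and the 24-hour escalation threshold are constructed for the demo:

```python
"""Digest of pending MAA requests for a custom notification job.
Added example, not part of Intune or the post. The JSON shape is an assumption
about GET /beta/deviceManagement/operationApprovalRequests (check current Graph
documentation); the sample data below is constructed."""
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List

ESCALATE_AFTER = timedelta(hours=24)   # flag requests nobody has handled for a day (constructed threshold)
EXAMPLE_NOW = datetime(2023, 3, 6, 9, 0, tzinfo=timezone.utc)   # constructed clock for the demo

# Constructed sample of a Graph response (assumed shape, see above)
SAMPLE_RESPONSE = json.dumps({"value": [
    {"id": "req-1", "status": "needsApproval",
     "requestDateTime": "2023-03-05T07:00:00Z",
     "requestor": {"user": {"userPrincipalName": "simon@contoso.example"}},
     "requestJustification": "Publish 7-Zip from the Microsoft Store",
     "requestedOperation": {"entityType": "mobileApp", "entityName": "7-Zip"}},
    {"id": "req-2", "status": "needsApproval",
     "requestDateTime": "2023-03-06T06:30:00Z",
     "requestor": {"user": {"userPrincipalName": "simon@contoso.example"}},
     "requestJustification": "Assign 7-Zip to the pilot group",
     "requestedOperation": {"entityType": "mobileApp", "entityName": "7-Zip"}},
    {"id": "req-3", "status": "approved",
     "requestDateTime": "2023-03-04T10:00:00Z",
     "requestor": {"user": {"userPrincipalName": "anna@contoso.example"}},
     "requestJustification": "Remove retired script",
     "requestedOperation": {"entityType": "deviceManagementScript", "entityName": "cleanup.ps1"}},
]})


def _parse_graph_time(value: str) -> datetime:
    # Graph returns ISO 8601 with a trailing Z; fromisoformat needs +00:00 before Python 3.11
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def pending_requests(raw: str, now: datetime) -> List[Dict]:
    """Return the requests still waiting for a decision, oldest first, with age info."""
    items = []
    for r in json.loads(raw)["value"]:
        if r.get("status") != "needsApproval":
            continue                                   # approved/rejected/cancelled need no nag
        age = now - _parse_graph_time(r["requestDateTime"])
        op = r.get("requestedOperation", {})
        items.append({
            "id": r["id"],
            "requester": r["requestor"]["user"]["userPrincipalName"],
            "target": f'{op.get("entityType", "?")}:{op.get("entityName", "?")}',
            "justification": r.get("requestJustification", ""),
            "age_hours": round(age.total_seconds() / 3600, 1),
            "escalate": age >= ESCALATE_AFTER,
        })
    return sorted(items, key=lambda i: -i["age_hours"])


def build_digest(items: List[Dict]) -> str:
    """Plain-text message for the approver group (e.g. a Teams webhook or mail body)."""
    if not items:
        return "No MAA requests are waiting for approval."
    lines = [f"{len(items)} MAA request(s) waiting for approval:"]
    for i in items:
        flag = "  [OVERDUE]" if i["escalate"] else ""
        lines.append(f'- {i["id"]} {i["target"]} by {i["requester"]}, '
                     f'{i["age_hours"]}h old: {i["justification"]}{flag}')
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_digest(pending_requests(SAMPLE_RESPONSE, EXAMPLE_NOW)))
```

Run on a schedule with a real Graph call in place of SAMPLE_RESPONSE, the digest only ever reports what is already visible under Received requests; it adds the push the portal lacks today, not any new permission.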
The log of received requests and actions performed is not especially good as I see it in the public preview today. It is missing vital data in the overview, making it hard to read and to trace the actions performed.
However, regarding logs of tasks performed in Intune, I would rather rely on my colleagues’ fabulous Intune Audit Dashboard published for the community at msendpointmgr.com. I guess this solution will be updated to cover this new feature pretty soon.
Nevertheless, this function is highly relevant, with its extra layer of security applied to the change process around Intune.