Intune: Multi Admin Approval

How to setup Intune Multi Admin Approval for scripts.

Microsoft Intune Multi Admin Approval enables administrators to create an approval layer when uploading scripts or apps in Microsoft Intune. The use of Multi Admin Approval assists in safeguarding a compromised administrative account. With Intune admin approval, a second administrator must review and approve the script or app before it can be utilized within Microsoft Intune.

Create a Access Policy for Scripts
Go to Tenant Administration > Multi Admin Approval > Access Policies and click on + Create.

Select a group of employees who are authorized to approve actions in Microsoft Intune.

Review your settings and click on create; your Multi-Admin access policy has been created.

Upload a Powershell script

Navigate to Devices > Scripts > + Add > Windows 10 and later.

Upload your script.

Under Review + Add, you now need to provide a Business Justification.

Business justification > Submit for approval

Manage Approval requests

With the account under which you uploaded a script, you cannot perform approvals. This needs to be done by another administrator account.

However, you can check the status of your request under “My Requests.”

Now, let’s log in with another admin account and go to Multi Admin Approval. Here, we can see the request made by my other account.

If we click on the script, we can view the details of the request. We can see who created it, the type of script it is, and how it intends to run.

Additionally, we can review the code of the PowerShell script.

If everything is in order, a note should be provided, and the script can be approved.

Switching back to the other account, the request has changed to Approved!

Here, we can read the notes from the approver and mark the request as Complete. After completing, the script becomes visible under the scripts section at Devices > Scripts. It can then be assigned to devices.

Delete a script

Multi Admin Approval is not only for adding scripts but also for removing them. If you want to delete a script, you need to provide a justification and create an approval submission.

The process remains the same; the other admin must approve the request before the script can be deleted.