Create Multi-Admin Approvals for Intune Apps with PowerShell

In this tutorial, I will show you how to create multi-admin approval access policies in Microsoft Intune using the Microsoft Graph PowerShell SDK. This is perfect if you want to automate your build process and keep multiple tenants to the same standard while avoiding potential user mistakes.

If you want to jump to the script, click here.

What are Multi-Admin Approvals in Intune?

Multi-admin approval access policies in Intune allow you to ensure a second administrator approves the deployment of apps and scripts to endpoints within Intune. 

By creating this secure workflow, you are ensuring you are protecting your endpoints from malicious or compromised administrators, it does this by allowing a second person (maybe in compliance or security) to validate that the app or script is approved, validated or documented.

Multi-admin approvals apply when any user account in your tenant is used to create a resource that is protected by an access policy. 

How do Multi-Admin Approvals Work?

When you create a multi-admin approval in Intune, you define what type of resource you want to protect (be it an App or Script). You then define which users are able to approve the requests, by selecting a group.

Then when a user then goes to create an app or script, they will be presented with a text box to fill out the business justification for the application. 

The approval admin will then log in to their multi-admin approval requests and decide whether to approve or deny the request. They will also be able to see the business justification from the creator.

How to create a multi-admin approval access policy in the Intune admin center

To create a Multi-Admin approval access policy from within the Intune admin center, follow these steps:

1. Login to endpoint.microsoft.com.

2. From the left-hand menu, select Tenant administration.

Select Tenant administration
Select Tenant administration

3. Select Multi Admin Approval.

Select Multi-admin approval
Select Multi-admin approval

4. Select the Access policies tab at the top, then click on Create to launch the multi-admin approval policy creation wizard.

Create a multi admin approval access policy

5. Enter a meaningful name for your access policy then select a profile type which this policy will apply to. You can select either Apps or Scripts.

Access policy creation wizard
Access policy creation wizard

6. On the Approvers tab, click Add groups and select the group that includes the users that you wish to be able to approve the access requests.

Choose your approvers group

7. On the final page, click Create. You will then see the approval policy listed on the Access policies tab.

Access policies page
Access policies page

How to create a multi-admin approval access policy with PowerShell

If you want to be able to deploy the approval policy from PowerShell using the Microsoft Graph PowerShell SDK, you can use the below script which is also available on my GitHub Page here.

#Author:    Daniel Bradley
#Website:   https://ourcloudnetwork.com
#LinkedIn:  https://www.linkedin.com/in/danielbradley2/

#Define settings
$DisplayName = "test2"  #Enter the desired policy name
$Description = "test1"  #Enter the desired policy description
$PolicyType  = "Apps"  #Enter either 'Apps' or 'Scripts'
$ApproversGroup = "Approval Admins" #Enter the exact name of the approvers groups

#Checks for Microsoft Graph
if (Get-Module -ListAvailable -Name Microsoft.Graph.Devices.CorporateManagement) 
{
} else {
        Install-Module -Name Microsoft.Graph.Devices.CorporateManagement -Scope CurrentUser
        Write-Host "Microsoft Graph Authentication Installed"
}

#Imports Module
Import-Module Microsoft.Graph.Devices.CorporateManagement, Microsoft.Graph.Groups

#Select Beta Profile
Select-MgProfile -Name Beta

#Connect to Microsoft Graph
Connect-MgGraph -Scopes DeviceManagementConfiguration.ReadWrite.All, Group.Read.All

#Store Target group
$targetgroup = Get-MgGroup | Where-Object {$_.DisplayName -eq $ApproversGroup}

#Define the URI
$uri = "https://graph.microsoft.com/beta/deviceManagement/operationApprovalPolicies"

#Define policy parameters
$json = 
@{
  "@odata.type" = "#microsoft.graph.operationApprovalPolicy"
  displayName = "$DisplayName"
  description = "$Description"
  policyType = "$PolicyType"
  approverGroupIds = @($targetgroup.id)
 } | ConvertTo-Json

#Create policy
$companyportal = Invoke-MgGraphRequest -Uri $uri -Body $json -Method POST -ContentType "application/json"

The end user experience once you have enabled your access policy

Once you have your policy in place, it will take about 5 minutes before the change affects your end users. Ensure they sign out of their admin browser sessions and sign back in also.

When a user creates either a script or app deployment within Intune, on the Review + create page they will see the following text box enabling them to submit their request for approval.

Submit request for approval
Submit request for approval

For the approval admin, when they return to the Multi-admin approvals page, they will see the received request with the state of Needs approval.

View received requests
View received requests

Strangely, the approver will need to click on the hyperlinked text under the Business justification heading to be presented with the option to approve the request. They can then enter some relevant notes and click Approve request.

Approve request by approver
Approve request by approver

Unfortunately, right now, there is no native option to create email notifications, or no notification at all from within the admin centre to advise the approval admin of the received request. However this could easily be done by monitoring the audit log.

Leave a Reply