Enhancing Security with Multiple Administrative Approval (MAA) in Microsoft Intune
Microsoft Intune’s **Multiple Administrative Approval (MAA)** feature adds an extra layer of security by ensuring that administrative changes require approval from a second account before being applied. This prevents unauthorized changes and protects sensitive configurations.
Here’s a **step-by-step guide** on how MAA works and how to set it up.
### **Step 1: Understanding Multiple Administrative Approval (MAA)**
MAA ensures that changes made to certain Intune configurations are reviewed by another administrator before taking effect. This applies to:
✔ **Apps** – App deployments (but not app protection policies)
✔ **Scripts** – Scripts deployed to Windows devices
✔ **Access Policies** – Creation and management of MAA policies
### **Step 2: Prerequisites for Using MAA**
Before setting up MAA, ensure:
✅ You have at least **two administrator accounts** in your tenant.
✅ The admin making changes **can’t approve their own requests**—a second account must approve.
✅ The account creating policies must have the **Intune Service Administrator or Azure Global Administrator role**.
✅ Approver accounts must be **in an approval group** assigned to the access policy.
### **Step 3: How MAA Works**
Whenever an admin makes a change to a **protected resource**, the request goes into a **pending approval state**.
1️⃣ **Admin submits a change** and provides a **business justification**.
2️⃣ **Intune holds the request** until another approved admin **reviews and approves** it.
3️⃣ If approved, **Intune applies the change**; otherwise, the request is **rejected or canceled**.
### **Step 4: Creating an Access Policy**
To enable MAA for specific resources:
🔹 **Go to** Microsoft Intune admin center > Tenant administration > Multi Admin Approval > Access policies.
🔹 Click **Create**.
🔹 Enter a **Name** and optional **Description**.
🔹 Select a **Profile type** (Apps, Scripts, or Access Policies).
🔹 Click **Add groups** and select **approver groups** for this policy.
🔹 Review and **Save** the policy.
After setting up, any changes to the protected configuration will require **multiple approvals** before being applied.
### **Step 5: Submitting a Change Request**
Whenever MAA is enabled, follow these steps to submit a request:
✅ Make **changes** to a resource in Intune.
✅ On the final page, enter a **business justification**.
✅ Submit the request—**it will be pending approval** from another admin.
Admins can track their **pending requests** via **Microsoft Intune admin center > Multi Admin Approval > My Requests**.
### **Step 6: Approving or Rejecting Requests**
🔹 Go to **Microsoft Intune admin center > Multi Admin Approval > Received Requests**.
🔹 Click on the **Business justification** for the request.
🔹 Review details and enter notes in the **Approver notes field**.
🔹 Select **Approve** or **Reject**.
Once approved, the requestor must **confirm the change** by selecting **Complete**, after which **Intune will process the request**.
### **Step 7: Monitoring Status Updates**
Each change request will have one of the following statuses:
✔ **Needs approval** – Waiting for an admin to approve.
✔ **Approved** – Awaiting final confirmation from the requestor.
✔ **Completed** – Successfully applied.
✔ **Rejected** – Declined by the approver.
✔ **Canceled** – Withdrawn by the requestor.
Requests remain visible for **30 days**, after which they expire if not processed.
### **Final Considerations**
🔹 **No automatic notifications** are sent—admins should monitor the **My Requests** page.
🔹 If an object already has a pending request, no new requests can be submitted for it.
🔹 All actions—edit, create, delete—are logged in **Intune audit logs** for tracking.
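Because no notifications are sent and requests age out after 30 days, a scheduled check over an export of the request list can surface stalled items. The following is an added example, not part of the original guide and not Microsoft tooling; the record fields (`id`, `object`, `status`, `requestor`, `approver`, `submitted`) and the sample data are constructed assumptions, not Intune's schema.

```python
from datetime import datetime, timedelta, timezone

EXPIRY = timedelta(days=30)                    # requests expire after 30 days (per this guide)
OPEN_STATES = {"Needs approval", "Approved"}   # not yet Completed, Rejected or Canceled

# Constructed sample export; the field names are assumptions, not Intune's schema.
SAMPLE = [
    {"id": "r1", "object": "script:Set-Baseline", "status": "Needs approval",
     "requestor": "alice", "approver": None, "submitted": "2024-05-05T09:00:00+00:00"},
    {"id": "r2", "object": "app:VPN-Client", "status": "Approved",
     "requestor": "bob", "approver": "carol", "submitted": "2024-05-07T09:00:00+00:00"},
    {"id": "r3", "object": "app:Browser", "status": "Completed",
     "requestor": "dave", "approver": "dave", "submitted": "2024-05-10T09:00:00+00:00"},
    {"id": "r4", "object": "script:Cleanup", "status": "Needs approval",
     "requestor": "erin", "approver": None, "submitted": "2024-04-20T09:00:00+00:00"},
    {"id": "r5", "object": "app:Mail", "status": "Needs approval",
     "requestor": "frank", "approver": None, "submitted": "2024-05-28T09:00:00+00:00"},
]

def triage(requests, now, warn_days=7):
    """Return (id, finding) pairs for requests that need a human to look at them."""
    findings = []
    for r in requests:
        # Separation of duties: requestor and approver must be different accounts.
        if r["approver"] is not None and r["approver"] == r["requestor"]:
            findings.append((r["id"], "self-approved: check audit logs"))
        if r["status"] not in OPEN_STATES:
            continue
        left = datetime.fromisoformat(r["submitted"]) + EXPIRY - now
        if left <= timedelta(0):
            findings.append((r["id"], "past the 30-day window"))
        elif left <= timedelta(days=warn_days):
            who = "an approver" if r["status"] == "Needs approval" else "the requestor (Complete)"
            findings.append((r["id"], f"{left.days}d left, waiting on {who}"))
    return findings

if __name__ == "__main__":
    now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for the sample
    for rid, finding in triage(SAMPLE, now):
        print(rid, finding)
```
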
With **Multiple Administrative Approval (MAA)**, organizations can ensure **greater security and accountability**, preventing **unauthorized changes** and **protecting critical configurations**.