| 1 | +--- |
| 2 | +# required metadata |
| 3 | + |
| 4 | +title: About multiple administrative approvals in Intune |
| 5 | +titleSuffix: Microsoft Intune |
| 6 | +description: Configure multi-admin approval to protect against compromised administrative accounts in Intune |
| 7 | +keywords: |
| 8 | +author: brenduns |
| 9 | +ms.author: brenduns |
| 10 | +manager: dougeby |
| 11 | +ms.date: 08/17/2022 |
| 12 | +ms.topic: conceptual |
| 13 | +ms.service: microsoft-intune |
| 14 | +ms.subservice: fundamentals |
| 15 | +ms.localizationpriority: high |
| 16 | + |
| 17 | +# optional metadata |
| 18 | + |
| 19 | +#ROBOTS: |
| 20 | +#audience: |
| 21 | +ms.reviewer: craigma |
| 22 | +ms.suite: ems |
| 23 | +#ms.tgt_pltfrm: |
| 24 | +ms.custom: intune-azure |
| 25 | +ms.collection: |
| 26 | + - M365-identity-device-management |
| 27 | + - highpri |
| 28 | +--- |
| 29 | + |
| 30 | +# Use Access policies to require multiple administrative approvals |
| 31 | + |
| 32 | +*This feature is in Public Preview* |
| 33 | + |
| 34 | +To help protect against a compromised administrative account, use Intune *access policies* to require that a second administrative account is used to approve a change before the change is applied. This capability is known as multiple administrative approval (MAA). |
| 35 | + |
| 36 | +With MAA, you configure access policies that protect specific configurations, like Apps or Scripts for devices. Access policies specify what is protected and which group of accounts are permitted to approve changes to those resources. |
| 37 | + |
| 38 | +When any account in the Tenant is used to make a change to a resource that’s protected by an access policy, Intune won't apply the change until a different account explicitly approves it. Only administrators who are members of an approval group that’s assigned a protected resource in an access protection policy can approve changes. Approvers can also reject change requests. |
| 39 | + |
| 40 | +Access policies are supported for the following resources: |
| 41 | + |
| 42 | +- Apps – Applies to [app deployments](../apps/apps-add.md), but doesn't apply to app protection policies. |
| 43 | +- Scripts – Applies to deploying scripts to devices that run [macOS](../apps/macos-shell-scripts.md) or [Windows](../apps/intune-management-extension.md). |
| 44 | + |
| 45 | +## Prerequisites for access policies and approvers |
| 46 | + |
| 47 | +To create an access policy, your account must be assigned the *Intune Service Administrator* or *Azure Global Administrator* role. |
| 48 | + |
| 49 | +To be an approver, an account must be in the group that’s assigned to the access policy for a specific type of resource. |
| 50 | + |
| 51 | +## How multi admin approval and Access policies work |
| 52 | + |
| 53 | +**When an admin edits** or creates a new object for an area that’s protected by an access policy, they see an option on the *Save + Review* surface where they can enter a description of the change as a *business justification*. |
| 54 | + |
| 55 | +- The *business justification* becomes part of the approval request for the change. |
| 56 | +- An admin who has submitted a change can view the status of their requests in the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/) by going to **Tenant administration** > **Multi Admin Approval** and viewing the **My request** page. |
| 57 | + |
| 58 | +**After a change is submitted**, an *approver* navigates to the **Received request** page of the **Multi Admin Approval** node. Here they’ll see a list of requests that are active, or recently managed. This view provides some details about the request including when and who submitted it, the type of operation involved like *Create* or *Assign*, and its status. To manage the request: |
| 59 | + |
| 60 | +- The approver selects the *Business justification* link for the request. This action opens the Access policy request pane where you can view more information about the change, including the full details provided in the Business justification field of the request. |
| 61 | +- On the Access policy request pane, the approver can enter notes in the **Approver notes** field, and then select an option to **Approve request** or **Reject request**. These notes are added to the request and are visible to the individual who requested the change when they review their requests on the **My request** page. For example, if the request is rejected, the reason for the rejection can be passed back to the requestor through the Approver notes. |
| 62 | +- Individuals who submit a request and are also members of the approval group for that can see their own requests on the Received request page. However, they can't approve their own requests. |
| 63 | + |
| 64 | +**If a change is approved**, Intune processes the requested change and updates the object. While Intune processes the request, its status can display as **Approved**. After it’s successfully processed, the status updates to **Completed**. |
| 65 | + |
| 66 | +**Each change of status** remains visible for up to 30 days after the last change of status. If a request isn’t processed further within 30 days, it becomes **Expired**, and must be resubmitted. |
| 67 | + |
| 68 | +## Create an access policy |
| 69 | + |
| 70 | +1. To create an access policy, in the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/), go to **Tenant administration** > **Multi Admin Administration** > **Access policies** and select **Create**. |
| 71 | + |
| 72 | +2. On the *Basics* page, provide a *Name*, and optional *Description*, and for *Profile type* select from available options. Each policy supports a single profile type. |
| 73 | + |
| 74 | + <!-- The following screen capture shows a new policy with **Apps** selected for the profile type. --> |
| 75 | + |
| 76 | +3. On the *Approvers page*, select **Add groups** and then select a group as the group of approvers for this policy. More complex configurations that exclude groups aren't supported. |
| 77 | + |
| 78 | +4. On the *Review + Create* page, review, and then save your changes. After Intune applies this policy, configurations for the protected profile type will require multiple admin approvals. |
| 79 | + |
| 80 | +## Submit a request |
| 81 | + |
| 82 | +To submit a request when MAA is enabled, use your normal process to create or edit a resource. |
| 83 | + |
| 84 | +On the final page before you can save your changes, add details to the *Business justification* field and then submit the request. For urgent requests, consider reaching out to a known list of approvers to ensure your request is seen in a timely manner. |
| 85 | + |
| 86 | +When there's a request for the same object that is already pending approval, you won't be able to submit your request. Intune displays a message to alert you to this situation. |
| 87 | + |
| 88 | +To monitor the status of your requests, in the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/) go to **Tenant administration** > **Multi Admin Approval** > **My requests**. |
| 89 | + |
| 90 | +You can cancel a request before it’s approved by selecting it from the My requests page, and then selecting **Cancel request**. |
| 91 | + |
| 92 | +## Approve requests |
| 93 | + |
| 94 | +1. To find requests to approve, in the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/) go to **Tenant administration** > **Multi Admin Administration** > **Received requests**. |
| 95 | + |
| 96 | +2. Select the *Business justification* link for a request to open the review page where you can learn more about the request, and manage approval or rejection. |
| 97 | + |
| 98 | +3. After reviewing the details, enter relevant details in the Approver notes field, and then select **Approve request** or **Reject request**. |
| 99 | + |
| 100 | +4. After you approve a request, Intune processes the change and updates the status to *Completed* after it’s successfully applied. The request status might change to *Approved* for a limited time if the update to the resource takes time to process. |
| 101 | + |
| 102 | +## More considerations |
| 103 | + |
| 104 | +- With the public preview, Intune doesn't send notifications when new requests are created, or the status of an existing request changes. We recommend that when submitting an urgent change request, you reach out to individuals who have permission to approve those requests. |
| 105 | + |
| 106 | +- Plan to monitor the status of your requests through the *My requests* page of the *Multi Admin Approval* node in the Microsoft Endpoint Manager admin center. |
| 107 | + |
| 108 | +- When an approval is already pending for an object, a new request is can't be submitted for it. |
| 109 | + |
| 110 | +- All actions for a protected resource are protected, including but not limited to: |
| 111 | + - Edit |
| 112 | + - Create |
| 113 | + - Modify |
| 114 | + - Delete |
| 115 | + - Assign |
| 116 | + |
| 117 | +- Actions for requests and the approval process are logged in the Intune audit logs. For more information, see [Audit logs for Intune activities](../fundamentals/monitor-audit-logs.md). |
| 118 | + |
| 119 | +- The following status conditions are available for a request: |
| 120 | + - Needs approval – This request is pending action by an approver. |
| 121 | + - Approved – This request is being processed by Intune. |
| 122 | + - Completed – This request has been successfully applied. |
| 123 | + - Rejected – This request was rejected by an approver. |
| 124 | + - Canceled – This request was canceled by the admin who submitted it. |
| 125 | + |
| 126 | +## Next steps |
| 127 | + |
| 128 | +Manage [role-based access control](../fundamentals/role-based-access-control.md) |
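Review bot: the admin center navigation path is inconsistent within the new file: the "Create an access policy" and "Approve requests" steps send the reader to **Tenant administration** > **Multi Admin Administration**, while the "How multi admin approval and Access policies work", "Submit a request" and "More considerations" sections call the same node **Multi Admin Approval**; please settle on one name (the rest of the page uses "Multi Admin Approval") so an admin following the steps is not looking for a node that does not exist. The page names have the same problem, appearing as both **My request** / **My requests** and **Received request** / **Received requests**. Two smaller wording fixes: "a new request is can't be submitted for it" under "More considerations" should read "a new request can't be submitted for it", and "members of the approval group for that can see their own requests" is missing its noun (presumably "for that resource type"). Last, the "All actions for a protected resource are protected" list names both Edit and Modify, which read as the same operation; either drop one or state how they differ.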