How to Set up Multiple Administrator Approval for Intune Device Actions

How to Set up Multiple Administrator Approval for Intune Device Actions - How-to

In complex Microsoft 365 environments, administrative actions carry significant risk. A misconfiguration or an accidental click during a routine task can have immediate and severe consequences, such as an unintended remote device wipe or the deletion of critical enrollment records. A single administrator being able to trigger such an action alone is a single point of failure, and that directly contradicts Zero Trust and separation-of-duties principles.

To mitigate this risk, organizations can implement the Multi-Admin Approval (MAA) feature for high-impact tasks within Intune. Often referred to as Dual Admin Control or the "Four-Eyes" principle, MAA ensures that sensitive actions, such as a device Wipe, Retire, or Delete, are reviewed and explicitly approved by a second administrator before they execute.

This is a critical governance layer that provides an indispensable audit trail and robust protection against human error. This guide details the steps necessary to configure and operationalize MAA for device actions in your environment.

Prerequisites:

Before configuring the MAA policy, two prerequisites must be correctly established.

Create the Dedicated Approver Security Group

This group will house all the administrators authorized to approve MAA requests.

  1. Sign in to the Microsoft Entra admin center.
  2. Navigate to Entra ID > Groups > All groups.
  3. Click + New group.
  4. Group type: Select Security.
  5. Group name: Give it a clear name (e.g., SG-Intune-MAA-Approvers).
  6. Membership type: Select Assigned.
  7. Add the administrator accounts that will be authorized to approve the requests to the Members list.
  8. Click Create.

Link the Approver Group to an Intune Role

Intune only keeps track of groups that are referenced by an Intune role assignment. Binding the approver group to a role prevents it from being "inadvertently pruned" from Intune's directory sync, so it remains visible and selectable for the MAA policy long-term.

  1. Sign in to the Microsoft Intune admin center.
  2. Navigate to Tenant administration > Roles.
  3. Select an existing, low-impact role, such as the built-in "Read Only Operator" role. (A custom role with the minimum permissions your tenant allows is also a good option; the assignment exists only to anchor the group, not to grant the approvers rights.)
  4. Select the Assignments tab, and then click + Assign.
  5. Give the assignment a name. Click Next.
  6. Admin Groups: Click + Select groups to include.
  7. Find and select your new Dedicated Approver Security Group (e.g., SG-Intune-MAA-Approvers). Click Select.
  8. Click Next through the remaining settings (Scope groups and Scope tags).
  9. Review and click Create.
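The two prerequisites above can also be scripted, which is useful when the same approver group has to be set up consistently across several tenants. The following is an added example using the Microsoft Graph PowerShell SDK; it is not part of the original article. The group name, the member UPNs and the assignment name are placeholders, and the role-assignment request body follows the `deviceAndAppManagementRoleAssignment` shape in Graph v1.0, which you should verify against your tenant before running it.

```powershell
# Added example (not from the original article): creates the MAA approver group
# and binds it to a low-impact Intune role so that Intune keeps it in sync.
# Placeholders: group name, member UPNs, assignment name, scopeType.

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All', 'DeviceManagementRBAC.ReadWrite.All'

$groupName = 'SG-Intune-MAA-Approvers'                    # placeholder
$approvers = @('alice@contoso.com', 'bob@contoso.com')    # placeholder UPNs

# 1. Create (or reuse) the security group with assigned membership
$group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName `
        -Description 'Approvers for Intune Multi Admin Approval requests' `
        -MailEnabled:$false -MailNickname 'sg-intune-maa-approvers' `
        -SecurityEnabled
}

# 2. Add the approver accounts, skipping any that are already members
$existing = @((Get-MgGroupMember -GroupId $group.Id -All).Id)
foreach ($upn in $approvers) {
    $user = Get-MgUser -UserId $upn
    if ($existing -notcontains $user.Id) {
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
    }
}

# 3. Anchor the group to the built-in Read Only Operator role
$role = Get-MgDeviceManagementRoleDefinition -All |
    Where-Object { $_.DisplayName -eq 'Read Only Operator' }
if (-not $role) { throw 'Read Only Operator role definition not found' }

# Assumed body shape (Graph v1.0 deviceAndAppManagementRoleAssignment).
# scopeType 'allDevices' only widens where the read-only role applies; it grants
# the approvers nothing beyond read access.
$body = @{
    '@odata.type'               = '#microsoft.graph.deviceAndAppManagementRoleAssignment'
    displayName                 = 'MAA approver group anchor'   # placeholder
    description                 = 'Keeps the MAA approver group referenced by an Intune role'
    members                     = @($group.Id)
    scopeMembers                = @()
    scopeType                   = 'allDevices'
    'roleDefinition@odata.bind' = "https://graph.microsoft.com/v1.0/deviceManagement/roleDefinitions/$($role.Id)"
}
Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/roleAssignments' `
    -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'
```

After it runs, open Tenant administration > Roles > Read Only Operator > Assignments in the Intune admin center and confirm the new assignment lists the approver group; the group should then appear when you reach the Approvers page of the MAA policy wizard.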


Creating the Multi-Admin Approval Access Policy

The Access Policy defines what action is protected and who is authorized to approve it. This step is performed by the initial administrator (the Requester).

  1. Sign in to the Microsoft Intune admin center.
  2. Navigate to Tenant administration > Multi Admin Approval.
  3. Select the Access policies tab and click + Create.


Define the Policy Scope

  1. Name: Enter a descriptive name.
  2. Profile type: Select Device wipe. Click Next.
  3. Select the Platforms to which this policy will apply.
  4. Click Next.

Assign the Approver Group

  1. On the Approvers page, click + Add groups.
  2. Select the Dedicated Approver Security Group you created in the Prerequisites section.
  3. Click Select, then click Next.

Submit the Policy for Approval

  1. Review the settings on the Review + submit for approval page.
  2. Provide a Business justification for creating the policy itself (e.g., “Implementing MAA as per security audit requirements to enforce separation of duties.”).
  3. Click Submit for approval.

Activating the Multi-Admin Approval Policy in Intune

Because creating or changing an MAA access policy is itself a security-impacting change, the policy request must be approved by a member of the approver group before it becomes active. The requester cannot approve their own request.

Review and Approve the Policy Creation (Approver Role)

  1. The Approver Admin signs in to the Microsoft Intune admin center.
  2. Navigate to Tenant administration > Multi Admin Approval > Received requests.
  3. Locate and select the pending policy creation request.
  4. Add Approver notes.
  5. Click Approve request.


Complete and Activate the Policy (Requester Role)

  1. The Requester Admin signs back into the Intune admin center.
  2. Navigate to Tenant administration > Multi Admin Approval > My requests.
  3. The request status will show as Approved. Click the request.
  4. Click Complete.


Executing a Protected Device Action (The Workflow)

When an admin attempts a protected action, the following workflow is triggered:

Initiating the Request (Requester Role)

  1. The Requester navigates to a device and selects a protected action (e.g., Device Wipe).
  2. A dialog box appears, showing the MAA requirement.
  3. The Requester enters a mandatory Business justification for the device action.
  4. The Requester clicks Submit for approval.

The device action is halted. The request is visible in the My requests tab with the status Needs approval.

Reviewing and Approving the Action (Approver Role)

  1. The Approver signs in and navigates to Tenant administration > Multi Admin Approval > Received requests.
  2. They review the device, the action type, and the Requester’s justification.
  3. They add Approver notes (e.g., "Verified user termination date; proceeding with the device wipe.").
  4. They click Approve request.

The request status changes to Approved.

Finalizing and Executing the Action (Requester Role)

  1. The Requester returns to My requests.
  2. The request status is Approved. Click the request.
  3. Click Complete.

Intune executes the device action. The complete workflow (request, justification, approval notes, and completion) is recorded in the Intune audit logs. Note that a requester can't approve their own request even if they are a member of the approver group, so a single compromised or careless admin account cannot satisfy both roles.
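Operationally, approvers need a way to see what is waiting for them without polling the portal, and auditors need to tie each executed action back to its request. The following is an added example, not part of the original article, that lists MAA requests by status and pulls recent Intune audit events for correlation. The `operationApprovalRequests` resource lives in the Graph beta endpoint; the property names used here (`status`, `requestDateTime`, `requestJustification`, `requestor`) are taken from the beta schema and the status values are assumed, so verify them against your tenant.

```powershell
# Added example (not from the original article): enumerate Multi Admin Approval
# requests by status and pull recent Intune audit events for correlation.
# Assumptions: beta resource deviceManagement/operationApprovalRequests with
# properties status, requestDateTime, requestJustification, requestor.

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All', 'DeviceManagementManagedDevices.Read.All'

function Get-MaaRequest {
    # Status values assumed from the beta schema: needsApproval, approved,
    # rejected, cancelled, completed, expired.
    param([string]$Status = 'needsApproval')

    $uri = 'https://graph.microsoft.com/beta/deviceManagement/operationApprovalRequests'
    $all = @()
    do {                                   # follow @odata.nextLink paging
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $all += $page.value
        $uri  = $page.'@odata.nextLink'
    } while ($uri)

    $all | Where-Object { $_.status -eq $Status } | ForEach-Object {
        [pscustomobject]@{
            Id            = $_.id
            Requested     = $_.requestDateTime
            # Requestor shape not relied on; serialized as-is for display
            Requestor     = ($_.requestor | ConvertTo-Json -Compress)
            Justification = $_.requestJustification
        }
    }
}

function Get-RecentIntuneAudit {
    # Intune audit events (Graph v1.0 deviceManagement/auditEvents) from the last N days
    param([int]$Days = 7)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    Get-MgDeviceManagementAuditEvent -All -Filter "activityDateTime ge $since" |
        Select-Object ActivityDateTime, ActivityType, ActivityOperationType,
                      ActivityResult, ComponentName,
                      @{ n = 'Actor'; e = { $_.Actor.UserPrincipalName } }
}

# Approver view: what is waiting for a second pair of eyes
Get-MaaRequest -Status 'needsApproval' | Format-Table -AutoSize

# Auditor view: approved-but-not-completed requests still need the requester
# to click Complete, so they are worth flagging separately
Get-MaaRequest -Status 'approved' | Format-Table -AutoSize

# Correlate with the audit trail (who did what, and whether it succeeded)
Get-RecentIntuneAudit -Days 7 | Sort-Object ActivityDateTime -Descending | Format-Table -AutoSize
```

Running the first call on a schedule and forwarding non-empty results to the approvers' channel turns the "Received requests" tab into a push notification; the audit query gives a second, independent record that every wipe in the period had a matching approved request.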

Conclusion:

By implementing Multiple Administrator Approval, you establish a governance control that protects your environment against both human error and a single compromised admin account. Every critical device action is now backed by an auditable workflow that records who requested it, who reviewed it, and why. For tenants where a device wipe can be triggered from a single console, this is a necessary step toward modern, compliant security.
