Implement approval workflow for Intune deployments

All Intune admins can add applications that will deploy instantly to devices. This is simple, easy and fast. But sometimes it can be too fast! Now and then admins make mistakes (not me but others). So, what if the admin forgets a crucial setting or the application detection is wrong? And as you know, anything that can go wrong will go wrong, and at the worst possible time! This is where Intune access policies come to the rescue. You can now build a change management workflow with access policies that require a second administrative account to approve a change before the change is applied. This configuration is shown as Multi Admin Approval in Intune.


The creator of the access policy must be an Intune Administrator.

Build your first access policy

  1. Open Intune Portal
  2. Select Tenant Administration / Multi Admin Approval
  3. Select the tab Access Policies, and select Create
  4. Enter a suitable name and description, select whether this policy will apply to Scripts or Apps, and click Next
  5. Add a group of Approvals, and click Next
  6. Create the access policy by clicking Create

Change Management Workflow Result

Let's say an Application Admin wants to deploy the new Windows 365 app from the new Microsoft Store.

  1. The Application Admin selects to deploy a Microsoft Store app (new)
  2. The Application Admin searches for and selects the Windows 365 app in the Microsoft Store
  3. The Application Admin accepts the default collected values from Microsoft Store
  4. The Application Admin is now presented with a new dialog box to enter a Business Justification and then submit for approval
  5. The Application Admin can then see his request in Tenant Administration / Multi Admin Approval / My Requests
  6. The Approval Admin then opens the node Tenant Administration / Multi Admin Approval / My Requests
  7. The Approval Admin opens up the Received Request to review it
  8. The Approval Admin now sees a JSON with the changes requested. He must add an Approver Note and select to Approve or Reject the request
  9. The Application Admin can then see the result, whether the request has been Approved or Rejected
  10. If the Application Admin decides to deploy an existing app (or an approved app) to a group, the same approval process will be required


This is a really good new feature. Now we can have a good change management workflow to protect against accidental and intentional changes that could affect the business in a negative way.

There is only support for Apps and Scripts. I really would like to see all configurations and security settings also.

The JSON can sometimes be hard to interpret; it would be nice to have a more user-friendly presentation.

You cannot clean up the list of requests. If you, for example, cancel a request, it will still remain in the list.

About The Author

Mr T-Bone

Torbjörn Tbone Granheden is a Solution Architect for Modern Workplace at Coligo AB. Most Valuable Professional (MVP) on Enterprise Mobility. Certified in most Microsoft technologies and over 23 years as Microsoft Certified Trainer (MCT)
