Multi-Admin Approval Intune
In the wake of the recent cyberattack on Stryker, many organizations are taking a closer look at their administrative controls—particularly within Microsoft Intune. One of the primary impacts of the attack involved a large‑scale device wipe carried out through Intune using a compromised administrative account. As a result, multi-admin approval has gained increased attention as a potential safeguard against similar incidents.
In this post, I’ll walk through how to enable multi-admin approval in Intune and share some observations, including some current limitations and challenges you should be aware of before enabling this feature in your organization.
What Is Multi-Admin Approval?
Multi-admin approval is a security feature in Microsoft Intune that requires certain high‑impact administrative actions to be approved by another administrator before they are executed. These actions can include deleting or wiping devices, deploying scripts or applications, and other changes that could potentially disrupt operations.
While multi-admin approval can introduce additional friction into day‑to‑day administration—as many security controls do—it provides an important safeguard. By requiring a second set of eyes, it significantly reduces the risk of widespread damage if a single admin account is compromised, helping prevent scenarios such as mass device wipes or other large‑scale malicious actions.
Current Limitations and Considerations
While multi-admin approval is a strong security control, there are a few current limitations worth noting before enabling it broadly.
Custom RBAC and Device Deletion
One limitation I’ve observed relates to custom Intune RBAC roles. When using custom roles, the Delete device action does not always appear as an approval request within multi-admin approval. Other actions—such as device wipe—do appear and function as expected.
I currently have an open support case with Microsoft regarding this behavior and will update this post once I receive confirmation or guidance. Based on community feedback, this does not appear to be an isolated issue, as others have reported similar behavior. At the moment, the only reliable workaround is to have a user with the Intune Administrator role approve delete requests.
Approval Required for Every Action
Another limitation is that multi-admin approval currently requires approval for every individual high‑impact action, such as each device wipe or delete. There is no option to scope approvals only to bulk or mass actions.
From an operational standpoint, it would be highly beneficial to have more granular control—for example, requiring approval only when performing mass device wipes or deletions, while allowing single‑device actions to proceed without approval. As it stands today, the per-action approach maximizes security, but it also introduces administrative overhead, particularly in environments where device wipes or deletions are routine tasks.
Create a Multi-Admin Approval Access Policy
From the Intune Admin Center
Navigate to Tenant administration
Select Multi-admin approval
Choose Access policies
Click Create
Configure the Policy
Choose the Name, Description, and Policy type
Click Next
Assign Approvers
Next, add an approver group. Members of this group will be able to approve multi-admin requests for this specific policy.
Select Add groups and choose the appropriate group
Click Next
Submit for Approval
By default, all newly created access policies—or changes to existing ones—must be approved by another user with the appropriate permissions.
Enter a Business justification
Click Submit for approval
Approving a multi-admin request
As another user with appropriate permissions, go to Multi-Admin approval and approve the request. This can also be done via the Admin Tasks tab.
Select the pending request
Enter Approver notes
Click Approve request
Once approved, the request returns to the original requester for completion.
Completing the Request
As the original requester:
Select the approved request
Click Complete request
The access policy is now implemented.
What This Looks Like in Practice
Once the policy is active, actions such as device wipes will follow this workflow:
Admin 1 initiates a device wipe
Admin 2 approves the request via Multi-Admin approval or Admin Tasks
Admin 1 completes the request via Multi-Admin approval or Admin Tasks
The device wipe is initiated
This same approval flow applies to other actions protected by multi-admin approval.
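The workflow above, written out as a small model so the separation-of-duties rules are explicit. This is an added example and not Intune's implementation or any Microsoft code: the class names, the status values, the "deviceWipe" label and the admin names are constructed for illustration, and the requirement for a business justification on the request is carried over from the access-policy creation steps as an assumption. It shows what the control actually enforces: the approver must be a different admin and a member of the policy's approver group, only the original requester can complete, and a single compromised account that tries to request and approve its own wipe is stopped before anything executes.

```python
# Added example: a model of the multi-admin approval workflow described above.
# Not Intune's implementation; names, status values and the "deviceWipe" label
# are constructed assumptions used only to illustrate the control.
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Status(Enum):
    NEEDS_APPROVAL = "needsApproval"
    APPROVED = "approved"
    REJECTED = "rejected"
    COMPLETED = "completed"


@dataclass(frozen=True)
class AccessPolicy:
    name: str
    policy_type: str            # the protected action, e.g. "deviceWipe"
    approver_group: frozenset   # admins who may approve requests for it


@dataclass
class ApprovalRequest:
    requester: str
    action: str
    justification: str
    status: Status = Status.NEEDS_APPROVAL
    approver: Optional[str] = None
    approver_notes: str = ""


class ApprovalError(Exception):
    """Raised when a step violates the workflow (e.g. self-approval)."""


class MultiAdminApproval:
    """Enforces: a different admin from the approver group must approve,
    and only the original requester may complete an approved request."""

    def __init__(self, policies):
        self._policies = {p.policy_type: p for p in policies}
        self.executed = []   # (admin, action) pairs that actually ran

    def is_protected(self, action):
        return action in self._policies

    def initiate(self, admin, action, justification):
        # Actions with no access policy run immediately, as before the feature.
        if not self.is_protected(action):
            self.executed.append((admin, action))
            return None
        if not justification.strip():
            raise ApprovalError("a business justification is required")
        return ApprovalRequest(admin, action, justification)

    def approve(self, admin, request, notes):
        self._require_status(request, Status.NEEDS_APPROVAL)
        if admin == request.requester:
            raise ApprovalError("the requester cannot approve their own request")
        if admin not in self._policies[request.action].approver_group:
            raise ApprovalError(f"{admin} is not in the approver group")
        request.status, request.approver, request.approver_notes = Status.APPROVED, admin, notes

    def reject(self, admin, request, notes):
        self._require_status(request, Status.NEEDS_APPROVAL)
        if admin not in self._policies[request.action].approver_group:
            raise ApprovalError(f"{admin} is not in the approver group")
        request.status, request.approver, request.approver_notes = Status.REJECTED, admin, notes

    def complete(self, admin, request):
        self._require_status(request, Status.APPROVED)
        if admin != request.requester:
            raise ApprovalError("only the original requester can complete the request")
        request.status = Status.COMPLETED
        self.executed.append((admin, request.action))   # the wipe runs only here

    @staticmethod
    def _require_status(request, expected):
        if request.status is not expected:
            raise ApprovalError(f"request is {request.status.value}, expected {expected.value}")


def wipe_policy():
    # Constructed policy: only admin2 and admin3 may approve device wipes.
    return AccessPolicy("Wipe approval", "deviceWipe", frozenset({"admin2", "admin3"}))


def normal_flow():
    """The four-step flow from the post: initiate, approve, complete, wipe runs."""
    maa = MultiAdminApproval([wipe_policy()])
    req = maa.initiate("admin1", "deviceWipe", "Device reported lost")
    maa.approve("admin2", req, "Verified against the service desk ticket")
    maa.complete("admin1", req)
    return req.status.value, maa.executed


def single_compromised_account():
    """admin2 is in the approver group, but still cannot both request and
    approve, so a wipe driven from one compromised account never executes."""
    maa = MultiAdminApproval([wipe_policy()])
    req = maa.initiate("admin2", "deviceWipe", "routine cleanup")
    try:
        maa.approve("admin2", req, "self-approve")
    except ApprovalError as err:
        return str(err), maa.executed
    return "unexpectedly approved", maa.executed


if __name__ == "__main__":
    print(normal_flow())
    print(single_compromised_account())
```

Running the module prints the completed normal flow followed by the rejected self-approval with an empty execution list. The same object model also makes the page's first limitation concrete: an action whose policy type is never registered (as the author reports for Delete device under custom RBAC roles) falls through `is_protected` and executes without any request being raised.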