Managing application approval workflow on Intune
Hi BR123-AUS,
You can do that using these steps:
1. Create an Azure AD Group:
- Sign in to the Azure portal (portal.azure.com).
- Navigate to "Azure Active Directory" in the left-hand menu.
- Select "Groups" and click on "New group."
- Add the members who will have the right to approve or reject the application deployment requests.
2. Set up Azure AD Dynamic Group:
- In the Azure portal, navigate to "Azure Active Directory" > "Groups."
- Click on the group created in step 1 or create a new group specifically for the dynamic membership.
- Set up dynamic membership rules based on criteria such as user attributes, device properties, or group membership.
3. Set up Approval Policy in Intune:
- Open the Microsoft Endpoint Manager admin center (endpoint.microsoft.com).
- Navigate to "Tenant administration" > "Multi Admin Approval" > "Access policies."
- Click on "Create" to start creating a new access policy.
- Specify the details of the access policy, such as the name, description, and targeted group.
5. Apply Conditional Access:
a. Sign in to the Microsoft Endpoint Manager admin center (endpoint.microsoft.com).
b. Navigate to "Endpoint security" and click on "Conditional access" in the left-hand menu.
c. To create a new conditional access policy:
- Click on "New policy."
- Specify a name and description for the policy.
- Under "Assignments," choose the users or groups that the policy will apply to. You can select the Azure AD dynamic group created in step 2.
- Under "Cloud apps," select the relevant application for which you want to enforce the conditional access policy.
- Review and save the policy.
***After applying the conditional access policy:
- Users who are members of the Azure AD dynamic group will be subject to the policy when accessing the specified application.
- If a user's application deployment request is approved and they are added to the dynamic group, they will be granted access to the application based on the policy settings.
- If the user's request is rejected or they are removed from the dynamic group, the conditional access policy will prevent them from accessing the application.
Use multiple administrative approvals in Intune - Microsoft Intune | Microsoft Learn
Please click Mark as Best Response & Like if my post helped you to solve your issue. This will help others to find the correct solution easily. It also closes the item. If the post was useful in other ways, please consider giving it a Like.
Kindest regards
Leon Pavesic