Forum Discussion

BR123-AUS
Copper Contributor
Jul 10, 2023

Managing application approval workflow on Intune

Hi,


We currently deploy applications on laptops using Intune via attaching a packaged application to an Azure AD group. 


We would like to include a management approval for the application deployment, and as a result once management approval has been added, the user will be added to the Azure AD group, which will trigger the application to be deployed.


Would you have any suggestions for how this can be implemented?


Thanks and regards,


Barbara

  • LeonPavesic
    Silver Contributor

    Hi BR123-AUS,

    You can do that using these steps:

    1. Create an Azure AD Group:
    - Sign in to the Azure portal (portal.azure.com).
    - Navigate to "Azure Active Directory" in the left-hand menu.
    - Select "Groups" and click on "New group."
    - Add the members who will have the right to approve or reject the application deployment requests.

    2. Set up Azure AD Dynamic Group:
    - In the Azure portal, navigate to "Azure Active Directory" > "Groups."
    - Click on the group created in step 1 or create a new group specifically for the dynamic membership.
    - Set up dynamic membership rules based on criteria such as user attributes, device properties, or group membership.

    3. Set up Approval Policy in Intune:
    - Open the Microsoft Endpoint Manager admin center (endpoint.microsoft.com).
    - Navigate to "Tenant administration" > "Multi Admin Approval" > "Access policies."
    - Click on "Create" to start creating a new access policy.
    - Specify the details of the access policy, such as the name, description, and targeted group.


    5. Apply Conditional Access:
    a. Sign in to the Microsoft Endpoint Manager admin center (endpoint.microsoft.com).
    b. Navigate to "Endpoint security" and click on "Conditional access" in the left-hand menu.
    c. To create a new conditional access policy:
    - Click on "New policy."
    - Specify a name and description for the policy.
    - Under "Assignments," choose the users or groups that the policy will apply to. You can select the Azure AD dynamic group created in step 2.
    - Under "Cloud apps" select the relevant application for which you want to enforce the conditional access policy.
    - Review and save the policy.

    ***After applying the conditional access policy:
    - Users who are members of the Azure AD dynamic group will be subject to the policy when accessing the specified application.
    - If a user's application deployment request is approved and they are added to the dynamic group, they will be granted access to the application based on the policy settings.
    - If the user's request is rejected or they are removed from the dynamic group, the conditional access policy will prevent them from accessing the application.


    Use multiple administrative approvals in Intune - Microsoft Intune | Microsoft Learn

    Please click Mark as Best Response & Like if my post helped you to solve your issue. This will help others to find the correct solution easily. It also closes the item. If the post was useful in other ways, please consider giving it a Like.

    Kindest regards

    Leon Pavesic
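One way to script the step the original question describes (once an approval has been recorded, add the user to the Azure AD group that Intune uses as the app's assignment group), as an added PowerShell example that is not from this thread or from Microsoft. It assumes the Microsoft Graph PowerShell SDK is installed; the group name and the approval reference are placeholders, and the approval decision itself is captured elsewhere (a ticket, a form), with this script only performing the membership change afterwards.

```powershell
# Added example: add an approved user to the Intune app assignment group.
# Assumes the Microsoft.Graph PowerShell SDK; group name and approval reference are placeholders.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [Parameter(Mandatory)] [string] $AssignmentGroupName,   # placeholder, e.g. "Intune-App-Contoso-Approved"
    [Parameter(Mandatory)] [string] $ApprovalReference      # placeholder ticket/approval id, kept for audit
)

# Least privilege: request only the scopes needed to read the user and group and change membership.
Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All", "GroupMember.ReadWrite.All" | Out-Null

$user = Get-MgUser -UserId $UserPrincipalName -ErrorAction Stop

# Resolve the group by display name and insist on exactly one match, so a similarly
# named group cannot receive the member by mistake.
$filter = "displayName eq '$($AssignmentGroupName.Replace("'", "''"))'"
$groups = @(Get-MgGroup -Filter $filter -ErrorAction Stop)
if ($groups.Count -ne 1) {
    throw "Expected exactly one group named '$AssignmentGroupName', found $($groups.Count)."
}
$group = $groups[0]

# Refuse to touch a dynamic-membership group: its members are computed from the rule,
# so a manual add is rejected; the attribute the rule keys on must be changed instead.
if ($group.GroupTypes -contains "DynamicMembership") {
    throw "Group '$($group.DisplayName)' is dynamic; update the user attribute its rule uses instead."
}

# Idempotent: re-running after a partial failure must not error or duplicate the add.
$existing = Get-MgGroupMember -GroupId $group.Id -All | Where-Object { $_.Id -eq $user.Id }
if ($existing) {
    Write-Host "$UserPrincipalName is already a member of $($group.DisplayName); nothing to do."
} else {
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id -ErrorAction Stop
    Write-Host "Added $UserPrincipalName to $($group.DisplayName) (approval $ApprovalReference)."
}

# Keep a local audit line tying the membership change to the approval, alongside the
# "Add member to group" entry Azure AD writes to its own audit log.
"$(Get-Date -Format o)`t$ApprovalReference`t$UserPrincipalName`t$($group.DisplayName)" |
    Add-Content -Path ".\app-approval-log.tsv"
```

Intune then deploys the packaged app to the user's device on the next assignment evaluation, exactly as it does today for members added by hand.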

  • BR123-AUS
    Copper Contributor
    Hi LeonPavesic,

    We just tested the above in our environment.

    Would it be possible for you to advise on the following:
    1. How do we manage packaged applications we have added (such as an application we added to Intune and packaged)? The example provided is for Cloud apps only.
    2. How does the end user make the request?

    Thanks and regards,

    @BARB-123
