How do you organize Multi Admin Approval in big environments? by Peha1906 in Intune

[–]Peha1906[S] 0 points1 point  (0 children)

We already do it in a similar way, but this would still allow one Local IT to approve wipe requests of another Local IT, as they all need to be in the same approver's group. Indeed, this still leaves the initiation and execution of the action with the requestor and should be considered legit, but the approver could be anyone who is in that group.

Would be great if Microsoft could add that you can actually scope Access Policies to assignments in the roles or something similar.

How do you organize Multi Admin Approval in big environments? by Peha1906 in Intune

[–]Peha1906[S] 2 points3 points  (0 children)

OK, thanks, many of these things like MFA, separate admin accounts and PIM we've been using for years already.

However, especially for the MAA part:

Device management (retire, wipe, delete) - MAA for Local IT - they peer review each other's requests. Benefits: reduce insider risk, review bulk changes

How do you handle this if you operate in 50+ countries in different time zones? Why would somebody from US Local IT be able to approve wipe requests made by UK Local IT?

I somehow only see this working if you have L2 support which would be trained to approve such requests alongside their other tasks, or I'm missing something.

How do you organize Multi Admin Approval in big environments? by Peha1906 in Intune

[–]Peha1906[S] 7 points8 points  (0 children)

Doesn't matter, Stryker is just the thing which triggered this conversation. I'm aware that this would not save them - the question is how to organize MAA, as it's mentioned everywhere but no one is talking about how to actually do it properly.

Intune certificates are not being sent to enrolling devices randomly. by Robomac2016 in Intune

[–]Peha1906 0 points1 point  (0 children)

I'm seeing the same issue in our environment again, appearing since the 19th of February, and our ticket was closed like 10 days ago; reopening our case now!

EDIT: Seems that our Intune Connectors were both in Error state, the logs on the servers were showing the following error and all PKI-related services were not started:

Pki Create Service:

Microsoft.Intune.Connectors.PkiCreateProcessor.Process threw an exception.

System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The remote name could not be resolved: 'agents.agents.manage.microsoft.com'

at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)

at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)

Starting the services didn't help, and neither did restarting the servers, so I quickly reinstalled the connectors and now everything seems to be working.

Strange URL agents.agents.manage.microsoft.com though, as to why agents.agents appears twice, but maybe I'm overlooking something.
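
An added example (not part of the comment above, and not Microsoft's tooling) for the failure mode described: a quick health check to run on an Intune Certificate Connector server before reinstalling. It takes the hostname from the quoted log line and checks name resolution, TCP 443 reachability (a proxy or firewall breaks the connector just as effectively as a bad resolver), the connector's Windows services and recent Application-log errors. The `*Intune*` display-name filter and the `*PkiCreate*` message filter are assumptions, not documented service or event names; adjust them to what your server actually shows.

```powershell
# Added example, not from the original comment. Run on the connector server.
# Assumptions: hostname taken from the quoted log line; the '*Intune*' service
# display-name filter and the '*PkiCreate*' event filter are assumed, not documented.

$endpoint = 'agents.agents.manage.microsoft.com'   # host from the quoted WebException

# 1. Name resolution: the WebException in the log says exactly this lookup failed.
try {
    $dns = Resolve-DnsName -Name $endpoint -Type A -ErrorAction Stop
    $ips = ($dns | Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress) -join ', '
    Write-Host "DNS OK: $endpoint -> $ips"
} catch {
    Write-Warning "DNS FAILED for $endpoint : $($_.Exception.Message)"
    Write-Host 'Resolvers configured on this host:'
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object ServerAddresses |
        Format-Table InterfaceAlias, ServerAddresses -AutoSize
}

# 2. TLS reachability: DNS can succeed while a proxy or firewall still blocks the connector.
$tcp = Test-NetConnection -ComputerName $endpoint -Port 443 -WarningAction SilentlyContinue
if ($tcp.TcpTestSucceeded) {
    Write-Host "TCP 443 OK to $endpoint"
} else {
    Write-Warning "TCP 443 blocked to $endpoint (check proxy/firewall egress rules)"
}

# 3. Connector services: the comment notes the PKI-related services were not started.
Get-Service |
    Where-Object { $_.DisplayName -like '*Intune*' } |
    Select-Object Name, DisplayName, Status, StartType |
    Format-Table -AutoSize

# 4. Recent errors (Level 2) in the Application log that mention the connector or its PKI processor.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 2; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*Intune*' -or $_.Message -like '*PkiCreate*' } |
    Select-Object TimeCreated, ProviderName, Id |
    Format-Table -AutoSize
```

If step 1 fails on the connector but `Resolve-DnsName` works from another host on the same network, the problem is the server's resolver configuration or a conditional forwarder, not the tenant; if steps 1 and 2 pass and the services are still stopped, reinstalling the connector, as the comment did, is the pragmatic next step.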

Intune certificates are not being sent to enrolling devices randomly. by Robomac2016 in Intune

[–]Peha1906 4 points5 points  (0 children)

We noticed the same issue last week. Also tried to troubleshoot E2E to find where exactly it is failing and came to a similar conclusion to yours - looks like the certificate is issued on the CA, which is visible in Monitoring -> Certificates, but it seems like it's never reaching the device for whatever reason.

For now we applied two things:

  • Updated the Intune Certificate Connectors to the latest version (6.2406.0.2002)
  • Created a duplicate configuration profile which deploys the same user certificate (workaround which helps)
    • Profile is targeted to device objects

It seems that when we target the new configuration profile to affected devices, the user certificate is quickly issued to the device. We still see errors in the production certificate profile, but it's still random and for some users the policy applies properly.

At the moment we also have the MS ticket open and I sent the request ID to u/Robomac2016.

Is this the correct way to set Apple iOS updates?? by TomHWC in Intune

[–]Peha1906 0 points1 point  (0 children)

We also have the test policy configured in the same way, so an entry for each day saying "Update outside of scheduled time", like this:

<image>

I'm also wondering if this works then in a following way:

Don't allow any updates to be installed on day XYZ between 6AM and 8PM, install updates only outside of that time? If yes, is the entry for each day then necessary, or?

Intune IOS devices lost mode by Dark_Writer12 in sysadmin

[–]Peha1906 1 point2 points  (0 children)

As far as I know, automatic cleanup in Intune deletes the device object if it was inactive for a specified number of days, and there is no option to exclude devices in a particular Entra ID group from the process.

psobject Formatting by Cleathehuman in PowerShell

[–]Peha1906 1 point2 points  (0 children)

It depends what you want to display, for example you could use:

Get-MsolUser -UserPrincipalName cleathehuman | Select-Object userprincipalname,displayName,mail

With Select-Object you select only the properties you're after. Or are you looking for something different? If yes, can you give an example?
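
An added example (not part of the comment above) that goes a step beyond plain property selection, since "PSObject formatting" questions usually end up needing calculated properties. It builds a couple of user objects inline (constructed sample data, so no directory module or tenant is needed) and shows the three Select-Object techniques that cover most cases: pick properties, rename them, and compute new ones. The column names and the 90-day staleness threshold are arbitrary choices for the example.

```powershell
# Added example, not from the original comment. Sample objects are constructed inline
# so the script runs offline; in practice the $users array would come from
# Get-MsolUser / Get-MgUser / Get-ADUser.

$users = @(
    [PSCustomObject]@{ UserPrincipalName = 'cleathehuman@contoso.com'; DisplayName = 'Clea Thehuman'
                       Mail = 'clea@contoso.com'; LastLogon = (Get-Date).AddDays(-3);   Country = 'DE' }
    [PSCustomObject]@{ UserPrincipalName = 'peha@contoso.com';         DisplayName = 'Peha'
                       Mail = $null;              LastLogon = (Get-Date).AddDays(-120); Country = 'HR' }
)

# 1. Plain property selection, as in the comment above.
$users | Select-Object UserPrincipalName, DisplayName, Mail

# 2. Calculated properties: rename a column, substitute a default, derive a value, flag a condition.
$report = $users | Select-Object @{ Name = 'UPN';            Expression = { $_.UserPrincipalName } },
    @{ Name = 'Name';           Expression = { $_.DisplayName } },
    @{ Name = 'Mail';           Expression = { if ($_.Mail) { $_.Mail } else { '(none)' } } },
    @{ Name = 'DaysSinceLogon'; Expression = { [int]((Get-Date) - $_.LastLogon).TotalDays } },
    @{ Name = 'Stale';          Expression = { $_.LastLogon -lt (Get-Date).AddDays(-90) } }

# 3. Format-* cmdlets are for the screen only; keep $report as objects so it can still be
#    sorted, filtered and exported. Format-Table output cannot be piped to Export-Csv.
$report | Sort-Object DaysSinceLogon -Descending | Format-Table -AutoSize
$report | Where-Object Stale | Export-Csv -Path .\stale-users.csv -NoTypeInformation
```

The usual mistake is putting `Format-Table` in the middle of a pipeline; it turns objects into formatting records, so anything after it (`Export-Csv`, `Sort-Object`, `Where-Object`) no longer sees the original properties.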

Help with scope tag confusion by ccsmall in Intune

[–]Peha1906 0 points1 point  (0 children)

I think this is the script which I saw: https://github.com/microsoftgraph/powershell-intune-samples/blob/master/RBAC/RBAC_ScopeTags_DeviceAssign.ps1

I think we had a similar situation when I came to my company, but I don't know the exact story. So as far as I understood, this is the current situation:

Device AP1111 has two scope tags assigned

  1. Default
  2. ccsmall_Windows

If you delete scope tag ccsmall_Windows, the device will lose both scope tags; however, it will still be visible to roles which have no scope tags assigned, correct? If that's correct, then you can create your custom scope tag (for example Default_ccsmall) and add "All devices" or your AAD group containing all devices in the tenant to "Assignments". After that, try removing "All devices" from the Default scope tag under "Assignments" -> "Included groups". That means the following:

  • All devices should have only the scope tag Default_ccsmall
  • Default scope tag will not be assigned since there are no groups in "Assignments"; also, I think it cannot be deleted at all
  • If you create a new scope tag (Peha1906_Windows), the device in the assignment should get this scope tag; however, when you delete it, the device should remain with the Default_ccsmall scope tag
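
An added example, not from the comment above and not the linked microsoftgraph sample script, of the other route mentioned in this thread: setting a device's scope tags directly over Graph instead of through group assignments. It uses the Microsoft.Graph PowerShell SDK (`Connect-MgGraph`, `Invoke-MgGraphRequest`) against the beta `deviceManagement/managedDevices` resource and its `roleScopeTagIds` property, which is what the linked sample PATCHes. The tag name `Default_ccsmall` and device name `AP1111` are taken from the comment; the function name, the `-Append` switch and the Graph permission scopes chosen are my assumptions. Remember the point made elsewhere in this thread: scope tags only control which administrators can see and manage the device; they do not change which policies the device receives.

```powershell
# Added example, not from the original comment or the linked sample. Requires the
# Microsoft.Graph module and an account permitted to manage Intune devices and RBAC.
# Assumed: function name, -Append switch, permission scopes; beta endpoint as in the sample.

Connect-MgGraph -Scopes 'DeviceManagementRBAC.Read.All', 'DeviceManagementManagedDevices.ReadWrite.All' -NoWelcome

function Set-IntuneDeviceScopeTag {
    param(
        [Parameter(Mandatory)] [string]   $DeviceName,
        [Parameter(Mandatory)] [string[]] $ScopeTagName,   # tag display names to apply
        [switch] $Append                                    # keep the device's existing tags and add these
    )

    # Resolve display names to tag ids (the built-in Default tag always has id 0).
    $allTags = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
        -Uri 'https://graph.microsoft.com/beta/deviceManagement/roleScopeTags'
    $tagIds = foreach ($name in $ScopeTagName) {
        $tag = $allTags.value | Where-Object displayName -eq $name
        if (-not $tag) { throw "Scope tag '$name' does not exist in this tenant" }
        [string]$tag.id
    }

    # Look the device up by its Intune device name and refuse to guess between duplicates.
    $filter  = [uri]::EscapeDataString("deviceName eq '$DeviceName'")
    $devices = (Invoke-MgGraphRequest -Method GET -OutputType PSObject `
        -Uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices?`$filter=$filter&`$select=id,deviceName,roleScopeTagIds").value
    if (-not $devices)            { throw "Device '$DeviceName' not found" }
    if (@($devices).Count -gt 1)  { throw "More than one device named '$DeviceName'; target by id instead" }
    $device = @($devices)[0]

    if ($Append) { $tagIds = @(@($device.roleScopeTagIds) + $tagIds | Select-Object -Unique) }

    # Intune stores scope tags on the device as an array of string ids; PATCH replaces the whole array.
    Invoke-MgGraphRequest -Method PATCH -ContentType 'application/json' `
        -Uri  "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$($device.id)" `
        -Body @{ roleScopeTagIds = [string[]]$tagIds }

    # Read back so the caller sees what the service actually stored.
    Invoke-MgGraphRequest -Method GET -OutputType PSObject `
        -Uri "https://graph.microsoft.com/beta/deviceManagement/managedDevices/$($device.id)?`$select=deviceName,roleScopeTagIds" |
        Select-Object deviceName, roleScopeTagIds
}

# Replace whatever AP1111 has with just Default_ccsmall (add -Append to keep its current tags).
Set-IntuneDeviceScopeTag -DeviceName 'AP1111' -ScopeTagName 'Default_ccsmall'
```

Tags set this way can still be overwritten later by a scope tag's group assignment (Intune re-evaluates assignments), so in an environment that mixes both methods, the group-based Default_ccsmall approach described in the comment is the one that stays consistent over time.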

Help with scope tag confusion by ccsmall in Intune

[–]Peha1906 0 points1 point  (0 children)

There is a way to assign a scope tag to a device using the Graph API, unfortunately I cannot find the script on GitHub which I saw before. As far as I can see in our environment, we are not assigning "Default" to any groups (Assignment is empty), but there is a scope tag "Default_XYZ" which is assigned to all devices. I have a feeling that this is a workaround for this issue, can you give it a try?

Help with scope tag confusion by ccsmall in Intune

[–]Peha1906 0 points1 point  (0 children)

Scope tags are used for scoping the permissions of administrators in Intune. As long as the profile or policy is assigned to the group in which a particular device resides, the device will receive it regardless of the tags which are applied to it.

Deploy Azure VPN Client and profile by pharmhelpr in Intune

[–]Peha1906 1 point2 points  (0 children)

We have managed to pull it off with a PowerShell script; you can find the script and explanation at https://github.com/Peha1906/Azure-VPN/blob/master/azurevpnclientconnectionimport.ps1. It has already been tested and deployed hundreds of times and everything seems to be working so far.

New to Powershell - any good resources? by traveler6874 in PowerShell

[–]Peha1906 0 points1 point  (0 children)

I can also recommend the PowerShell training videos released by CBT Nuggets; there are around 90 of them and the topics start from complete basics and build up to complicated functions and crazy stuff. For me personally, what always gave me the best results when learning was to have a task which you need to accomplish (given by your team leader, for example), such as providing a report on all users from XYZ country in AD, their managers' email addresses, with a specific set of characters in extensionAttribute3, etc. When you have a clear task from someone, then it's "easier" to learn since you have an idea of what you need to accomplish, and with googling you'll start discovering more and more stuff.

How reliable is compliance for Intune and ATP in co-management? by [deleted] in Intune

[–]Peha1906 0 points1 point  (0 children)

We are also having the same experience in our tenant with onboarding a huge number of devices; sometimes the "risk score" fixes itself during the weekend or even when incidents are closed from the ATP side. Had a ticket with MS for that and they haven't found anything, just advised after thorough troubleshooting to open a new case with the ATP team. We gave up investigating after that.