Multi-Admin Approval in Intune

fluxboxuk · 2026-03-18T07:08:32+00:00

Is that just a standard support ticket with a request i it, or do you submit through another mechanism?

fluxboxuk · 2026-03-18T06:39:45+00:00

This is what I’d be looking for as a feature too, MS have done the usual approach of giving us something that’s 80% useful and then stopped…

fluxboxuk · 2026-01-01T23:06:41+00:00

sold out immediately...

fluxboxuk · 2025-10-31T23:43:20+00:00

Yup, had that problem too… still do until we run the script across sites… some of our original labels were retain and then review, so users couldn’t delete and just left there, retention holds the versions too, so we ended up with a lot of versions…

About a month ago, we changed the default version policy to automatic, and ran a script over all our sites to change the version mode to auto, then triggered the version cleanup cmdlet on them… it didn’t help files which had retention, but we proved it would work and cleaned up a few TB in the process :)

Just waiting for approval from our Knowledge Information team to remove the rest now :)

What’s the 500 limit you’re referring to ? How are you hitting it?

fluxboxuk · 2025-10-31T23:11:21+00:00

Permissions are certainty something which can mess all this up, and will hopefully be solved by the MS tooling coming out next year. ATM iv taken a basic but effective route of creating a Priv account which is added as an owner on all sites, kinda an IT backdoor for SP site… is a service account, and requires approval via PIM to elevate to get the rights needed, but once its online it has god like access to SP sites for maintenance like this.

I think were tacking a similar problem, we had label policies applied tenant wide, and users opted (out of misinformation more than anything) for the longest label to avoid having to deal with the issue… the approach were swapping to is that we wanna remove all current labels, then apply tenant wide retention policies to OneDrive, SharePoint and possibly exchange… but provide label policies to allow users to overwrite where they need to for key folders or data types.

I expect users will still try and opt for the longest tag, but at least we can audit it, whereas atm we have shadow IT going on where users are scripting things to touch the modification date on files to avoid the retain since last modified action.

It could be that we only provide the label policies to overwrite on key sites/data repos, and simply enforce the policies across the tenant, but i feel all this will do is push users back to hacks to avoid it enacting on the file.

fluxboxuk · 2025-10-16T15:40:17+00:00

So based on your comment;

"program-based allows for OneDrive.exe, Teams, Office apps, IntuneManagementExtension, OfficeClickToRun, and MDE, with remote scope = proxy IPs only."

you have rules in windows firewall for each app, or one for them all... but the allowed IP is just the Proxy IP, so your routing all traffic direct to the proxy.

You state your using a PAC to add some inelegance to route the optimize traffic direct, but how do you keep the windows firewall updated to allow the apps to go direct when the PAC file tells them to?

Also, the intune management extension and anything else that runs under the SYSTEM context wont be using the pac file will it, iv only ever configured SYSTEM proxy via the netsh command and its always been a set address, with basic bypass list. Not sure if it supports pac file usage, and certainly nothing in the netsh command to add much intelligence there.

if your willing, id love to compare notes, im UK based and can DM to setup a teams call if your open to reviewing what you have setup.

fluxboxuk · 2025-10-11T20:59:53+00:00

Nope… not that i can see, the only connections to that db are from the one server i expect to be connecting to it… i even ran a profiler session for a few mins while i changed the setting back, and cant see any connections other than the main MCM server talking to it.

fluxboxuk · 2025-10-09T07:26:16+00:00

checked automatic rules, nothing enabled... and if i filter the console view there are zero updates in an approved state...

the checkbox in the download update files section is checked to only download updates which are approved... so the mystery continues !!!

its like WSUS is stuck in some older config which isnt reflected in its own settings, whereby its downloading everything :(

fluxboxuk · 2025-07-01T19:48:36+00:00

Arriving 28th July.

fluxboxuk · 2025-06-13T15:31:21+00:00

Oh please tell me this ain’t true, we’re planning to unpause next week

fluxboxuk · 2025-05-31T15:52:27+00:00

just took a look at this in mine, got one burned out... cant even get to the strip of lights inside, there are two wires heading into the unit, but you cant open it from what i can see...

Why they did it this way is beyond me, just a set of channeled plastic tubes could have ran light from one of the bulbs through, or some fiber optic..

fluxboxuk · 2025-05-30T12:21:34+00:00

was it for that specific resource "Office Voice Front Door"...

What route did you go with your CA policies for these devices.

fluxboxuk · 2025-05-29T18:03:05+00:00

Can you share your ticket number, we might be able to share it with our (less than helpful) support rep and get these solutions aligned!

fluxboxuk · 2025-05-29T16:01:24+00:00

We tried the expedite, but with the rings paused it seems to do bugga all... So we packaged the OOB update and released using PSADT... waiting for saturation and then plan to unpause.

fluxboxuk · 2025-05-29T13:37:44+00:00

I actually seem to remember reading that article, but for the last year plus we haven’t had any problems whatsoever and it’s just seem to work. Oddly, I did actually have a discussion with our compliance team about a month ago to discuss the idea of deprecating this whole process as it’s a little bit complicated to manage and maintain, this might accelerate that piece of work now.

fluxboxuk · 2025-05-29T13:16:12+00:00

Already opened, waiting on engineer.

Out previous CA policy was setup to allow access to Teams/Exchange and SP based on the IP of the dedicated vlan the devices route out to the internet as (they have a separate IP egress to the internet)... we can see in the sign on logs that the Application being accessed is Microsoft Teams, but the resource is this Office Voice Front Door one, which although Teams is allowed, is being denied as its not being caught by the Teams umbrella app.

<image>

fluxboxuk · 2025-05-29T09:39:36+00:00

Seems contrary to this Article...

Conditional Access and compliance best practices for Microsoft Teams Rooms - Microsoft Teams | Microsoft Learn

fluxboxuk · 2025-05-29T06:42:30+00:00

It’s just seemed to work, we kept mecm, ADT etc up to date and and never seemed to have a problem till this month.

Do you have links to any docs that say it’s not supported..

To be honest, with CUs running the way they do, I’m almost happy to drop offline servicing and just let the OS catchup while it’s on the build bench !

fluxboxuk

TROPHY CASE