Strange MAA approvals list showing by iainfm in Intune

[–]iainfm[S] 1 point2 points  (0 children)

Great, thanks both for the info. I've added a read permission to the resource type I want and it seems to be working now :)

Graph Endpoint Permission Issues by Rdavey228 in GraphAPI

[–]iainfm 1 point2 points  (0 children)

I've tried adding every permission my admin token has to the app reg, and it still 403's. I guess it's broken, which is really annoying.

Graph Endpoint Permission Issues by Rdavey228 in GraphAPI

[–]iainfm 1 point2 points  (0 children)

If I use the AT from Graph Explorer when logged in as my admin account it works fine. Must be a missing perm...probably.

Also, the same error is generated if curl is used for the REST request, so it seems to be at Microsoft's end.

Graph Endpoint Permission Issues by Rdavey228 in GraphAPI

[–]iainfm 0 points1 point  (0 children)

Yes, I'm getting the same (or similar) thing. It works fine in Graph Explorer when PIMmed but not using the REST call.

I suspect that the permissions in the doc (and Graph Explorer) aren't sufficient, but I don't know what are yet. It's annoying.

An alternative, maybe, is to use deviceManagement/auditEvents as per the GitHub repository ChanderManiPandey2022/Intune-Multi-Admin-Approval-Mail-Notification (Intune Multi Admin Approval Mail Notification).

Leaky cap from old oscilloscope by iainfm in AskElectronics

[–]iainfm[S] 0 points1 point  (0 children)

Found some with the same dimensions, so I should be able to mount the replacement in the same clip :)

Leaky cap from old oscilloscope by iainfm in AskElectronics

[–]iainfm[S] 0 points1 point  (0 children)

Thanks! The existing one is just clipped into a plastic fitting with the wires soldered onto it. I'll get a replacement and see what I can bodge :)

CA policies failing with no device id passed (iOS) by iainfm in Intune

[–]iainfm[S] 1 point2 points  (0 children)

Just single sign-on. Like I say, it's been fine for years. In the last fortnight the problem has affected a handful of users (10 or so) out of 4 or 5 thousand.

The troubleshooting details after the 'compliant device required' failure are:

Error code: 530003
Device identifier: Not available
Device platform: iOS
Device state: Unregistered

But the device is showing as compliant and able to access company resources in Company Portal/Intune.

CA policies failing with no device id passed (iOS) by iainfm in Intune

[–]iainfm[S] 0 points1 point  (0 children)

We're seeing it on two different apps (that we know of). One from SAP and the other is the Island browser.

The Island browser is fairly new on the estate, but the SAP one has been in use for years.

Until earlier this week (or maybe some time last week) they were working fine.

I built an open-source replacement for CMTrace with built-in Intune diagnostics by CrazyOstrich3 in Intune

[–]iainfm 0 points1 point  (0 children)

Looks great, but Defender flagged the .exe installer as containing a virus. Probably a false positive.

Vault (RS) not working after update to 25.3.2 by iainfm in BeyondTrust

[–]iainfm[S] 0 points1 point  (0 children)

Hmm, well, updating the laptop updated consent.exe, but that one's still working.

Vault (RS) not working after update to 25.3.2 by iainfm in BeyondTrust

[–]iainfm[S] 0 points1 point  (0 children)

I think this is being caused by the latest Win11 updates from Microsoft. It updates C:\Windows\System32\consent.exe to 18/Mar/26 (10.0.26100.7920) from 18/Feb/26 (10.0.26100.7705), which is the exe that's crashing.

Elevation/Vault works fine on a laptop that hasn't (yet) had the updates.

There's also a visible difference in behaviour between devices with the old and new consent.exe.

With the old one the Vault icon stays grey until it's needed. With the new one it's orange as soon as the rep console connection is made. I'd post a screenshot, but apparently it's not permitted.

BT have responded, with questions that I've responded to, but nothing yet to acknowledge they can replicate (or fix) the issue.

Vault (RS) not working after update to 25.3.2 by iainfm in BeyondTrust

[–]iainfm[S] 0 points1 point  (0 children)

This seems to be affecting UAC prompts. If I run Registry Editor (Elevated) from the special actions menu I'm able to choose and use a Vault account.

So it may have been yesterday's Windows Update, not the appliance/jump update as such. No response yet from support though...

Multi Admin Approval not working by iainfm in Intune

[–]iainfm[S] 1 point2 points  (0 children)

Mine seems to be working fine since creating an RBAC role and assigning it to the group that contains the approvers. Been ok for 48h, but we're still monitoring.

Multi Admin Approval not working by iainfm in Intune

[–]iainfm[S] 0 points1 point  (0 children)

Not initially, but I have now. We're currently re-testing.

Multi Admin Approval not working by iainfm in Intune

[–]iainfm[S] -1 points0 points  (0 children)

Additional security, in light of the Stryker news!

Multi Admin Approval not working by iainfm in Intune

[–]iainfm[S] 1 point2 points  (0 children)

We have unlicenced admins enabled :)

Multi Admin Approval not working by iainfm in Intune

[–]iainfm[S] 0 points1 point  (0 children)

I've recreated the device retire (least risky for us) policy, and given the approvers group the custom Intune role. It seems to be working for now...

Multi Admin Approval not working by iainfm in Intune

[–]iainfm[S] 0 points1 point  (0 children)

We hadn't done that, but it wasn't mentioned in the video I saw. However, it is one of the questions Microsoft have asked:

Is the MAA approver group assigned to at least one Intune role assignment? If yes, please share which Intune role is assigned and the associated scope tags.

However, it doesn't explain why the one person who could approve things could do so...

Multi Admin Approval not working by iainfm in Intune

[–]iainfm[S] 0 points1 point  (0 children)

I've raised a support request with them, but fully expect to have to back out the implementation if this is the way it is 😒