At TeamMIS, we constantly review security incidents and identify ways to protect our clients. Recently, I’ve been strongly recommending a specific security setting for businesses using Microsoft Intune: Multi-Admin Approval.
It isn’t about ransomware or phishing. It’s about a single setting most companies have never enabled that stops attacks before they start.
Here’s what every business using Microsoft 365 needs to know about Multi-Admin Approval and why we’re pushing companies to enable it immediately.
What Is Microsoft Intune Multi-Admin Approval?
If you use Microsoft 365, you’re likely using Microsoft Intune without realizing it. Intune manages devices, apps, and security policies across your organization.
Multi-Admin Approval requires a second administrator to approve major changes before they take effect. When one admin tries to make a sensitive change, like disabling antivirus policies or modifying access controls, the change goes into pending status. A different administrator must review and approve it first.
Changes requiring approval include security policy modifications, compliance changes, device configuration updates, app protection changes, and access control modifications.
It’s simple: one admin requests, a different admin approves. No single person can unilaterally change critical security settings.
Why We Strongly Recommend This
We’ve seen business breaches regularly. We know which security controls prevent attacks and which ones don’t. Multi-Admin Approval addresses three critical vulnerabilities:
Compromised Admin Accounts
Hackers target administrator accounts because they unlock everything. With access to your Intune admin account, attackers can disable antivirus protection, push malicious software, and lock you out of your systems.
Multi-Admin Approval stops this. The attacker would need to compromise two separate admin accounts and coordinate perfectly. We see this pattern constantly; one compromised account leads to complete organizational takeover.
Insider Threats
Disgruntled employees with admin access can cause serious damage. Multi-Admin Approval requires two people to coordinate malicious activity, rare for insider threats acting alone.
Honest Mistakes
Good administrators make configuration mistakes affecting hundreds of people. One wrong checkbox disables security company-wide. The second approval step catches these errors before impact.
Real-World Scenarios
The Phishing Attack
Your IT manager receives a convincing Microsoft email and clicks a phishing link, surrendering admin credentials. Without Multi-Admin Approval, attackers immediately disable endpoint protection and deploy ransomware. With it enabled, the malicious change sits pending. Your team sees the suspicious request during morning review and stops the attack.
The Angry Employee
An administrator being let go tries to disable security controls on his last day. Without Multi-Admin Approval, changes go live immediately. With it, his malicious changes require approval. You investigate before he leaves. No damage occurs.
The Honest Mistake
An administrator accidentally selects “All Users” instead of “Test Group” when updating a security policy. Without Multi-Admin Approval, the change deploys to 500 employees, breaking access. With it, a second admin catches the error before anyone is impacted.
How to Enable Multi-Admin Approval
Enabling Multi-Admin Approval is straightforward. You need at least two administrators. One requests changes, another approves them.
Key steps: Sign into Microsoft Intune admin center, go to tenant administration settings, find Multi-Admin Approval, enable it, choose which changes require approval, and assign the approver role.
Important: Don’t make the same person both requester and approver. Document your approval process, train administrators on the workflow, and check pending approvals regularly.
Small companies can alternate roles. Larger organizations might have dedicated approval groups. The key is that no single person can make critical security changes alone.
This Is Just One Layer
Multi-Admin Approval is important but not your only security control. Require multi-factor authentication on every account, train employees to recognize phishing, set up conditional access policies, monitor your environment, and have an incident response plan ready.
One security setting doesn’t make you bulletproof. But each control makes attacks harder. Stack enough controls and attackers move to easier targets.
Turn It On Today
Multi-Admin Approval is simple to enable, about 30 minutes to configure, but the protection is substantial. If your business uses Microsoft Intune, turn this on today.
Not sure if you have Intune or if Multi-Admin Approval is already enabled? Let’s talk. We help businesses secure their Microsoft 365 environments every day.
Schedule a complimentary Microsoft 365 security assessment with TeamMIS.
We’ll review your Intune setup, identify gaps, and show you exactly what needs to change to protect your business.
