The One Microsoft Setting Attackers Pray You Don’t Enable 

It wasn’t about ransomware. It wasn’t about phishing. It was about a single setting most companies have never enabled: Multi-Admin Approval. 

Here’s what every business using Microsoft 365 needs to know about Multi-Admin Approval and why we are pushing companies to enable it immediately. 

What Is Microsoft Intune Multi-Admin Approval? 

If you use Microsoft 365, there’s a good chance you’re using Microsoft Intune without even realizing it. Intune manages the devices, apps, and security policies across your organization. Your IT team uses it to push software updates, enforce security settings, and control what employees can access from their phones and laptops. 

Multi-Admin Approval adds a critical safety check: it requires a second administrator to approve major changes before they take effect. 

Here’s how it works. When one administrator tries to make a sensitive change like disabling your antivirus policies, modifying who can access company data, or changing device security requirements, that change doesn’t happen immediately. Instead, it goes into a pending state. A different administrator has to review and approve it before anything changes. 

The types of changes that require approval: 

  • Security policy modifications 
  • Compliance policy changes 
  • Device configuration updates 
  • App protection policy changes 
  • Access control modifications 

It’s simple: one admin requests, a different admin approves. No single person can unilaterally change critical security settings that protect your entire company. 

Microsoft’s documentation explains the technical details, but the concept is straightforward. Two people review important changes before they go live. 

Why We Are Pushing This 

We see hundreds of business breaches every month. We know which security controls prevent attacks and which ones don’t. When it comes to Multi-Admin Approval, the benefits are clear. 

Compromised Admin Accounts Are Devastating 

Hackers target administrator accounts because they unlock everything. If an attacker gets your admin credentials through phishing, credential stuffing, or any other method, they can control your entire technology environment. 

With access to your Intune admin account, attackers can turn off your antivirus protection on every computer, push malicious software to all your devices, change security settings to let them in anywhere, and lock you out of your own systems. 

Multi-Admin Approval stops this cold. The attacker would need to compromise two separate admin accounts and coordinate their timing perfectly. That’s exponentially harder than getting one set of credentials. 

One compromised admin account leads to complete organizational takeover. Multi-Admin Approval prevents it. 

Insider Threats Are More Common Than You Think 

Not every threat comes from outside your company. Disgruntled employees with administrator access can do serious damage. 

An employee planning to leave on bad terms. Someone who feels they were treated unfairly. A contractor whose engagement is ending poorly. If they have admin rights, they can disable security, delete data, or create vulnerabilities on their way out. 

Multi-Admin Approval requires two people to coordinate malicious activity. That’s rare. Most insider threats are individuals acting alone, not conspiracies. 

Even Good People Make Mistakes 

It’s not always about malicious intent. Good administrators make configuration mistakes that affect hundreds of people. 

One wrong checkbox disables security for your whole company. One mistyped setting blocks everyone from email. One accidental deployment wipes data from devices. 

The second approval step catches these mistakes. Another person reviewing the change notices the error before it impacts your business. 

We see businesses recover from attacks that should never have succeeded. A simple review process would have prevented the breach entirely. 

What This Looks Like in Real Life 

Let me walk you through three scenarios we see regularly. 

The Phishing Attack 

Your IT manager gets an email that looks exactly like it’s from Microsoft. The branding is perfect. The message seems urgent. There’s a link to verify account security. 

He clicks it. He enters his admin credentials. Within minutes, attackers have full access to your Intune environment. 

Without Multi-Admin Approval, those attackers immediately turn off endpoint protection, deploy ransomware to every managed device, and encrypt your company by lunchtime. You show up to work the next day, and nothing works. 

With Multi-Admin Approval enabled, the attackers try to disable your security settings, but the change sits in pending status. It needs approval from a second admin they don’t control. Your IT team sees the suspicious pending request during their morning review. They stop the attack before any damage happens. 

The Angry Employee 

An administrator is being let go. He knows it’s coming. On his last day, he decides to cause problems by modifying your device policies to disable security controls and create vulnerabilities. 

Without Multi-Admin Approval, his changes go live immediately. You discover the damage after he’s gone and your systems start failing. 

With Multi-Admin Approval, his malicious changes require someone else’s approval. The pending requests get flagged. You investigate before he leaves. No damage occurs. 

The Honest Mistake 

Your administrator is updating a security policy for a test group. He accidentally selects “All Users” instead of “Test Group.” It’s an easy mistake to make. 

Without Multi-Admin Approval, that change deploys to 500 employees at 9 AM Monday. Half your company loses access to critical systems. IT scrambles to figure out what broke and how to fix it. 

With Multi-Admin Approval, a second administrator reviews the change and notices it affects everyone instead of just the test group. She rejects it and asks for clarification. The mistake gets caught before anyone is impacted. 

Multi-Admin Approval prevents all three scenarios. 

How to Turn This On 

Enabling Multi-Admin Approval is straightforward if you have Microsoft Intune, which comes with most Microsoft 365 business plans. 

You need at least two people with administrator permissions in your environment. One to request changes, another to approve them. 

The high-level process: 

  • Sign in to the Microsoft Intune admin center.
  • Go to your tenant administration settings.
  • Find the Multi-Admin Approval option and enable it.
  • Choose which types of changes require approval.
  • Assign the approver role to your second administrator.

Important things to know: 

  • Don’t make the same person both the requester and approver. That defeats the entire purpose.
  • Document your approval process so everyone knows who approves what.
  • Train your administrators on the new workflow before you enable it.
  • Check pending approvals regularly so legitimate changes don’t get stuck waiting.

Small companies with two IT people can alternate roles. One person requests changes this week, approves them next week. Larger organizations might have dedicated approval groups. 

The key is that no single person can make critical security changes alone. Two sets of eyes review everything important. 
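
One way to run the regular pending-approval check described above, as an added example that is not code from Microsoft or Midnight Blue. It flags requests approved by the account that raised them, requests stuck in pending, and pending changes scoped to "All Users". The record fields, the 24-hour review window and the sample queue are assumptions constructed for illustration; map them from whatever export of approval requests you have.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class ApprovalRequest:            # hypothetical record shape, not an Intune schema
    request_id: str
    requester: str
    change_type: str
    target: str                   # group the change is assigned to
    requested_at: datetime
    status: str = "pending"       # pending | approved | rejected
    approver: Optional[str] = None

STALE_AFTER = timedelta(hours=24)     # assumed review window
BROAD_TARGETS = {"All Users"}         # scopes that deserve a second look

def triage(requests, now):
    """Return {request_id: [findings]} for the daily approval review."""
    findings = {}
    for r in requests:
        notes = []
        # Separation of duties: the approver must be a different account.
        if r.approver and r.approver.lower() == r.requester.lower():
            notes.append("same account requested and approved")
        if r.status == "pending":
            if now - r.requested_at > STALE_AFTER:
                notes.append("pending past review window")
            if r.target in BROAD_TARGETS:
                notes.append("broad scope, confirm intended group")
        if notes:
            findings[r.request_id] = notes
    return findings

def constructed_queue(now):
    """Constructed sample data for the example."""
    h = lambda n: now - timedelta(hours=n)
    return [
        ApprovalRequest("r1", "alice@example.com", "Compliance policy", "Test Group", h(2)),
        ApprovalRequest("r2", "bob@example.com", "Device configuration", "All Users", h(30)),
        ApprovalRequest("r3", "alice@example.com", "App protection policy", "Test Group",
                        h(5), status="approved", approver="Alice@example.com"),
        ApprovalRequest("r4", "bob@example.com", "Security policy", "Test Group",
                        h(4), status="approved", approver="alice@example.com"),
    ]

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for rid, notes in triage(constructed_queue(now), now).items():
        print(rid, "->", "; ".join(notes))
```
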

Microsoft’s security guidelines recommend Multi-Admin Approval for any organization using Intune. We agree. 

Need help setting this up? 

At Midnight Blue, we configure Multi-Admin Approval for businesses regularly. We make sure it works correctly without slowing down your legitimate IT work. 

This Is Just One Layer 

Multi-Admin Approval is important, but it’s not the only security control you need. 

Other critical protections include:

  • Requiring multi-factor authentication on every account so stolen passwords aren’t enough to break in.
  • Training employees to recognize phishing so they don’t click malicious links in the first place.
  • Setting up conditional access policies that block risky login attempts.
  • Monitoring your environment for suspicious activity.
  • Having an incident response plan ready before attacks happen.

One security setting doesn’t make you bulletproof. But each control you implement makes attacks harder. Multi-Admin Approval is a simple one with significant impact. 

Stack enough controls and attackers move to easier targets. That’s the goal. 

Turn It On Today 

Multi-Admin Approval is simple to enable. It takes maybe 30 minutes to configure. But the protection it provides is substantial. 

If your business uses Microsoft Intune, turn this on. Today. Not next week. Not when you have time. Today. 

Not sure if you have Intune? Not sure if Multi-Admin Approval is already enabled? Don’t know how to set it up correctly? 

Let’s talk. We help businesses secure their Microsoft 365 environments every day. 

We’ll check your current configuration, enable Multi-Admin Approval if it’s not already on, and show you what other security controls you should implement. 

Schedule a complimentary Microsoft 365 security assessment. We’ll review your Intune setup, identify gaps like Multi-Admin Approval, and show you exactly what needs to change to protect your business. 

At Midnight Blue, we’ve been protecting businesses for years. Let’s make sure yours is protected too.