Intune Multi-Admin Approval: Secure Device Delete, Retire, and Wipe Actions

Strengthen Device Management with Intune’s Multi-Admin Approval for Delete, Retire, and Wipe Actions

Managing endpoints at scale means balancing agility with governance. Microsoft Intune’s new Multi-Admin Approval (MAA) feature adds an extra layer of control by requiring a second administrator’s sign-off before executing sensitive device actions. Available in Service Release 2508 and later, MAA now covers three powerful device lifecycle operations: Delete, Retire, and Wipe. Here’s how to set it up and why it matters.


Why Multi-Admin Approval Matters

When you delete, retire, or wipe a device in Intune, you’re making irreversible changes:

  • Device delete removes the device record from Intune and Azure AD, erasing its history.

  • Device retire uninstalls company apps and data without touching personal files.

  • Device wipe factory-resets the device, erasing all data.

Without oversight, a single misclick—or worse, malicious intent—could disrupt operations, expose data, or trigger accidental data loss. MAA introduces a pending-approval state: an approving admin reviews and signs off before the action proceeds. The recorded request and approval form a clear audit trail that boosts security, compliance, and accountability.


How to Configure MAA for Device Actions

1. Create an Access Policy

  1. Sign in to the Microsoft Intune admin center.

  2. Navigate to Tenant administration → Multi Admin Approval → Access policies.

  3. Click Create.

  4. In Basics, name your policy (e.g., “Device Delete – Access Policy”) and add a description.

  5. Under Policy type, select Device delete (repeat these steps later for Device retire and Device wipe).

  6. Choose applicable platforms (e.g., Windows, macOS).

  7. Click Next.

2. Define Approver Groups

  1. In the Approvers step, click + Add groups.

  2. Select—or create—a security group (e.g., MAA Approvers). Members of this group review and approve requests.

  3. Finish the wizard and click Submit.

3. Review and Activate

  1. Go to Access policies to confirm your new policy appears in the list.

  2. Test by attempting to delete a device. The action should show Pending approval.


Processing Approval Requests

  1. When an admin triggers a protected action, it lands in Tenant administration → Multi Admin Approval → All requests.

  2. An approver opens the request, reviews details, adds notes if needed, and clicks Approve or Deny.

  3. Approved actions move to My requests, where the requesting admin can track and complete the operation.


Comparing the Three Actions

| Action Type   | Effect                                  | Use Case                                  | Risk Without Approval                      |
|---------------|-----------------------------------------|-------------------------------------------|--------------------------------------------|
| Device Delete | Removes record from Intune and Entra ID | Decommissioning old hardware              | Lost audit history; accidental removals    |
| Device Retire | Clears corporate apps/data only         | Employee exits or BYOD transitions        | Unauthorized data exposure                 |
| Device Wipe   | Factory reset, erasing all data         | Lost/stolen devices; repurposing hardware | Unrecoverable data loss; business downtime |
 

Best Practices

  • Start Small: Pilot MAA with one action type before rolling out to all three.

  • Define Clear Roles: Limit approver group membership to senior IT staff.

  • Document Justifications: Require admins to supply business reasons when submitting requests.

  • Monitor Logs: Regularly review audit logs for denied or failed approvals.

  • Communicate Changes: Inform your IT team about new approval workflows to avoid confusion.
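
The "Document Justifications" and "Monitor Logs" practices above can be run as a periodic check over an export of approval requests. The Python below is an added example, not code from Microsoft or from this article; the record fields, status values, and thresholds are assumptions, and the sample records are constructed.

```python
from collections import Counter

# Constructed sample export of MAA requests. Field names and status values are
# assumptions made for this example, not the Intune or Microsoft Graph schema.
REQUESTS = [
    {"id": "r1", "action": "wipe", "requester": "alice", "approver": "dave",
     "status": "approved", "justification": "Lost laptop"},
    {"id": "r2", "action": "delete", "requester": "alice", "approver": "dave",
     "status": "approved", "justification": "Decommissioned hardware"},
    {"id": "r3", "action": "retire", "requester": "alice", "approver": "dave",
     "status": "approved", "justification": "Employee exit"},
    {"id": "r4", "action": "wipe", "requester": "bob", "approver": "erin",
     "status": "denied", "justification": ""},
    {"id": "r5", "action": "delete", "requester": "bob", "approver": "erin",
     "status": "denied", "justification": "cleanup"},
    {"id": "r6", "action": "wipe", "requester": "carol", "approver": "erin",
     "status": "approved", "justification": "   "},
    {"id": "r7", "action": "retire", "requester": "carol", "approver": "dave",
     "status": "failed", "justification": "BYOD transition"},
]
PROTECTED = {"delete", "retire", "wipe"}

def review(requests, denied_threshold=2, min_approved=3, pair_share=0.75):
    """Return (rule, admin, detail) findings for a periodic MAA log review."""
    findings = []
    scoped = [r for r in requests if r["action"] in PROTECTED]
    # Rule 1: request submitted with no business justification.
    for r in scoped:
        if not (r.get("justification") or "").strip():
            findings.append(("missing_justification", r["requester"], r["id"]))
    # Rule 2: one admin accumulating denied or failed requests.
    bad = Counter(r["requester"] for r in scoped
                  if r["status"] in ("denied", "failed"))
    for admin, n in sorted(bad.items()):
        if n >= denied_threshold:
            findings.append(("repeated_denials", admin, str(n)))
    # Rule 3: one approver signs off most of a requester's approved actions,
    # which weakens the independence the second sign-off is meant to provide.
    approved = [r for r in scoped if r["status"] == "approved"]
    per_requester = Counter(r["requester"] for r in approved)
    pairs = Counter((r["requester"], r["approver"]) for r in approved)
    for (admin, approver), n in sorted(pairs.items()):
        total = per_requester[admin]
        if total >= min_approved and n / total >= pair_share:
            findings.append(("fixed_approver_pair", admin, approver))
    return findings

if __name__ == "__main__":
    for finding in review(REQUESTS):
        print(*finding, sep="\t")
```

Map the assumed fields to whatever your audit export actually contains, and tune the thresholds to your request volume before acting on the findings.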


Governance-Ready Endpoint Management

By enforcing dual-approval on device delete, retire, and wipe actions, Intune’s Multi-Admin Approval ensures your organization prevents mistakes and strengthens compliance. You maintain fast device lifecycle operations without sacrificing visibility or control—turning Intune into a governance-ready platform for modern IT.
