If you manage Microsoft Intune with automation scripts, Azure Automation runbooks, or third-party tools, you need to pay close attention to the latest update rolling out the week of June 22, 2026.
Microsoft has announced that Multi Admin Approval (MAA) now enforces approval workflows on application-authenticated (app-auth) API calls made through the Microsoft Graph API.
Here is a technical breakdown of what this means for enterprise IT, why it matters, and the immediate steps you should take.
The Change
Previously, Intune’s Multi Admin Approval feature was only enforced on interactive (delegated) administrator actions. This meant that if an admin went into the portal to wipe a device or change a script, it required a second admin’s approval. However, if an automated script or a service principal executed the exact same action via the Graph API using an app-only token, the action sailed right through without approval.
This is no longer the case. Automated and scripted calls that use app-only tokens will now be intercepted by MAA when the target resource (like apps, scripts, or device actions) is protected by an access policy.
If your automation attempts to modify a protected workload without the appropriate approval headers, the API will return an HTTP 403 Forbidden error.
Real-World Implications
This change enforces the “four-eyes principle” across both the UI and API, closing a significant security loophole. However, it will break existing automations if they are not updated.
- Broken Runbooks: Any custom PowerShell scripts or Power Automate flows that modify protected Intune resources using a Service Principal will fail immediately if an MAA policy is active.
- Third-Party Disruption: Tools that leverage enterprise applications to manage Intune (such as patch management or provisioning tools) are now subject to these blocks unless they are specifically excluded.
- Improved Security Posture: A compromised service principal with broad permissions (e.g., DeviceManagementManagedDevices.ReadWrite.All) can no longer initiate mass device wipes or deploy malicious scripts without an interactive human approval step.
Immediate Actions for Intune Admins
To ensure your automations continue running smoothly while maintaining security, take these steps:
1. Identify Protected Workloads
Navigate to Tenant administration > Multi Admin Approval > Access Policies in the Intune admin center. Check which profile types (Apps, Scripts, Device Actions) are currently protected by MAA and compare this against your automated workflows.
2. Update Automation Scripts
If you maintain custom scripts, you must update your API requests to handle the new MAA workflow:
- Include the x-msft-approval-justification header with a Base64-encoded business justification.
- Wait for an admin to interactively approve the request in the Intune portal (applications cannot approve their own requests).
- Resubmit the original request using the x-msft-approval-code header.
3. Configure Enterprise Application Exclusions
If updating the code isn’t feasible immediately—for example, if you rely on a third-party vendor tool—you can use the new Exclusions tab within the MAA access policy wizard. This allows you to exempt specific enterprise applications or service principals from MAA enforcement so their workflows do not break.
4. Harden Your Service Principals
For any applications you choose to exclude from MAA, it is critical to treat them as highly privileged entities. Lock them down using Conditional Access for workload identities, restrict the use of client secrets in favor of certificate-based authentication, and continuously audit their usage.
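As an added illustration of step 2 (this is example code written for this post, not Microsoft's or any vendor's), the helper below wraps an app-only Graph call so that the first leg carries the Base64-encoded justification header and the second leg replays the same request with the approval code. The resource URI, the JSON body, the change-ticket text and the way the approval code reaches the operator are placeholders and assumptions; only the two header names and the 403 behaviour come from the announcement.

```powershell
# Example helper (not from the original post). Assumes $AccessToken is an app-only
# bearer token obtained through your existing client-credential flow, and that the
# approving admin hands the approval code to the operator out of band.
function Invoke-IntuneMaaRequest {
    param(
        [Parameter(Mandatory)] [string] $Uri,            # protected Intune Graph resource (placeholder)
        [Parameter(Mandatory)] [string] $Method,         # POST / PATCH / DELETE
        [Parameter(Mandatory)] [string] $AccessToken,    # app-only bearer token
        [string] $Body,                                  # JSON payload, if the call needs one
        [Parameter(Mandatory)] [string] $Justification,  # business reason shown to the approver
        [string] $ApprovalCode                           # supplied only on the resubmission leg
    )

    $headers = @{
        Authorization  = "Bearer $AccessToken"
        'Content-Type' = 'application/json'
        # MAA expects the justification Base64-encoded.
        'x-msft-approval-justification' =
            [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Justification))
    }
    if ($ApprovalCode) {
        # Second leg: identical request, now carrying the code produced by the human approval.
        $headers['x-msft-approval-code'] = $ApprovalCode
    }

    try {
        return Invoke-RestMethod -Uri $Uri -Method $Method -Headers $headers -Body $Body
    }
    catch {
        $status = [int]$_.Exception.Response.StatusCode
        if ($status -eq 403 -and -not $ApprovalCode) {
            # MAA blocked the unapproved app-auth call. Do not retry in a loop: an admin has to
            # approve in the Intune portal, then this runbook (or a later run) resubmits with -ApprovalCode.
            Write-Warning "MAA approval required for $Method $Uri; justification submitted, waiting on an admin."
            return $null
        }
        throw   # any other failure is a real error and should surface in the runbook log
    }
}

# First leg: submit with justification (placeholder ticket reference).
# $first = Invoke-IntuneMaaRequest -Uri $uri -Method 'POST' -AccessToken $token -Body $json `
#              -Justification 'CHG-PLACEHOLDER: update device compliance script'
# Second leg, once an admin has approved in the portal and supplied $code:
# $done  = Invoke-IntuneMaaRequest -Uri $uri -Method 'POST' -AccessToken $token -Body $json `
#              -Justification 'CHG-PLACEHOLDER: update device compliance script' -ApprovalCode $code
```

Keep the first-leg 403 visible in your runbook output rather than swallowing it: a sudden spike of MAA-blocked app-auth calls is exactly the signal you want if an excluded or over-privileged service principal starts doing something it never did before.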
By proactively adapting to this change, you can significantly enhance your tenant’s security without bringing your essential operational automations to a halt.