Your Intune Automation Scripts Gatekeeper — Meet MAA for Graph API
Welcome back folks! I got a treat for you today! So, you built the PowerShell script. You tested it. You scheduled it. You trusted it. And then Microsoft quietly handed it a clipboard and said: "Not so fast — someone needs to sign off on that."
Welcome to Multi Admin Approval (MAA) expanding to Graph API automation in Intune. If your tenant has MAA access policies configured and you're running service principals, scripts, or third-party tools that write into Intune through Graph, your automation is now subject to the same approval workflow as a human clicking around in the admin center.
Yes, really.
What MAA Actually Is (Quick Recap)
Multi Admin Approval is Intune's four-eyes control for sensitive administrative actions. When a protected resource gets a change request, Intune doesn't apply it immediately — it stages it, locks the object, and waits for a second admin to approve or reject it before the original requestor can click Complete and make it stick.
The MAA workflow has three distinct roles: the requester who submits the change, the approver who reviews and signs off, and the same requester who comes back to complete the action after approval. Critically, the admin who submitted the request cannot approve their own request. Microsoft Learn
Before this change, MAA mostly applied to humans in the admin center. Now MAA enforces approval workflows on application-authenticated (app-auth) API calls made through the Microsoft Graph API — so if your org uses service principals, automation scripts, or third-party applications to manage Intune resources, those calls get intercepted by MAA when the target resource is protected by an access policy. Microsoft Learn
What Gets Caught
MAA only applies to operations that modify protected resources — POST, PATCH, PUT, DELETE. Read-only GET operations aren't affected. So your reporting scripts and audit queries are fine. Your app deployment scripts, policy assignments, wipe automations? Those are squarely in scope if MAA access policies protect those workloads. Microsoft Learn
The protected resource types MAA can cover include apps, scripts, device actions, and roles. If your access policies wrap any of those, your automation is in the conversation now. Microsoft Learn
The Error That Tells You MAA Caught Your Script
You won't get a friendly pop-up. The error you want to look for is: Header 'x-msft-approval-justification' is required to request approval. If you're seeing that in your logs, MAA intercepted the call and your change is now sitting in a queue waiting for a human. Patch My PC
This is what happened to multiple organizations when the enforcement first rolled out — automation flows using application-based authentication, such as service principals and app registrations, began failing unexpectedly because MAA was applied to app-based automation flows where it previously hadn't been enforced. Patch My PC
Two Ways to Handle It
Microsoft gives you two paths, and neither one is "ignore it and hope":
Path 1: Update your scripts to play along. Include a justification header with your requests so MAA knows the automation is intentionally submitting a change that needs approval. Your script becomes MAA-aware — it submits with a justification, and then a human still approves it. Not ideal for fully unattended automation, but it's the "right" answer security-wise. Microsoft Learn
Path 2: Exclude the application from MAA enforcement. If your script uses app-only tokens (client-credentials flow), you can exclude the specific application from the access policy. This is meant as a temporary workaround when a code change isn't immediately feasible — not a permanent "get out of jail free" card. Use this for trusted, well-audited automation while you build Path 1. Microsoft Learn
The Bigger Picture: Why MAA Exists
If you're wondering why Microsoft is pushing this hard, the Stryker incident earlier this year is your answer. Attackers compromised an Intune admin account and used it to trigger a large-scale device wipe — some reports put the number at around 80,000 wiped devices. With MAA enabled for device actions, a wipe request doesn't run automatically just because one admin account requested it. Patch My PC
One compromised credential shouldn't be the difference between a bad day and a catastrophic one. MAA is the guardrail.
What to Do Right Now
Check if MAA is enabled in your tenant. Go to Tenant administration > Multi Admin Approval > Access policies in the Intune admin center. If there are active access policies listed, MAA is enabled for those workloads. Microsoft Learn
Audit your automation. Review every service principal, script, and third-party tool that writes into Intune via Graph. Map each one against the protected resource types. Anything that touches apps, scripts, device actions, or roles is potentially affected.
Build your notification story. Intune does not send automatic notifications when a new approval request is created or when a request changes status — approvers need to actively check the portal, or you need to build your own notification mechanism. A recommended approach is using Azure Logic Apps or Power Automate to monitor the Intune audit logs and trigger a Teams message or email whenever a new request appears. Without this, urgent requests sit unnoticed in the queue. Recast Software
Don't lock yourself out. Be cautious when creating an access policy for the Role policy type — this protects all role-related changes, including creating, updating, and deleting RBAC roles and role assignments. Once active, any attempt to modify roles needs MAA approval first, which can create a deadlock where you can't configure the RBAC assignments MAA itself requires. Roll out MAA for device actions and scripts first. Get RBAC last, after everything else is stable. Microsoft Learn
My Take
MAA is one of those features that feels like friction right up until the moment it saves your tenant. The Graph API expansion is the right move — the idea that automation scripts were somehow exempt from four-eyes controls while human admins weren't was always a gap. But "right move" doesn't mean "zero prep work required." If your scripts are breaking with the x-msft-approval-justification error, now you know what's happening and what to do about it.
Further reading:

