Why is Patch Connect Plus not impacted by MAA?

Why is Patch Connect Plus not impacted by MAA?

The Microsoft Intune Multi Admin Approval (MAA) feature adds an extra layer of security by requiring administrative approval for certain changes made to applications and scripts before they are applied.
This feature does not affect the functionality of Patch Connect Plus. The product continues to create and manage applications in Intune without any interruptions, and no additional configuration is required when MAA is enabled.
MAA is applicable only to actions performed using the delegated credential flow. These typically include:
  • Changes made interactively through the Intune Admin Center
  • Operations performed via Microsoft Graph using delegated permissions
In such cases, actions like modifying or removing assignments for a Win32 application may require approval if MAA policies are enforced.
In contrast, Patch Connect Plus operates using the application credential flow. This approach:
  • Uses application-level permissions instead of user-based authentication
  • Bypasses MAA approval requirements
  • Ensures uninterrupted creation and modification of applications in Intune
Hence, Patch Connect Plus workflows are not subject to MAA policies.

Update:
Earlier on March 26, Microsoft introduced a service-side change that caused Multi Admin Approval (MAA) to unexpectedly block automation flows in Patch Connect Plus. This resulted in failures for scenarios using application-based authentication, such as service principals and app registrations. Microsoft has since implemented a fix, and the issue should now be resolved. Automation workflows that were previously impacted should resume normal operation without requiring any changes. This issue was caused by a change in how MAA was enforced. MAA is intended to apply only to delegated authentication flows and actions performed interactively in the Intune admin center. During this incident, MAA was also applied to application-based automation workflows, causing previously functional automation scenarios to fail unexpectedly.

Following the Microsoft service-side fix released after the March 26 incident, many affected tenants resumed normal operation. However, some tenants continue to experience issues where MAA is incorrectly being applied to application-based automation workflows. If your tenant is still impacted, we recommend raising a case with Microsoft Support so Microsoft can investigate and apply any remaining service-side remediation. As a temporary workaround, some customers have removed the App Access Policy from Multi-Admin Approval to restore automation functionality. Since this reduces MAA governance protections for application access, it should be evaluated carefully and re-enabled once Microsoft confirms the issue is fully resolved. This behavior is controlled by the Microsoft service, and permanent resolution depends on further Microsoft updates.

Cheers,
The ManageEngine Team



            New to M365 Manager Plus?
            New to M365 Manager Plus?
              New to RecoveryManager Plus?
              New to RecoveryManager Plus?
                New to Exchange Reporter Plus?
                New to Exchange Reporter Plus?
                  New to SharePoint Manager Plus?
                  New to SharePoint Manager Plus?
                    See all integrations
                    New to ADManager Plus?
                    See all integrations
                    New to ADManager Plus?

                      New to ADSelfService Plus?

                      Start your free trial
                      Start your free trial
                          Related Products