MEM Intune – app approval process with Power Automate

In this month’s post I focus on app approval processes when utilizing MEM Intune. Customers I work with are always interested in how to streamline or integrate admin and end user processes, and software approval is no exception.

During the course of my career I’ve interacted with many customers who come up with processes to accomplish tasks such as software approval. IT processes may be manual or automated and they all utilize a variety of tools such as email, Excel files, online apps, and home grown solutions.

Microsoft Endpoint Manager (MEM) Configuration Manager (MEMCM) has software approval built in via “Application Requests”, which organizations may leverage as shown in the image below.

However, if you’re utilizing Intune only, or hosting Win32 apps in Intune (rather than in MEMCM), and you’d like to maintain a software approval process for applications that only live in Intune, I’ll show you how to do this using SharePoint, Graph, and Power Automate.


Requirements

  • SharePoint Online
  • Power Automate
  • Intune
  • Microsoft Graph
  • Win32 apps uploaded to Intune

Let’s get started!

One thing to note is the app approval process outlined here may be utilized for apps on any platform: iOS, Android, macOS, and Windows. For this post I chose to focus on Win32 apps because some Win32 apps require licenses, and some organizations tightly control what software may be installed on devices, so they may want granular control of app approval and installation.

SharePoint

Building an app catalog data model using a SharePoint list

First we need to create an application catalog. We can do this by creating a SharePoint list to store the apps we’ll query for using Graph in a later step. The list I created is shown below:

  • AppName – stores the name of the app
  • Win32AppID – stores the app ID pulled from Intune
  • appPackageType – type of app package – e.g. Win32
  • userGroupID – group assigned to the app

Note: you can name the columns anything you like.

Let’s take a moment to focus on the userGroupID, as this has a special purpose. Apps may be assigned to multiple groups, so the question is: how do we know which group is the right one? There are multiple methods of accomplishing this; however, I chose to create a special group in Azure AD dedicated to software requests. Details of how this is accomplished with Power Automate are shown in a step below under Power Automate.


Creating a software approval SharePoint list

We’ll need a process to request software, and I build this in SharePoint as well by creating another list with the following attributes:

  • Win32 App Name – Lookup field from the App Catalog we created in the previous step.
  • AppName:Title – Lookup field from the App Catalog we created in the previous step.
  • AppName:Win32AppID – Lookup field from the App Catalog we created in the previous step.
  • AppName:appPackageType – Lookup field from the App Catalog we created in the previous step.
  • Win32 App Name:userGroupID – Lookup field from the App Catalog we created in the previous step.
  • Date needed by – custom column created in the list.

In the request form we only need two items, “Win32 App Name” and “Date needed by” since the other lookup items will be pulled over automatically when the form is saved:

After stepping through the request process, below is what a request will look like in SharePoint:

Power Automate

Importing the Intune app catalog

Once we have all of the columns created in the SharePoint list we need to populate the list with existing software and delta updates as new software is added.

In the Power Automate process below we can manually trigger or set a recurrence to run it on a regular basis.

  1. HTTP action uses Graph to pull all the apps from Intune.
  2. We then parse the JSON. To get the schema, run the same Graph query in Graph Explorer, copy the JSON output, select “Generate from sample” in the Parse JSON action, and paste it in.
  3. Then Filter the apps to only select the Win32 apps.
  4. Next add an action to create an Azure AD group for every Win32 app returned (I prefix my group names with “AG-”, where AG stands for Auto Generated).
  5. Next we need to remove the first three characters of the group name, because I don’t want users to see “AG-appname”; the “AG-” is meaningless to them. We do this using Compose actions. The substring expression in the second Compose action looks like the following: substring(outputs('Compose'),3,sub(length(outputs('Compose')),3))
  6. In the final step of the Flow, I create SharePoint items for every Win32 app returned using the dynamic attributes available. Use the “Compose 2” output for the title of the app.

Note: if you’d like to add a recurrence and run the Flow periodically, you’ll need to add a step to check whether the software already exists. This can be done by adding a condition to check the app ID in Intune against the app ID in the SharePoint app catalog.

When the Power Automate flow is run the custom SharePoint app catalog will be populated as shown below:

Creating the application approval process

Below is the full Power Automate process. It may look complex, but it’s quite simple. Here are the high-level steps:

  1. We start with a trigger when a SharePoint item is created in the app approval request list.
  2. Next we go on to start an approval process action and wait for a response.
  3. We then query Azure AD for the user using the information about the user collected in SharePoint (it’s the same AAD user).
  4. Next we query the group assigned to the Win32 app (this is the same group created during the app catalog generation process in the steps above).
  5. When a request is approved or declined there are two paths to go down:
    • For the “Yes” path we introduce a condition to check whether the group is empty. If it is, we add the user to the group and send the user a mail that their request has been approved (or a message in Teams, or whatever you want to do). The “No” branch of that condition tells us there are members in the group, so we perform another conditional check to see whether the user already exists in the group. If the user exists, we send a mail stating so with instructions on what to do next. If the user does not exist in the Azure AD group, we add the user to the group and send the user an email stating their request has been approved.
    • For declined requests, we travel down the “No” path and simply send the user a mail with the comments explaining why their request wasn’t approved.

If you’re curious about the expression used to check if the Azure AD group is empty, it is: empty(body('Get_group_members_2')?['value'])
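The branching in steps 3 to 5 is the part of the flow that actually gates group membership on the approval outcome, so it is worth seeing it as plain logic that can be checked against every path. The following added Python example (not the post’s own flow or any Microsoft code) mirrors the conditions above, including a Python version of the empty(...) expression over the same body shape the “Get group members” action returns. It assumes a request field named RequesterObjectId holding the requester’s Azure AD object ID, and approval outcomes spelled “Approve” and “Reject”; the request item and group member bodies are constructed samples.

```python
def group_is_empty(members_body):
    """Python equivalent of empty(body('Get_group_members_2')?['value'])."""
    return not (members_body or {}).get("value")


def process_request(request, approval, members_body):
    """Return the action the flow takes and the mail it sends for one request.

    request      - the SharePoint request item, fields named as in the post's list
    approval     - outcome and comments from 'Start and wait for an approval'
    members_body - body of 'Get group members' for the app's userGroupID
    """
    app = request["AppName:Title"]
    group_id = request["Win32 App Name:userGroupID"]
    user_id = request["RequesterObjectId"]  # assumed field: requester's AAD object ID

    # Declined: the "No" path only relays the approver's comments; no group change.
    if approval["outcome"] != "Approve":
        return {"action": "send_mail", "group": None,
                "mail": f"Your request for {app} was declined: {approval['comments']}"}

    # Approved and the group has no members yet: add the user straight away.
    if group_is_empty(members_body):
        return {"action": "add_member", "group": group_id,
                "mail": f"Your request for {app} has been approved."}

    # Approved and the group already has members: is the requester one of them?
    member_ids = {member["id"] for member in members_body["value"]}
    if user_id in member_ids:
        return {"action": "send_mail", "group": group_id,
                "mail": f"You already have access to {app}; see the instructions for installing it."}

    return {"action": "add_member", "group": group_id,
            "mail": f"Your request for {app} has been approved."}


# Constructed samples: one request item and two possible 'Get group members' bodies.
SAMPLE_REQUEST = {
    "AppName:Title": "Notepad++",
    "Win32 App Name:userGroupID": "group-for-ag-notepad++",
    "RequesterObjectId": "user-0001",
}
EMPTY_GROUP = {"value": []}
POPULATED_GROUP = {"value": [{"id": "user-0001"}, {"id": "user-0002"}]}


if __name__ == "__main__":
    for outcome, body in (("Approve", EMPTY_GROUP), ("Approve", POPULATED_GROUP),
                          ("Reject", EMPTY_GROUP)):
        result = process_request(SAMPLE_REQUEST, {"outcome": outcome, "comments": "No license"}, body)
        print(outcome, "->", result["action"], "|", result["mail"])
```

Only the two approved branches return "add_member"; the declined branch never touches the group, which is the property you want to confirm whenever the flow is edited. The membership comparison uses object IDs rather than display names, the same identity the Azure AD actions in the flow work with.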

Win32 app approval process video walkthrough

The video below demonstrates an app approval process end-to-end:

https://uem4all.files.wordpress.com/2020/06/powerautomatew32appapproval-7.gif

Conclusion

That’s it! To conclude: we created an app catalog in SharePoint and, using Power Automate, imported Win32 apps from Intune into the app catalog and created a unique Azure AD group for each app. Next we created a software request portal in SharePoint that references the app catalog. Finally we built out the Power Automate process for software approval. If you’d like, you can expand this app approval process across all platforms.