Is there any way to achieve something similar to Google's “Require admin approval for device access" with Azure AD/Entra ID?

MAM policies are scoped to user groups but beyond that there's no approval process.

https://support.google.com/a/answer/7508418?hl=en

@merill @JefTek @nathanmcnulty @paulsanders

@crh @merill @JefTek @nathanmcnulty

Not that I know of out of the box. However, you could do something using conditional access / device filters with potentially autopilot and powerapps.

I’m making this up while I go btw… so will have a play later …

So I’m thinking you have a device filter that is set based on group membership - which is set using autopilot.

Then have a CA that blocks access to devices that don’t have the relevant filters.

There has to be a better way 😂

@paulsanders @crh @JefTek @nathanmcnulty Paul is right. I don't think there is an ootb feature that is comparable.

@merill @paulsanders @crh @JefTek It looks like they are doing MDM enrollment, and if that's an option, we can use device enrollment restrictions with an access package

https://blog.nathanmcnulty.com/intune-using-access-packages-to-enable-user-device-enrollment/

There's no built-in feature, but the user enrollment would fail, and then we could automate a process of emailing/Teams-messaging them to request access on myaccess.microsoft.com, which could have an approval workflow and allow them access.

@nathanmcnulty @merill @paulsanders @JefTek Ah yes, I remember reading this now. Great idea to handle this. I’m primarily interested in MAM enrollment but that can be limited to groups so this approach could still work.

@crh @merill @paulsanders @JefTek I think you'll have to read that out of Sign-in logs for failures in that case

I know we can trigger this from Azure Monitor or use a Logic App, but it feels like there should be a way to do an event subscription for a more performant experience for the end user. I just can't find it now :(
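As an added illustration of the sign-in-log approach described above (example code, not Nathan's or anyone else's in the thread): this Python walks records in the shape of Microsoft Graph `/auditLogs/signIns` entries, keeps only sign-ins that Conditional Access actually blocked, and returns one entry per user so a Logic App or script could send the "request access at myaccess.microsoft.com" message once rather than per failed attempt. The sample records are constructed; the error codes 53003 (blocked by Conditional Access) and 53000 (device not compliant) are real Entra codes, and the access package name is a placeholder.

```python
import json

# Entra sign-in error codes that mean a Conditional Access policy blocked the sign-in:
# 53003 = blocked by Conditional Access, 53000 = device not compliant.
CA_BLOCK_CODES = {53000, 53003}

# Constructed sample records, trimmed to the fields this check uses.
SAMPLE_SIGNINS = json.loads("""
[
  {"createdDateTime": "2024-05-01T09:00:00Z", "userPrincipalName": "alice@contoso.example",
   "conditionalAccessStatus": "failure", "status": {"errorCode": 53003},
   "deviceDetail": {"deviceId": "", "operatingSystem": "Android"}},
  {"createdDateTime": "2024-05-01T09:05:00Z", "userPrincipalName": "Alice@contoso.example",
   "conditionalAccessStatus": "failure", "status": {"errorCode": 53003},
   "deviceDetail": {"deviceId": "", "operatingSystem": "Android"}},
  {"createdDateTime": "2024-05-01T09:10:00Z", "userPrincipalName": "bob@contoso.example",
   "conditionalAccessStatus": "success", "status": {"errorCode": 0},
   "deviceDetail": {"deviceId": "d1", "operatingSystem": "Windows"}},
  {"createdDateTime": "2024-05-01T09:12:00Z", "userPrincipalName": "carol@contoso.example",
   "conditionalAccessStatus": "notApplied", "status": {"errorCode": 50126},
   "deviceDetail": {"deviceId": "", "operatingSystem": "iOS"}}
]
""")


def users_to_notify(signins, already_notified=frozenset()):
    """Return {upn: time of first CA-blocked sign-in}, one entry per user.

    Non-CA failures (e.g. bad password, 50126) and users already told to request
    access are skipped, so the caller sends exactly one message per new user.
    """
    result = {}
    for s in signins:
        if s.get("conditionalAccessStatus") != "failure":
            continue
        if s.get("status", {}).get("errorCode") not in CA_BLOCK_CODES:
            continue
        upn = s["userPrincipalName"].lower()   # UPNs are case-insensitive
        if upn in already_notified:
            continue
        ts = s["createdDateTime"]              # ISO-8601 UTC, so string order == time order
        if upn not in result or ts < result[upn]:
            result[upn] = ts
    return result


def build_message(upn, first_seen, package_name="ACCESS_PACKAGE_NAME"):
    """Text for the email/Teams nudge; package_name is an org-specific placeholder."""
    return (f"Hi {upn}, your sign-in at {first_seen} was blocked because your device is "
            f"not yet approved. Request the '{package_name}' package at "
            "https://myaccess.microsoft.com to get access.")
```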

@nathanmcnulty @merill @paulsanders @JefTek I’m not worried about alerting the user on failure that they need to request access. We’ll communicate directly to users (contracted staff) that need to do this and if they don’t… should’ve read the email!