Send message to Teams channel when 'Multi Admin Approval' pending or waiting requests

Hi PA Community
 
Reaching out to the automate Gurus for some possible help.  Recently Microsoft launched the Multi Admin approval in Intune for functions like device wipe / retire / delete, however they did not create any kind of notification flow. 
 
I am trying to create a PA that sends a message to a Teams channel.  This command in Graph (https://graph.microsoft.com/beta/deviceManagement/operationApprovalRequests) returns the pending requests, so I was hoping to use this in a scheduled flow to 'get' these and send to Teams.  I've started building my flow and I am using an App reg with all the correct application permissions, but it keeps getting a 403 error.  Here is the start of my flow:  
 
However, it keeps failing at the HTTP part 
 
 
{
  "_version": 3,
  "Message": "An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 775e9bc7******************** - Url: https://proxy.msub06.manage.microsoft.com/StatelessRoleAdministrationFEService/deviceManagement/operationApprovalRequests?api-version=5025-09-12",
  "CustomApiErrorPhrase": "",
  "RetryAfter": null,
  "ErrorSourceService": "",
  "HttpHeaders": "{}"
}
 
If anyone has any ideas, or has already come up with a solution for this, I'd be really happy to hear.  Thanks in advance
 
 
  • RF-31031211-0 Profile Picture
    6 on at
    I can confirm I also face this same issue; it seems application permission doesn't work for resources:
    https://graph.microsoft.com/beta/devicemanagement/administrativetasks
    and

    https://graph.microsoft.com/beta/deviceManagement/operationApprovalRequests

    Even with all required API permissions granted :(
  • Mahesh Birudu Profile Picture
    28 on at
    Hello 
     
    It appears this may be related to an authentication or permission issue.

    Could you please confirm whether the DeviceManagementConfiguration.Read.All permission has been applied and granted admin consent?

  • Sunil Kumar Pashikanti Profile Picture
    1,681 Moderator on at
     
    This is a known limitation, not a permissions issue.
    The Graph endpoint deviceManagement/operationApprovalRequests does not support application‑only authentication, which is why Power Automate HTTP calls return 403 Forbidden, even with correct permissions and admin consent. The endpoint requires delegated admin context, so it works in Graph Explorer or PowerShell but not in Power Automate cloud flows.

    There is currently no supported way to automate Teams notifications for pending Multi‑Admin approvals using Power Automate alone.
     
    Comparison: Why it works in some places but not others

    Tool           | Authentication Type           | Result
    Graph Explorer | Delegated (You sign in)       | Success
    PowerShell     | Delegated (Interactive login) | Success
    Power Automate | Application (App ID/Secret)   | 403 Forbidden

    Workaround

    While there is no "supported" way to do this with standard Power Automate actions, advanced users sometimes use a "Service Account" approach:

    They create a dedicated user (Service Account) with a Power Automate Per-User license.
    They use a Custom Connector that uses ROPC (Resource Owner Password Credentials) to "impersonate" that user.

    Warning: This is generally discouraged by security teams as it bypasses Multi-Factor Authentication (MFA) and is often blocked by Conditional Access policies.
     
     
    Ref:
     
     
    ✅ If this answer helped resolve your issue, please mark it as Accepted so it can help others with the same problem.
    👍 Feel free to Like the post if you found it useful.
  • RF-31031211-0 Profile Picture
    6 on at
    Hi, seems it's working now for Power Automate Application (App ID/Secret), Azure LogicApp (Identity / Application (App ID/Secret)).
    Tested for 
    https://graph.microsoft.com/beta/deviceManagement/operationApprovalRequests
  • Suggested answer
    ninihen Profile Picture
    55 on at
    Tested and it worked in flow. On top of the app registration scope, you need to add an Intune RBAC role assignment to the service principal.

    To assign, create a security group, add the SP as a member, then Intune admin center -> Tenant admin -> Roles -> create a custom role with:
    1. Multi Admin Approval: Read  
    2. Organization: Read

    Then assign to the security group.




  • CU31030738-0 Profile Picture
    6 on at
    Hi Ninihen
     
    Thanks for your reply and the information.  Sorry to sound like a complete novice, could you possibly provide a bit more information and detail?
     
    I have to use / create a service principal for this and give Delegated permissions instead of application permissions. Would it be possible to expand on the flow a bit more please? I really do appreciate it, I'm still fairly new to the Automate world.
     
    Thanks in advance :-)
  • ninihen Profile Picture
    55 on at
    My app registration is DeviceManagementRBAC.Read.All (Application) - you also need to grant admin consent.

    Intune RBAC role assignment is from https://intune.microsoft.com/.

    From your screenshot, you hardcoded the definition. Your syntax itself is not wrong (I used the same in my flow), but you need to enter them as an expression.

    Like the Filter array action in your screenshot, the "from" property is correct (body('Parse_JSON')?['value']) as an expression, but the filter query property is hardcoded, not an expression.

    This is mine:




    To enter as expression, click on the "fx" and type in the window. Then you should be fine.

     
  • CU31030738-0 Profile Picture
    6 on at
    Hi Ninihen
     
    Thanks for your help again, here is what I have learnt and where I am now stuck. The https://graph.microsoft.com/beta/deviceManagement/operationApprovalRequests only exposes events that are 'expired' or 'completed' and 'pending'. It seems that exposing 'NeedsApproval' actually requires a filter: https://graph.microsoft.com/beta/deviceManagement/operationApprovalRequests?$filter=status eq 'needsApproval'
     
    If I place this in the HTTP it returns no output, but Graph does see some events.
    I managed to build the flow all the way to the Teams post a message, but the message was empty as it's not getting any data. It seems it can see '4' but is just not 'Getting' them.
     
     
    Really appreciate any ideas, feel like I am getting there with your help :-)
  • ninihen Profile Picture
    55 on at
    Hi @CU31030738-0, the response in your screenshot shows odata.count: 4, while the value is empty. 

    This seems to me the filter actually worked (4 requests need approval). And the value not showing may be related to the permission.

    Although your service principal is granted the DeviceManagementRBAC.Read.All permission, the service principal account still can only see the requests that are relevant to it (either the service principal is the approver, or the requestor).

    So theoretically, if you use an app permission, the service principal needs to be assigned an Intune admin role that is listed as an approver in the Operation Approval policy in Intune admin center.
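
An added example, not written by any poster in this thread: Python that tells apart the two failure modes discussed above (the 403, and a response whose @odata.count is 4 while value is empty) before anything is posted to Teams, so the channel never receives a blank message. The item field names (id, requestDateTime, requestJustification) and the sample bodies are assumptions constructed for illustration.

```python
import json
from urllib.parse import quote

GRAPH_URL = "https://graph.microsoft.com/beta/deviceManagement/operationApprovalRequests"
HINTS = {  # remediation text taken from the replies in this thread
    "forbidden": "403: check admin consent and the service principal's Intune RBAC role",
    "hidden": "count > 0 but no items: principal may only see requests it approves or raised",
}

def build_url(status="needsApproval"):
    """The thread's filter URL with the $filter value percent-encoded."""
    return GRAPH_URL + "?$filter=" + quote("status eq '%s'" % status, safe="")

def triage(http_status, body):
    """Return (state, pending_items) for one HTTP response."""
    if http_status == 403:
        return "forbidden", []
    data = json.loads(body)
    items = data.get("value", [])
    count = data.get("@odata.count", len(items))
    pending = [r for r in items if r.get("status") == "needsApproval"]
    # More counted than returned and no next page to fetch: a visibility gap.
    if count > len(items) and "@odata.nextLink" not in data:
        return "hidden", pending
    return "ok", pending

def teams_text(state, pending):
    """Message body for the Teams post; never empty, so failures are visible."""
    if state != "ok":
        return "MAA check needs attention. " + HINTS[state]
    if not pending:
        return "No Multi Admin Approval requests are waiting."
    lines = ["%d Multi Admin Approval request(s) waiting:" % len(pending)]
    for r in pending:  # field names below are assumed, see lead-in
        lines.append("- %s requested %s: %s" % (
            r.get("id", "?"), r.get("requestDateTime", "?"),
            r.get("requestJustification", "(none given)")))
    return "\n".join(lines)

# Constructed sample bodies (not real tenant data).
SAMPLE_HIDDEN = '{"@odata.count": 4, "value": []}'
SAMPLE_OK = json.dumps({"@odata.count": 1, "value": [{
    "id": "req-0001", "status": "needsApproval",
    "requestDateTime": "2026-01-05T09:30:00Z",
    "requestJustification": "Wipe lost laptop"}]})

if __name__ == "__main__":
    print(build_url())
    for code, body in [(403, "{}"), (200, SAMPLE_HIDDEN), (200, SAMPLE_OK)]:
        print(teams_text(*triage(code, body)))
```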
     
  • CU31030738-0 Profile Picture
    6 on at
    Thanks for replying on a Sunday. I have given the SP the Intune admin role and the Approvers RBAC in Intune, everything required, and still it will not output with filter = needsapproval.
     
    Maybe it's just not meant to be. This would be so handy I'm sure for many people as having to check in the Intune Admin centre for waiting approvals is a pain.
     
    It's a great security layer by MS but they really did not think it through, there should be some kind of alerting for this. If you have any ideas or guidance I would gladly appreciate it. Might have to get in touch with MS also.
     
     
