Approval-based workflows ensure that administrative privileges are verifiable and purpose-driven. This setup is crucial for any managed environment looking to minimize security and compliance risks at scale. In this guide, we’ll discuss some of the best methods for creating a managed workflow based on an approval process.
Methods for setting up approval-based workflows
Use the table to choose and quickly navigate to your preferred activation steps.
📌 Prerequisites:
- Microsoft 365 subscription with Power Automate and Azure AD (for cloud-based workflows)
- Endpoint visibility via PowerShell and registry
- NinjaOne or RMM platform with script execution capabilities
- Defined policy for when admin access is approved and for how long
👉 Note: Some steps may vary depending on system defaults or active settings.
| Click to Choose a Method | 💻 Best for Individual Users | 💻💻💻 Best for Enterprises |
| --- | --- | --- |
| Method 1: Microsoft Forms | ✓ | |
| Method 2: PowerShell script | | ✓ |
💡 Tip: Check out the Things to look out for section for tips on managing potential risks.
Method 1: Use Microsoft Forms and Power Automate for access requests
This method uses minimal coding and is best for organizations already using Microsoft 365.
📌 Use case: Microsoft 365 subscribers
- Create a Microsoft Form titled “Admin Access Request” with the following fields:
  - Requestor email
  - Device name
  - Reason for access
  - Requested duration
- Next, build a Power Automate flow with these parameters:
  - Trigger: Form submission
  - Condition: Auto-approve based on user/group, or route to manager approval
  - Action: Notify the IT team and trigger the script to elevate the user
  - Final step: Schedule auto-revert or generate an access expiration alert
You may store approvals in a SharePoint list or ticketing system for documentation.
How it works: In this setup, Microsoft Forms takes charge of data gathering. Power Automate then processes the data, takes conditional steps, and creates audit trails for troubleshooting and compliance.
Method 2: Elevate local rights using PowerShell and scheduled reversion
This method gives you fine-grained control while ensuring the removal of privileges happens automatically after the set duration.
📌 Use cases: Enterprise, automation
To grant admin access (e.g., temporary membership in the Administrators group), use the following command:

```powershell
Add-LocalGroupMember -Group "Administrators" -Member "domain\jdoe"
```

⚠️ Reminder: Replace the placeholder values “Administrators” with your preferred group label and “domain\jdoe” with your local domain and user name.
Meanwhile, to schedule access removal after one hour (example; schtasks uses today's date unless /sd is given, so compute /st from the approval time and add /sd if the window crosses midnight):

```cmd
schtasks /create /tn "RemoveAdmin_jdoe" /tr "powershell -command Remove-LocalGroupMember -Group 'Administrators' -Member 'domain\jdoe'" /sc once /st 13:00
```
Then, to log access grants in a local file or registry key for audit (the key must exist before a value can be written to it):

```powershell
New-Item -Path "HKLM:\SOFTWARE\Org\AdminAccess" -Force | Out-Null   # create the key if it does not exist yet
New-ItemProperty -Path "HKLM:\SOFTWARE\Org\AdminAccess" -Name "jdoe" -Value "$(Get-Date)" -PropertyType String -Force
```
When a request is approved, PowerShell can be used to grant and revoke local admin rights on demand.
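The three Method 2 commands combined into one function, as an added example that is not part of the original guide and not a NinjaOne script: it writes the approval record to HKLM:\SOFTWARE\Org\AdminAccess using the `<user>_Approved`, `<user>_Expires` and `<user>_Device` value names from the audit section below, registers the revocation task with the ScheduledTasks cmdlets instead of schtasks, and only then adds the member. The function name, the ticket parameter, the 240-minute policy cap and the CONTOSO\jdoe placeholder are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original guide): grant temporary local admin
# membership, record the grant in the registry, and register a scheduled task
# that revokes it when the approved window ends. Names and the policy cap are
# assumptions for illustration.

function Grant-TemporaryAdminAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserName,        # e.g. 'CONTOSO\jdoe' (placeholder)
        [Parameter(Mandatory)] [string] $ApprovalTicket,  # reference from the Forms flow or ticketing system
        [int]    $DurationMinutes  = 60,
        [int]    $PolicyMaxMinutes = 240,                 # assumed ceiling from your approval policy
        [string] $Group            = 'Administrators',
        [string] $AuditKey         = 'HKLM:\SOFTWARE\Org\AdminAccess'
    )

    if ($DurationMinutes -lt 1 -or $DurationMinutes -gt $PolicyMaxMinutes) {
        throw "Requested $DurationMinutes min is outside the policy range 1..$PolicyMaxMinutes min."
    }

    $approved  = [datetime]::UtcNow
    $expires   = $approved.AddMinutes($DurationMinutes)
    $shortName = ($UserName -split '\\')[-1]              # 'jdoe' is used in the value names
    $taskName  = "RemoveAdmin_$shortName"

    # 1. Write the audit record first, so a failure later still leaves a trail.
    New-Item -Path $AuditKey -Force | Out-Null
    foreach ($pair in @{
        "${shortName}_Approved" = $approved.ToString('o')
        "${shortName}_Expires"  = $expires.ToString('o')
        "${shortName}_Device"   = $env:COMPUTERNAME
        "${shortName}_Ticket"   = $ApprovalTicket
    }.GetEnumerator()) {
        New-ItemProperty -Path $AuditKey -Name $pair.Key -Value $pair.Value -PropertyType String -Force | Out-Null
    }

    # 2. Register the revocation task BEFORE elevating: if scheduling fails,
    #    the user is never left with standing privileges.
    #    The task runs as SYSTEM, removes the membership and stamps a _Revoked value
    #    (the record is kept rather than deleted so the audit trail survives).
    $revokeScript = "Remove-LocalGroupMember -Group '$Group' -Member '$UserName' -ErrorAction SilentlyContinue; " +
                    "New-ItemProperty -Path '$AuditKey' -Name '${shortName}_Revoked' -Value ([datetime]::UtcNow.ToString('o')) -PropertyType String -Force | Out-Null"
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -Command `"$revokeScript`""
    $trigger   = New-ScheduledTaskTrigger -Once -At $expires.ToLocalTime()
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null

    # 3. Elevate. Add-LocalGroupMember throws if the account is already a member.
    Add-LocalGroupMember -Group $Group -Member $UserName

    Write-Output "Granted $UserName membership in $Group until $($expires.ToString('o')); revocation task '$taskName' registered."
}

# Usage (placeholder values):
# Grant-TemporaryAdminAccess -UserName 'CONTOSO\jdoe' -ApprovalTicket 'REQ-0001' -DurationMinutes 60
```

The ordering is the point of the example: the registry record and the revocation task exist before the account is elevated, which directly addresses the "scheduled task fails to run" risk listed later on this page, because a failed Register-ScheduledTask aborts the function before Add-LocalGroupMember runs.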
How to audit and keep track of admin approvals
Use the registry for access status and audit trails
The registry key acts as a live record of who currently has admin rights.
📌 Use case: System-wide deployments, RMM distribution.
- Press Win + R, type regedit, and click OK to open the Registry Editor.
- Navigate to the following path, or paste it into the Registry Editor address bar: HKEY_LOCAL_MACHINE\SOFTWARE\Org\AdminAccess
- Check the String Values for auditing and tracking. Here’s an example of what to look out for:
  - jdoe_Approved (String) = “2025-07-01T11:00Z”
  - jdoe_Expires (String) = “2025-07-01T13:00Z”
  - jdoe_Device (String) = “CLIENT-PC001”
⚠️ Warning: Editing the registry can cause system issues. Create a registry backup before proceeding.
Validate and Revert Access via CMD and Log Analysis
Commands like net localgroup and schtasks, used together with centralized log files, let you maintain a searchable historical record of all admin rights activity.
- First, to check admins, run `net localgroup administrators`.
- Then use `schtasks /query /fo list | findstr /i "RemoveAdmin"` to view the scheduled tasks for removal.
- You can also run `reg query HKLM\SOFTWARE\Org\AdminAccess` to verify the changes that are live in the registry.
- Finally, log events using:

```cmd
echo %username% granted admin rights on %computername% at %date% %time% >> \\logserver\access_logs.txt
```

These commands give you an overview of admin memberships and scheduled removal jobs without needing a script or an RMM console.
Report and alert on admin access via RMM or scripts
A powerful RMM like NinjaOne has the tools to transform admin access control from a reactive task into a proactive defense.
Here are some common deployment strategies you can use for governing user access:
- Run scripts that detect local admin group changes
- Alert when a user is added outside an approved window
- Roll back unauthorized membership additions
- Sync registry keys into RMM for dashboard display
Furthermore, the dashboard can provide scheduled reports on who received access and when it was revoked, and mark any deviations from related policies.
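The detection, alerting and rollback strategies above, and the CMD validation checks from the previous section, as one reconciliation script. This is an added example, not part of the original guide and not a NinjaOne script: it compares the live Administrators membership against the `<user>_Expires` records in HKLM:\SOFTWARE\Org\AdminAccess and reports (or, with -Remediate, removes) any member that has no approval record or whose window has passed. The function name, the standing-admin allow-list and the RemoveAdmin_<user> task naming are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original guide): reconcile the live admin group
# against the approval records in the registry. A non-empty result is the alert
# condition; -Remediate rolls back unapproved or expired memberships.
# Names, the allow-list and the value layout are assumptions for illustration.

function Get-AdminAccessFindings {
    [CmdletBinding()]
    param(
        [string]   $Group          = 'Administrators',
        [string]   $AuditKey       = 'HKLM:\SOFTWARE\Org\AdminAccess',
        [string[]] $StandingAdmins = @('Administrator', 'Domain Admins'),  # accounts that never go through approval (assumed)
        [switch]   $Remediate
    )

    $now      = [datetime]::UtcNow
    $findings = @()

    foreach ($member in Get-LocalGroupMember -Group $Group) {
        $shortName = ($member.Name -split '\\')[-1]
        if ($StandingAdmins -contains $shortName) { continue }

        # Missing key or missing value both come back empty with SilentlyContinue.
        $expiresRaw = Get-ItemPropertyValue -Path $AuditKey -Name "${shortName}_Expires" -ErrorAction SilentlyContinue

        $status = $null
        if (-not $expiresRaw) {
            $status = 'NoApprovalRecord'          # added outside the workflow
        } else {
            try {
                if ([datetime]::Parse($expiresRaw).ToUniversalTime() -lt $now) {
                    $status = 'Expired'           # the revocation task did not run
                }
            } catch {
                $status = 'UnparseableRecord'     # record exists but is not a timestamp
            }
        }
        if (-not $status) { continue }

        $findings += [pscustomobject]@{
            Member    = $member.Name
            Status    = $status
            Expires   = $expiresRaw
            Device    = $env:COMPUTERNAME
            CheckedAt = $now.ToString('o')
        }

        if ($Remediate) {
            Remove-LocalGroupMember -Group $Group -Member $member.Name
            # Drop any leftover revocation task so it does not fire later against a re-approved grant.
            Unregister-ScheduledTask -TaskName "RemoveAdmin_$shortName" -Confirm:$false -ErrorAction SilentlyContinue
            New-ItemProperty -Path $AuditKey -Name "${shortName}_RolledBack" -Value $now.ToString('o') -PropertyType String -Force -ErrorAction SilentlyContinue | Out-Null
        }
    }
    return $findings
}

# Usage from an RMM-scheduled script: emit findings as JSON and use the exit
# code as the alert condition.
# $findings = Get-AdminAccessFindings
# if ($findings) { $findings | ConvertTo-Json; exit 1 } else { exit 0 }
```

Run it without -Remediate first and review the findings; standing administrators that the allow-list does not cover will show up as NoApprovalRecord, and removing those automatically is exactly the kind of mistake the "Things to look out for" section warns about.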
⚠️ Things to look out for when setting up approval-based workflows
Below are common risks, their possible consequences, and some practical ways to reverse or prevent issues.
| Risks | Potential Consequences | Reversals |
| --- | --- | --- |
| Scheduled task fails to run | Elevated privileges remain active indefinitely | Manually remove the user from the admin group via RMM or PowerShell. |
| Registry logging skipped | No audit trail for compliance audits | Retroactively log from event logs or RMM history. |
Another crucial consideration is that some access requests may not fit neatly into a standard workflow. Backup protocols and additional planning may be necessary for emergencies, multi-tenant environments, and distributed teams to ensure security without slowing down critical operations.
NinjaOne solutions for approval-based workflows
NinjaOne supports access governance workflows through:
- Script deployment to grant and revoke admin access across endpoints
- Scheduled execution and task reversion using RMM policy scheduling
- Monitoring registry keys and local group membership for real-time visibility
- Logging escalation and de-escalation events tied to user, device, and timestamp
- Custom alerts and reporting dashboards to show access events across all clients
With NinjaOne, MSPs can deliver secure, auditable, and scalable access request workflows that protect clients while streamlining technician operations.
Integrating an approval-based workflow with an RMM
Approval-based workflows allow better control over networks and endpoints while staying aligned with crucial IT compliance frameworks. In addition, the system provides users with timely access to select business data and tools.
Apart from finding a balance between quick access and strong governance, MSPs and enterprise IT teams can integrate this workflow with an RMM like NinjaOne, which unlocks opportunities to scale and manage IT assets in a unified dashboard.
