Microsoft Endpoint Manager Application Approvals using Microsoft Power Automate (Flow)

The native application approval functionality within Microsoft Endpoint Configuration Manager (which is still often referred to as SCCM, ConfigMgr, and Configuration Manager) originally only allowed defined admins to approve application requests from the Application Catalog and Software Center using the ConfigMgr administrator console. Starting with ConfigMgr 1810, you could also begin making pre-approved machine-based requests with no user required, allowing you to install applications in real time. Additionally, e-mails could be sent to a defined approver, or a list of approvers, for each application that is deployed by entering the e-mail address of each approver into each application deployment at deployment type. This feature is coming along nicely.

One thing that I regularly hear from customers is “I want to have my users’ managers approve the applications, since they are going to ultimately be the ones responsible for covering the additional licensing costs out of their cost center.” Unfortunately, since you can only set one or more static e-mail addresses or DLs on each application deployment, this isn’t really possible today without having someone receive the e-mails, look up the requester’s manager, and manually forward them the ConfigMgr-generated approval e-mail. This isn’t a very productive use of anyone’s time IMHO.

As many of you know, I’ve been diving head-first into any and every chance to create PowerApps and Power Automate (Flows) to harness the power of these ultra powerful low-code/no-code application creation platforms. This small gap in ConfigMgr led me to come up with the following idea which may suit the need for many who are waiting for the application approval functionality in the ConfigMgr product to further mature.

First, I had my customer make and choose an “Application approval” e-mail account to use. All applications requiring approval would be set to automatically e-mail this mailbox any time an end-user requests an application from Software Center.

Next, I created a Flow using Microsoft Power Automate which is triggered each time a new e-mail is received by this account. This Flow does not use any premium Power Automate connectors, so you can utilize these with the license included with an Office 365 subscription. The automatically generated e-mail from ConfigMgr looks like the following:

…and the Flow I came up with uses the following trigger step:

Trigger step includes a Subject Filter
  1. The trigger only looks for e-mails whose subject includes the text “has submitted an application request”. Therefore, you could use any e-mail box and it will only trigger on the application approval e-mails.
  2. The next step converts the received e-mail body from HTML to TEXT using the out-of-the-box Content Conversion – HTML to TEXT (Preview) Flow action which magically strips all HTML tags and headings from the e-mail body.
  3. To further simplify getting to the useful values needed to determine the requesting user’s manager, I also removed all line feeds (LFs) using a Compose action with an expression. %0A is the URL-encoded ASCII code for a line feed (LF), so I stripped them out by replacing them with nothing (by using two apostrophes and no space between them) using this expression: uriComponentToString(replace(uriComponent(body('Convert_Email_body_from_html_to_text')), '%0A', ''))
  4. Next, determine how many characters are in the user’s DisplayName by finding the index of the dash (“-”) and subtracting 10 from it, using the following expression: add(int(indexOf(outputs('Remove_Linefeeds'), ' -')), -10). I realized I needed to be careful with this, as some employees hyphenate their last name (ex: “Jones-Smith”). This is the reason I added a space after the ' and before the -, so it’s ' -' rather than '-'. It will always skip over any dashes that occur in their last name since they don’t have spaces.
  5. Next, use the above values to get the user’s DisplayName attribute from AzureAD (synced via AzureAD Connect), which begins at index (character) number 9 of the resulting string output from the “Remove Linefeeds” action, and ends at the index of the dash after the user’s DisplayName. I did this using the following expression: substring(outputs('Remove_Linefeeds'), 9, outputs('Index_of_dash')).
  6. Next, use the DisplayName from the previous step to get the user’s e-mail address using the Office365 Users connector.
  7. Next, use the user’s e-mail address from the previous step to look up the user’s manager (which is also automatically synced via AzureAD Connect) using the Office365 Users connector.
  8. Next, forward the e-mail which was automatically generated by the application approval request feature onto the application requesting user’s manager.
  9. The user’s manager receives the e-mail and can finally determine whether to approve or deny the request based on which link they click in the e-mail. If the approver is authenticated via AzureAD and you have Cloud Management Gateway (CMG) implemented along with enabling the new AdminService feature of the SMS provider, the manager can also approve the requests when connected to the Internet by way of CMG. Super COOL!

Here’s the full Flow:

Full Flow end-to-end

Here’s a zoomed version of the last two steps which gets the user’s manager and forwards the e-mail to them:

Details of the “Get users manager” and the forward e-mail actions.

The automatically generated e-mails sent from ConfigMgr when an application approval request is submitted by an end user are formatted in a predictable way. If the formatting is ever changed in a future version, these flows may need to be adjusted to match, depending on what changes. Once the HTML and line feeds are removed, the whole e-mail is one nice long string on a single line, so this should make it easy to get to the important stuff!
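The string steps (3 to 5) and the manager lookup (6 and 7) can be checked offline before trusting them to route approvals. The following Python sketch is an added example, not part of the original Flow: it reuses the page's index 9, ' -' marker and -10 offset, while the sample body, the directory entries and all function names are constructed for illustration. It refuses to forward when the layout does not match or when the DisplayName does not resolve to exactly one user.

```python
# Added example: mirrors the Flow's string steps, then fails closed on lookup.
NAME_START = 9       # from the page: substring(..., 9, ...)
MARKER = " -"        # from the page: indexOf(..., ' -')
LENGTH_OFFSET = -10  # from the page: add(int(indexOf(...)), -10)

# Constructed sample body and directory; the real ConfigMgr layout may differ.
SAMPLE_BODY = "The user Pat Jones-Smith  - requested\nContoso Reader\n"
DIRECTORY = [
    {"displayName": "Pat Jones-Smith", "mail": "pat@example.com",
     "managerMail": "lee@example.com"},
    {"displayName": "Alex Kim", "mail": "alex.kim@example.com",
     "managerMail": "lee@example.com"},
    {"displayName": "Alex Kim", "mail": "alex.kim2@example.com",
     "managerMail": "sam@example.com"},
]


class RoutingError(Exception):
    """The request needs manual handling instead of automatic forwarding."""


def extract_display_name(body: str) -> str:
    flat = body.replace("\n", "")          # step 3: remove line feeds
    idx = flat.find(MARKER)                # step 4: -1 when marker is absent
    length = idx + LENGTH_OFFSET
    if idx < 0 or length <= 0:
        raise RoutingError("body does not match the expected layout")
    name = flat[NAME_START:NAME_START + length]   # step 5
    if name != name.strip():
        raise RoutingError("extracted name is misaligned")
    return name


def manager_for(body: str, directory=DIRECTORY) -> str:
    name = extract_display_name(body)
    matches = [u for u in directory if u["displayName"] == name]
    if len(matches) != 1:                  # DisplayName is not a unique key
        raise RoutingError(f"{len(matches)} directory matches for {name!r}")
    manager = matches[0].get("managerMail")
    if not manager:
        raise RoutingError(f"no manager recorded for {name!r}")
    return manager


if __name__ == "__main__":
    print(manager_for(SAMPLE_BODY))        # forwards to Pat's manager
```

In the Flow itself, the equivalent safeguard is a Condition action after the user lookup that sends unmatched or ambiguous requests to a fallback approver.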

You could also optionally log some or all of the interesting values from the e-mail to a SharePoint list, Excel spreadsheet, or whatever your heart desires to keep track of the requests outside of Microsoft Endpoint Configuration Manager / ConfigMgr.

Enjoy!