Use Conditional Access with Remote Help

One of the benefits of the Remote Help feature in Intune is its support for Conditional Access. This support is not enabled by default, however. How do you enable it? In this blog post I will demonstrate how to enable Conditional Access support for Remote Help, and I will show a use case for combining Conditional Access with Remote Help.
Enable the support for Conditional Access
By default Remote Help is not available as a target in Conditional Access; we must activate this with Microsoft Graph. Open your favorite PowerShell editor and connect to Microsoft Graph with the following command:
Connect-MgGraph -Scopes "Application.ReadWrite.All"
We need to create a Service Principal for the Remote Help application. Use the following command to create the Service Principal with the corresponding App ID.
New-MgServicePrincipal -AppId "1dee7b72-b80d-4e56-933d-8b6b04f9a3e2"
When the command has completed successfully, the following output is displayed.

In the Entra ID portal we can look up the newly created Service Principal under Enterprise applications.
EntraID > Enterprise applications
Make sure you have selected the filter for All Applications, otherwise the Service Principal is not shown.

Create a Conditional Access rule
Now that we have created the Service Principal, we can use the application in a Conditional Access rule.
In this use case I want to make sure that Remote Help Operators can only initiate a session from a compliant device.
Use the following steps to accomplish this.
Head over to the Conditional Access rules and create a new rule. We are going to configure the Assignments, Target resources and Access controls.
Intune Portal > Endpoint security > Conditional Access
Create a new rule and give this rule a logical name.
In the Assignments, include the user group that is also assigned the Remote Help role. In the image below I have included the same group that is used in the role assignment for the built-in role Help Desk Operator. We only want to target these users. If you want to know more about Remote Help and how to enable this feature, read my blog post about Remote Help 😊

In Target resources:
1. Select Target resources.
2. Select the resources to include.
3. We now have the option to select Remote Assistance Service.

Now that we have selected the target resource we want to protect, head over to the Grant section.
Select: Require device to be marked as compliant.

You can make your own adjustments based on your use case. In this case we have now targeted the correct user group with the target resource and the access controls.
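The same policy can be created with Microsoft Graph PowerShell instead of the portal. This is an added example, not code from the original post: it first checks that the Remote Assistance Service Service Principal exists (creating it only if it is missing), then creates the policy in report-only mode so sign-in logs show the effect before anyone is blocked. The group object ID is a placeholder you must replace.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph module
# is installed and that $operatorsGroupId is replaced with your own group's object ID.
$remoteHelpAppId  = "1dee7b72-b80d-4e56-933d-8b6b04f9a3e2"     # Remote Assistance Service app ID (from the post)
$operatorsGroupId = "<OBJECT-ID-OF-HELP-DESK-OPERATORS-GROUP>"  # placeholder: your Remote Help operators group

# Application.ReadWrite.All is needed to create the Service Principal,
# Policy.ReadWrite.ConditionalAccess to create the Conditional Access policy.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess"

# Check whether the Service Principal already exists before creating it again.
$sp = Get-MgServicePrincipal -Filter "appId eq '$remoteHelpAppId'"
if (-not $sp) {
    Write-Host "Service Principal for Remote Assistance Service not found, creating it..."
    $sp = New-MgServicePrincipal -AppId $remoteHelpAppId
}
Write-Host "Using Service Principal '$($sp.DisplayName)' ($($sp.Id))"

# Policy definition: operators group -> Remote Assistance Service -> require compliant device.
$policy = @{
    displayName   = "Remote Help - require compliant device for operators"
    # Report-only first: evaluate the impact in the sign-in logs, then switch to "enabled".
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @($remoteHelpAppId) }
        users          = @{ includeGroups = @($operatorsGroupId) }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy '$($created.DisplayName)' with id $($created.Id) (state: $($created.State))"
```

Once the report-only results look as expected, change the state to "enabled" to enforce the policy.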
User Experience
When a Remote Help Operator now opens the Remote Help web application or app on a non-compliant device, the following screen is displayed stating that access is not granted. Because we have targeted only the operators group, the users that are requesting help are not affected by this rule.
Recap
When a CA rule is already in place that targets all apps and requires MFA, the MFA requirement already has to be fulfilled for Remote Help. But with the support for Conditional Access for Remote Help, we can adjust the requirements that must be fulfilled when working with the app, for example the requirement for a compliant device.