Best Guide to Setup Conditional Access for Remote Help with Intune | RemoteAssistanceService

I will explain how to set up Conditional Access for Remote Help with Intune in this article. Conditional Access for Remote Help in Microsoft Intune enhances security by ensuring only authorized users and compliant devices can access or provide remote support.

It allows organizations to apply conditions, such as device compliance and user location, to determine when Remote Help is permitted, safeguarding sensitive environments from unauthorized access.

This feature integrates with multi-factor authentication (MFA) and device compliance policies to add layers of protection, ensuring that both the support staff and the devices receiving help meet organizational security standards. Conditional Access policies can also limit Remote Help to managed or trusted devices, reducing the risk of security threats.

By leveraging Conditional Access in Intune, organizations can better manage remote assistance scenarios, especially in environments with a Bring Your Own Device (BYOD) approach, ensuring secure and compliant access across different user roles and devices.

Best Guide to Setup Conditional Access for Remote Help with Intune. Fig. 1

What is Conditional Access

Conditional Access is one of the Microsoft Entra technologies. The Conditional Access node you open from Microsoft Intune is the same node you open from Microsoft Entra ID, so you can configure policies without switching between Entra ID and Intune.

Intune Conditional Access is a security framework within Microsoft Intune that controls access to apps and data based on specific conditions. It ensures that only compliant devices and users who meet predefined security requirements can access corporate resources, such as cloud services and apps.

Conditional Access policies are built around signals such as user location, device health, and risk level. These policies can enforce actions like requiring multi-factor authentication (MFA), blocking access from untrusted locations, allowing access only to devices that meet compliance standards, and ensuring that company data is only accessed under secure conditions.

By leveraging Intune Conditional Access, organizations can protect their resources from unauthorized access while allowing flexibility for employees to work securely from various devices and locations.

Key Features of Conditional Access for Remote Help

| Key Features | Details |
| --- | --- |
| Access Control Based on Conditions | Conditional Access policies allow administrators to specify which conditions must be met for Remote Help to be allowed. These conditions can include factors like user location, device compliance status, and authentication methods. |
| Integration with Multi-Factor Authentication (MFA) | Conditional Access can require users to authenticate using MFA before receiving or providing Remote Help. This adds an extra layer of security, ensuring that the person accessing the system is indeed authorized. |
| Device Compliance Checks | Devices must meet specific security requirements (like having the latest OS update or being malware-free) to receive help. This helps to ensure that support is only given to secure devices, reducing the risk of security threats. |
| Conditional Access for Support Personnel | Organizations can apply Conditional Access policies to support staff, requiring that they also meet security requirements before they can provide assistance. For example, an IT admin may need to authenticate through MFA or be on a compliant device to use Remote Help. |
| Conditional Access Scenarios | Block access to Remote Help based on risk factors, such as logins from untrusted locations. Require managed devices to use Remote Help. Enforce additional controls like limiting access only to specific groups or users. |
| Application in BYOD (Bring Your Own Device) Scenarios | In BYOD environments, Conditional Access can ensure that only devices managed by Intune (or compliant with specific organizational policies) are able to use Remote Help. |
Best Guide to Setup Conditional Access for Remote Help with Intune. Table. 1

Import the RemoteAssistanceService Cloud App to the Tenant

The RemoteAssistanceService cloud app in Microsoft Intune is a specific service used to facilitate remote assistance through Remote Help, a feature in Intune that allows IT administrators and support staff to assist users remotely. This cloud app helps manage and secure remote support sessions by integrating with Conditional Access policies and ensuring that only authorized and compliant users or devices can participate.

Before creating the Conditional Access policy for Remote Help, we must import the RemoteAssistanceService Cloud app to our tenant. To do that, follow the below steps.

  • Open Windows PowerShell or Windows PowerShell ISE with admin privilege
  • Insert the below commands and execute them to import the RemoteAssistanceService Cloud app to our tenant.

Install-Module -Name AzureADPreview
Connect-AzureAD
New-AzureADServicePrincipal -AppId 1dee7b72-b80d-4e56-933d-8b6b04f9a3e2

  • You will get an authentication pop-up. Once you authenticate with your corporate credentials, click on Verify
Best Guide to Setup Conditional Access for Remote Help with Intune. Fig. 2

If your ID has enough rights to install the module and is successfully verified, you can see that the RemoteAssistanceService – 1dee7b72-b80d-4e56-933d-8b6b04f9a3e2 has been successfully imported into your tenant.

Best Guide to Setup Conditional Access for Remote Help with Intune. Fig. 4

Create a Conditional Access Policy for Remote Help

Follow the below steps to create a new Conditional Access Policy for Remote Help using Intune. Let’s discuss the step-by-step method to create the policy.

  • Navigate to Devices > Conditional access
  • Click on +Create a New policy
Best Guide to Setup Conditional Access for Remote Help with Intune. Fig. 2

Now, we can create a New Conditional Access policy from scratch. For that, follow the points below and fill in the details.

  • Name: HTMD – Conditional Access for Remote Help
  • Assignments: Click on Specific users and include the users or group you want
  • Target resources: Under Select what this policy applies to, choose Cloud apps, then search for and select RemoteAssistanceService – 1dee7b72-b80d-4e56-933d-8b6b04f9a3e2 (Control access based on all or specific network access traffic, cloud apps or actions)
  • Network: Set as not configured
  • Condition: Under Device platforms, select Apply the policy to selected device platforms and choose Windows
  • Access controls: Under Grant, choose Grant access and select Require multifactor authentication
  • Session: No need to set any Sessions in this example
  • Enable Policy: Toggle to On
Best Guide to Setup Conditional Access for Remote Help with Intune. Fig. 5
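
The portal settings listed above can also be written down as a policy object and checked in PowerShell. The following is an added example, not code from the original article: the function name Get-RemoteHelpPolicyFinding and the all-zero group ID are placeholders, and the commented Microsoft Graph PowerShell lines assume the Microsoft.Graph module is installed.

```powershell
# Added example; the function name and group ID are placeholders, not from the article.
$RemoteHelpAppId = '1dee7b72-b80d-4e56-933d-8b6b04f9a3e2'  # RemoteAssistanceService app ID from the article

# The portal settings from the steps above as a Graph conditionalAccessPolicy body.
$remoteHelpPolicy = @{
    displayName   = 'HTMD – Conditional Access for Remote Help'
    state         = 'enabled'  # 'enabledForReportingButNotEnforced' is report-only
    conditions    = @{
        users        = @{ includeGroups = @('00000000-0000-0000-0000-000000000000') }  # placeholder
        applications = @{ includeApplications = @($RemoteHelpAppId) }
        platforms    = @{ includePlatforms = @('windows') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Emits one string per deviation from the article's settings; nothing if the policy matches.
function Get-RemoteHelpPolicyFinding {
    param([Parameter(Mandatory)] $Policy)
    $c = $Policy.conditions
    $g = $Policy.grantControls
    if ($c.applications.includeApplications -notcontains $RemoteHelpAppId) { 'policy does not target RemoteAssistanceService' }
    if ($g.builtInControls -notcontains 'mfa') {
        'multifactor authentication is not a grant control'
    } elseif ($g.operator -eq 'OR' -and @($g.builtInControls).Count -gt 1) {
        'operator OR lets another grant control satisfy the policy without MFA'
    }
    if ($c.platforms.includePlatforms -notcontains 'windows') { 'Windows is not among the selected device platforms' }
    $assigned = @($c.users.includeUsers) + @($c.users.includeGroups) | Where-Object { $_ }
    if (-not $assigned) { 'no users or groups are assigned' }
    if ($Policy.state -ne 'enabled') { "state is '$($Policy.state)', so the policy is not enforced" }
}

# Constructed weak variant: report-only, and a device-compliance grant instead of MFA.
$weak = $remoteHelpPolicy.Clone()
$weak.state = 'enabledForReportingButNotEnforced'
$weak.grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }

foreach ($p in $remoteHelpPolicy, $weak) {
    $findings = @(Get-RemoteHelpPolicyFinding -Policy $p)
    '{0}: {1} finding(s)' -f $p.state, $findings.Count
    $findings | ForEach-Object { "  - $_" }
}

# In a tenant (Microsoft.Graph module; not run here):
# Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Application.Read.All'
# New-MgIdentityConditionalAccessPolicy -BodyParameter $remoteHelpPolicy
```

The same function accepts policy objects returned by Get-MgIdentityConditionalAccessPolicy, because PowerShell property access is case-insensitive.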

End User Experience – Conditional Access for Remote Help

We must check whether the HTMD – Conditional Access for Remote Help policy works as expected. Log in to one of the devices in your tenant and open the Remote Help application. Remote Help requires an organizational account, so enter the corporate credentials of a user targeted by the policy. MFA is required during login, and you then have the right to use the Remote Help feature. This confirms that our Conditional Access policy is working fine!

Important Note! To use Remote Help, you need to Enable Remote Help in Intune. Verify that your tenant has a valid license (Intune Suite or stand-alone) and that the respective users have an RBAC role assigned.

Best Guide to Setup Conditional Access for Remote Help with Intune. Fig. 6


Author

Vaishnav K has over 11 years of experience in SCCM, Device Management, and Automation Solutions. He writes and imparts knowledge about Microsoft Intune, Azure, PowerShell scripting, and automation. Check out his profile on LinkedIn.
