This week is a short post about a small nice addition to Remote Help. That small nice addition, however, can be an important piece towards a solid zero trust implementation within the organization. That addition is the ability to use Conditional Access specifically for Remote Help. That doesn’t mean, however, that Conditional Access was not applicable to Remote Help before. When assigning a Conditional Access policy to all cloud apps, that would (and will always) also include Remote Help. The main change is that it’s now possible to create a service principal for the Remote Assistance Service that can be used as a cloud app in the assignment of a Conditional Access policy. That enables organizations to create a custom Conditional Access policy specifically for Remote Help, if needed. So, that enables organizations to specifically tailor the requirements for providing remote assistance to users. Think about always requiring the use of MFA, requiring an up-to-date device, or only allowing specific locations. All with the idea to minimize the chance that someone unauthorized is using Remote Help for gaining access to a device. This post will go through the steps for creating and using that service principal, followed by the experience.
Note: Keep in mind that this requires a Remote Help add-on license or Intune Suite license for helpers and sharers.
Setting up Conditional Access for Remote Help
When looking at the configuration of setting up Conditional Access specifically for Remote Help, it all starts with creating a new service principal. That service principal can then be used in the configuration of a Conditional Access policy. The following snippet contains the lines to install the required module, connect to Azure AD, and create the new service principal.
Install-Module -Name AzureADPreview
Connect-AzureAD  # sign in with an account that is allowed to create service principals
New-AzureADServicePrincipal -AppId 1dee7b72-b80d-4e56-933d-8b6b04f9a3e2  # Remote Assistance Service
Once the service principal is created, it can be used within Conditional Access policies. The following six steps walk through the creation of a new Conditional Access policy, with the focus on using the new service principal.
- Open the Microsoft Intune admin center portal and navigate to Endpoint security > Conditional Access, or open the Azure portal and navigate to Azure Active Directory > Security > Conditional Access
- On the Conditional Access | Policies blade, click New policy
- On the Assignments section, as shown below in Figure 1, configure the following for the different assignment sections
  - Users and groups: Select the users that should be assigned with this policy
  - Cloud apps or actions: Select Cloud apps > Select apps > RemoteAssistanceService as the app that should be assigned with this policy
  - Conditions: Select the conditions that should be used as additional filters for assignment of this policy
- On the Access controls section, configure the following for the grant control
  - Grant: Configure the access enforcement for this policy
  - Session: Not applicable for this configuration
- Select Enable policy > On to enable this policy
- Select Create to create this policy
Note: This Conditional Access policy can contain any of the controls that are available to configure the access to Remote Help.
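The same result as the snippet and the six portal steps above, scripted end to end with the AzureADPreview module. This is an added example and not part of the original post; the policy display name, the report-only starting state and the chosen controls (MFA plus a compliant device) are my assumptions, and the app ID is the one from the post.

```powershell
# Added example (not from the original post): create the Remote Help service principal
# if it is missing, then create a Conditional Access policy that targets only that app.
# Assumes the AzureADPreview module is installed and an admin who can manage
# Conditional Access signs in. Display name and report-only state are assumptions.
Connect-AzureAD | Out-Null

# App ID of the Remote Assistance Service (taken from the post)
$remoteHelpAppId = "1dee7b72-b80d-4e56-933d-8b6b04f9a3e2"

# Create the service principal only when it does not exist yet,
# so the script can be re-run without a duplicate error
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$remoteHelpAppId'"
if (-not $sp) {
    $sp = New-AzureADServicePrincipal -AppId $remoteHelpAppId
}
Write-Host "RemoteAssistanceService service principal: $($sp.ObjectId)"

# Conditions: all users, but only the Remote Help cloud app (not "All cloud apps")
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = $remoteHelpAppId
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = "All"

# Grant controls: require MFA AND a compliant device for helpers and sharers alike
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = "AND"
$controls.BuiltInControls = @("mfa", "compliantDevice")

# Start in report-only mode so the sign-in logs show the impact before anyone is blocked;
# switch -State to "enabled" once the results look right
$policy = New-AzureADMSConditionalAccessPolicy -DisplayName "CA - Remote Help - MFA and compliant device" `
    -State "enabledForReportingButNotEnforced" -Conditions $conditions -GrantControls $controls
Write-Host "Created policy $($policy.Id) in state $($policy.State)"
```

Report-only sign-ins for the RemoteAssistanceService app appear in the Azure AD sign-in logs with the policy result, which is the place to confirm the scoping before enforcing it.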
Experiencing Conditional Access with Remote Help
When the Conditional Access policy is created, it’s relatively easy to experience the behavior with Remote Help, especially when there are specific block rules in place that require access from specific locations and/or endpoints. So, when the user (either the helper or the sharer) starts Remote Help, the user must first authenticate. After that, the access conditions are verified. When the user is blocked, the user will receive a clear notification (as shown below in Figure 2) that is similar to any other blocked app. The only difference will be in the App name and App ID. That information corresponds to the service principal.
For more information about Remote Help and Conditional Access, refer to the following docs.