Setup Conditional Access for Remote Help

In this post, I will show you how to set up Conditional Access for Remote Help. Remote Help allows your helpdesk team to securely view or control a user’s screen across Windows, macOS, Android, and iOS. To create a Conditional Access policy that targets the Remote Assistance Service, a service principal (Enterprise app) is required. Since this service principal does not exist by default, you must create it first.

In the next sections of this post, we will see how to create a service principal for the Remote Assistance Service and then create a Conditional Access (CA) policy. If you have not enabled Remote Help in your tenant, enable it first and then configure Conditional Access. Refer to this link for more details: Setup/Configure Remote Help in Intune.

1. Create a Service Principal for Remote Assistance Service

The first step is to create a service principal for the Remote Assistance Service in Entra. For this, we will use Microsoft Graph PowerShell. Open a PowerShell console and run the commands below.

# Install the Graph module if needed
Install-Module Microsoft.Graph -Scope CurrentUser -Force

# Connect to Graph with the right scope
Connect-MgGraph -Scopes "Application.ReadWrite.All"

# Create the Remote Assistance Service principal
New-MgServicePrincipal -AppId "1dee7b72-b80d-4e56-933d-8b6b04f9a3e2"

To verify that the service principal has been created, sign in to the Entra admin center and go to Entra ID > Enterprise applications. Clear the Application type filter by clicking the X icon, and you should see RemoteAssistanceService listed there. Click on it and confirm that the Application ID matches the one created using New-MgServicePrincipal.

2. Create a Conditional Access Policy

Now that the service principal for the Remote Assistance Service has been created, you can proceed to create a Conditional Access policy that targets this resource. If you already have Conditional Access policies in place, you can update them to include or exclude the Remote Assistance Service. Alternatively, you can create a new policy dedicated specifically to Remote Assistance.

You can access the Conditional Access policies page either from the Intune admin center > Devices > Conditional Access or from the Entra admin center > Entra ID > Conditional Access. Then click + Create new policy.

  • Provide a name for the policy. For example: Cloudinfra-Remote-Assistance.
  • Click on Target resources and, depending on your requirement, use the Include or Exclude tab to add or remove the app from this policy.
  • Click on Select resources > Select and search for the Remote Assistance Service app.
  • Configure the remaining settings and grant controls according to your business requirements.
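The two steps above, scripted end to end with Microsoft Graph PowerShell, as an added example that is not part of the original post. It creates the service principal only if it is missing (New-MgServicePrincipal fails if one already exists) and then creates the policy in Report-only mode so nothing is enforced until you have reviewed the sign-in logs. The helpdesk group object ID is a placeholder, and the "mfa" grant control is an assumption standing in for whatever your requirements dictate.

```powershell
# Added example (not from the original post). Assumptions: the helpdesk group
# object ID is a placeholder, and "mfa" stands in for your real grant control.

Connect-MgGraph -Scopes "Application.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess"

# App ID of the Remote Assistance Service (same ID as in the post)
$remoteAssistanceAppId = "1dee7b72-b80d-4e56-933d-8b6b04f9a3e2"

# Step 1: create the service principal only if it does not already exist.
$sp = Get-MgServicePrincipal -Filter "appId eq '$remoteAssistanceAppId'"
if (-not $sp) {
    $sp = New-MgServicePrincipal -AppId $remoteAssistanceAppId
    Write-Host "Created service principal $($sp.DisplayName) ($($sp.Id))"
} else {
    Write-Host "Service principal already exists: $($sp.DisplayName) ($($sp.Id))"
}

# Step 2: Conditional Access policy targeting the Remote Assistance Service app.
# Report-only mode logs what the policy would have done without blocking anyone;
# switch state to "enabled" once the sign-in logs show the expected results.
$helpdeskGroupId = "<object-id-of-helpdesk-group>"   # placeholder, replace

$policy = @{
    displayName   = "Cloudinfra-Remote-Assistance"
    state         = "enabledForReportingButNotEnforced"   # Report-only
    conditions    = @{
        clientAppTypes = @("all")
        users          = @{ includeGroups = @($helpdeskGroupId) }
        applications   = @{ includeApplications = @($remoteAssistanceAppId) }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")   # assumption; set to your requirement
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created CA policy '$($created.DisplayName)' in state $($created.State)"

# Verify the stored policy really targets the Remote Assistance app ID
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = 'Apps'; e = { $_.Conditions.Applications.IncludeApplications -join ',' } }
```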

Conclusion

This was a quick post on creating a Conditional Access policy for the Remote Assistance Service. I recommend testing the policy on a few users first before rolling it out to all business users. Observe its behavior and document the findings for your team to make troubleshooting easier if any issues arise. Another tip is to start with Report-only mode to monitor events, and once you’re confident, switch it to On.
