Add users or groups as local admins to all Azure AD Joined devices


Introduction - 

This is Part 1 of a four-part series on 'How to remotely assist Azure AD Joined devices'.
Remotely assisting Intune managed devices poses challenges for MSPs. MSP technicians don't normally hold Global Admin rights in the customer tenant and usually perform admin tasks via the Microsoft Partner Portal, so they arrive at the end user's device with no local admin rights of their own.

MSP technicians face several challenges, including -
- The MSP technician account is not a local admin of the Azure AD Joined / Intune Managed device
- The end user is a standard user and has no local admin rights
- Windows 10 shows UAC prompts on the secure desktop, which appears as a black screen to a technician connected via TeamViewer or Microsoft Quick Assist, so the technician can neither see nor answer the prompt
- The Intune Security Baseline sets the UAC option 'Behavior of the elevation prompt for standard users' to automatically deny, so a standard user's elevation attempt fails with the message - This app has been blocked by your system administrator.

To solve these issues I have designed a three-stage solution, which includes the following -
- Add users or groups as local admins to all Azure AD Joined devices
- Deploy a PowerShell script to disable the prompt on the secure desktop
- Update the Endpoint Security Baseline

======================================================================

This is Part 1 of a 4 part series

Remote Administration and Assistance - Four part tutorial
1. Add users or groups as local admins to all Azure AD Joined devices - This article
2. PowerShell script to disable the prompt on secure desktop - Link
3. Updating the Endpoint Security Baseline - Link
4. How to remotely connect and assist - Link


=======================================================================

1. Add users or groups as local admins to all Azure AD Joined devices

As discussed in the Introduction, one of the challenges with providing remote assistance for Azure AD Joined devices is that the end user is not a local administrator. Global Administrators are automatically local admins on every Azure AD joined device, but an MSP technician shouldn't be signing in to end-user devices with an account that holds Global Admin rights - that exposes a tenant-wide privileged credential to whatever is running on the device.

To work around this issue, we will create a role-assignable Azure AD security group and assign it the directory role 'Azure AD Joined Device Local Administrator'. Members of the group become local administrators on every Azure AD joined device in the tenant (Hybrid Azure AD joined devices are not affected by this role). A company can then either create a dedicated account for each MSP technician or a single account that has this right; separate accounts per technician are preferable, because each elevation can then be attributed to a person. Note that role-assignable groups require an Azure AD Premium P1 licence, can only be created by a Global Administrator or Privileged Role Administrator, and the 'Azure AD roles can be assigned to the group' setting cannot be changed after the group is created.

In this example, I will be creating the Group and a single user account for Local Admin management.

Endpoint Manager - Groups - New Group -

Type - Security
Group name - AAD_Sec_User_LocalAdmin
Group Description - Members are local administrators of Azure AD joined devices
Azure AD roles can be assigned to the group - Yes
Roles - click - No roles selected

In the Directory Roles panel - type - Dev - in the search box
Select the role - Azure AD joined device local administrator
Click - Select

The group's Roles attribute now shows the assigned role.

Click - Create - and confirm the warning that the role-assignable setting cannot be changed later with - Yes



Add the accounts that you want to have local admin access to Azure AD joined devices.
For this tutorial, I have created a dedicated account called - local.admin -

The user - local.admin - has been added as a member of the group.
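The same group, role assignment and membership can be created with Microsoft Graph PowerShell, which is useful when an MSP has to repeat the setup across many customer tenants. The script below is an added example and not part of the original article; it assumes the Microsoft.Graph module is installed, that the signed-in account is a Global Administrator or Privileged Role Administrator, and it uses a placeholder UPN for the tutorial's local.admin account.

```powershell
# Added example (not from the original article): Graph PowerShell equivalent
# of the portal steps above. Assumes the Microsoft.Graph module, a Global
# Administrator or Privileged Role Administrator sign-in, and Azure AD Premium P1.
$groupName = 'AAD_Sec_User_LocalAdmin'
$memberUpn = 'local.admin@contoso.onmicrosoft.com'   # placeholder tenant domain

# Well-known template ID of the built-in role "Azure AD Joined Device Local
# Administrator" (renamed "Microsoft Entra Joined Device Local Administrator"
# in newer tenants, which is why we match on the ID, not the display name).
$roleTemplateId = '9f06204d-73c1-4d4c-880a-6edb90606fd8'

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

# 1. Create the security group with "Azure AD roles can be assigned" = Yes.
#    -IsAssignableToRole cannot be changed after creation, so it is set here.
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName `
        -Description 'Members are local administrators of Azure AD joined devices' `
        -MailEnabled:$false -MailNickname $groupName `
        -SecurityEnabled -IsAssignableToRole
}

# 2. Resolve the role definition by template ID.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -All |
    Where-Object { $_.TemplateId -eq $roleTemplateId }
if (-not $roleDef) { throw "Role template $roleTemplateId not found in this tenant" }

# 3. Assign the role to the group at tenant scope ("/"). This single assignment
#    is what makes every member a local admin on every Azure AD joined device.
$existing = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($group.Id)'" |
    Where-Object { $_.RoleDefinitionId -eq $roleDef.Id }
if (-not $existing) {
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $group.Id `
        -RoleDefinitionId $roleDef.Id -DirectoryScopeId '/' | Out-Null
}

# 4. Add the dedicated technician account as a member.
$user = Get-MgUser -UserId $memberUpn
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id

# 5. Show who now holds the right. Each member only becomes a local admin after
#    their next sign-in on a device, because role membership is carried in the
#    sign-in token rather than pushed to devices.
Get-MgGroupMember -GroupId $group.Id | ForEach-Object {
    $_.AdditionalProperties['userPrincipalName']
}
```

The script is idempotent: re-running it against a tenant where the group and assignment already exist only adds the member. Keep the membership list short and review it as part of offboarding, since step 3 applies to every Azure AD joined device in the tenant.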

Members of this group will be able to log on to any Azure AD joined device in the tenant and have local admin access. The right takes effect at the member's next sign-in on each device, because role membership is evaluated when the sign-in token is issued rather than pushed to devices; removing a member is likewise not instant on a device where they are already signed in. Because the scope is every device, keep the group small, require MFA for its members through Conditional Access, and treat the local.admin credential as a privileged one.
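On the device side, Azure AD join places two role SIDs into the local Administrators group, one for Global Administrator and one for the Azure AD Joined Device Local Administrator role; it is these SIDs, not individual user accounts, that grant the access. The check below is an added example, not part of the original article; it assumes an Azure AD joined Windows 10/11 device and an elevated PowerShell session, and derives the expected SIDs from the well-known role template IDs.

```powershell
# Added example (not from the original article): confirm on an Azure AD joined
# device that the role SIDs are present in the local Administrators group.
# Assumes Windows 10/11 and an elevated PowerShell 5.1 or 7 session.

# Azure AD object IDs appear in Windows as SIDs of the form
# S-1-12-1-<four 32-bit little-endian words of the GUID>.
function ConvertTo-AzureAdSid {
    param([Parameter(Mandatory)][guid]$ObjectId)
    $bytes = $ObjectId.ToByteArray()
    $words = 0..3 | ForEach-Object { [BitConverter]::ToUInt32($bytes, $_ * 4) }
    return 'S-1-12-1-' + ($words -join '-')
}

# Built-in role template IDs that Azure AD join adds to Administrators.
$roles = @{
    'Global Administrator'                       = '62e90394-69f5-4237-9190-012177145e10'
    'Azure AD Joined Device Local Administrator' = '9f06204d-73c1-4d4c-880a-6edb90606fd8'
}

# Get-LocalGroupMember can fail on Azure AD joined devices because these role
# SIDs do not resolve to names ("Failed to compare two elements in the array"),
# so read the group through ADSI and take each member's raw objectSid instead.
$adminGroup = [ADSI]'WinNT://./Administrators,group'
$memberSids = @($adminGroup.Invoke('Members')) | ForEach-Object {
    $raw = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
    (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
}

foreach ($role in $roles.GetEnumerator()) {
    $expected = ConvertTo-AzureAdSid $role.Value
    $state = if ($memberSids -contains $expected) { 'present' } else { 'MISSING' }
    '{0,-45} {1,-60} {2}' -f $role.Key, $expected, $state
}

# The role SIDs being present is necessary but not sufficient: a user only
# becomes a local admin when they sign in with a token that carries the role.
# dsregcmd shows the join state and PRT that make that evaluation possible.
dsregcmd /status | Select-String 'AzureAdJoined|AzureAdPrt '
```

If the Azure AD Joined Device Local Administrator SID shows as MISSING, someone has edited the local Administrators group and the role assignment will not work on that device, regardless of group membership in the tenant.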

====================================================================



About the author -

Terry Munro is an IT specialist based in Brisbane, Australia.
He draws on over 20 years' experience designing and delivering technical solutions to enterprise clients in the private, Government and Education sectors, helping client businesses transform through collaboration and get the most value from a variety of cloud solutions.
He is passionate about learning new technologies and is a firm believer in sharing knowledge to provide a better experience for all.

You can connect with Terry
LinkedIn - https://www.linkedin.com/in/terry-munro/
Facebook - @IntuneAdmin - https://www.facebook.com/IntuneAdmin/
Facebook Community Group - https://www.facebook.com/groups/intuneadmin/ 
GitHub Repository - https://github.com/TeamTerry
