Introduction
Microsoft Intune Remote Help uses role-based access control (RBAC). Intune includes built-in roles like Help Desk Operator and School Administrator that provide Remote Help access.
The Help Desk Operator and School Administrator roles include full Remote Help permissions along with additional rights, such as wiping or retiring devices and assigning apps or policies. If an account with these roles is compromised, the attacker gains access beyond remote assistance capabilities.
Microsoft recommends custom RBAC roles to implement least-privilege access. Creating them manually in the Intune admin center requires defining permissions, creating the role, setting up security groups, and assigning scope – typically around 30 minutes for all four roles, provided no mistakes are made.
This PowerShell script creates four custom roles and corresponding security groups in under 10 seconds:
- Level 1 Support – View-only access
- Level 2 Support – Full control (without elevation)
- Senior Techs – Elevation permission (for UAC/admin actions)
- Device Teams – Unattended access (for Android dedicated devices)
Each role contains only the Remote Help permissions required for its tier and no additional device management permissions.
PowerShell
The script is available on GitHub: Intune-Remote-Help-RBAC-Roles-Groups-Automation
Prerequisites
Before running the script, you need:
- PowerShell modules:
  - Microsoft.Graph.DeviceManagement.Administration
  - Microsoft.Graph.Groups
  - Microsoft.Graph.Authentication
- Microsoft Graph API permissions:
  - DeviceManagementRBAC.ReadWrite.All
  - Group.ReadWrite.All
The script will prompt you to authenticate and consent to these permissions when it connects to Microsoft Graph.
Basic Usage
Create roles and groups:
.\Create-Intune-Remote-Help-RBAC-Roles-Groups.ps1
Preview what would be created without making changes:
.\Create-Intune-Remote-Help-RBAC-Roles-Groups.ps1 -WhatIf
Remove all roles and groups created by the script:
.\Create-Intune-Remote-Help-RBAC-Roles-Groups.ps1 -Remove
What Gets Created
The script creates four custom RBAC roles:
- Remote Help – View Screen Only
  - Security group: Intune-RemoteHelp-ViewScreenOnly
  - Permissions: View screen without taking control
- Remote Help – Full Control
  - Security group: Intune-RemoteHelp-FullControl
  - Permissions: Take full control of devices
- Remote Help – Elevation
  - Security group: Intune-RemoteHelp-Elevation
  - Permissions: Interact with UAC prompts on Windows
- Remote Help – Unattended (Android)
  - Security group: Intune-RemoteHelp-Unattended
  - Permissions: Connect to Android devices without user acceptance
All roles include the required base permissions:
- Remote Tasks – Offer remote assistance
- Remote Assistance Connector – Read
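Once the roles exist, it is worth confirming that none of them has drifted beyond Remote Help permissions, for example after someone edits a role in the admin center. The following audit snippet is an added example, not the script from this post or from the GitHub project; it assumes the Microsoft.Graph.Authentication and Microsoft.Graph.DeviceManagement.Administration modules are installed, that the signed-in account can consent to DeviceManagementRBAC.Read.All, and that Remote Help resource actions carry the name prefixes listed in $RemoteHelpActionPrefixes (an assumption to verify against what your tenant actually returns).

```powershell
# Added example (not the post's script): flag custom Remote Help roles that grant
# resource actions outside Remote Help. Read-only Graph scope is enough for an audit.

# ASSUMED prefixes of Remote Help resource actions; compare against the
# allowedResourceActions values your tenant returns before trusting the result.
$RemoteHelpActionPrefixes = @(
    'Microsoft.Intune_RemoteAssistance',                    # assumed: Remote Help app actions
    'Microsoft.Intune_RemoteTasks_OfferRemoteAssistance'    # assumed: "Offer remote assistance"
)

function Test-RemoteHelpRoleLeastPrivilege {
    [CmdletBinding()]
    param(
        # Display-name prefix of the roles to audit, e.g. 'Remote Help'
        [Parameter(Mandatory)] [string] $RoleNamePrefix,
        [string[]] $AllowedPrefixes = $RemoteHelpActionPrefixes
    )

    Connect-MgGraph -Scopes 'DeviceManagementRBAC.Read.All'

    # Only custom (non-built-in) role definitions whose name matches the prefix
    $roles = Get-MgDeviceManagementRoleDefinition -All |
        Where-Object { -not $_.IsBuiltIn -and $_.DisplayName -like "$RoleNamePrefix*" }

    foreach ($role in $roles) {
        # Flatten rolePermissions[].resourceActions[].allowedResourceActions
        $actions = @($role.RolePermissions.ResourceActions.AllowedResourceActions) |
            Sort-Object -Unique

        # Any action not covered by an allowed prefix is out of scope for a Remote Help role
        $outOfScope = @($actions | Where-Object {
            $action = $_
            -not ($AllowedPrefixes | Where-Object { $action.StartsWith($_) })
        })

        [pscustomobject]@{
            Role           = $role.DisplayName
            ActionCount    = $actions.Count
            OutOfScope     = $outOfScope
            LeastPrivilege = ($outOfScope.Count -eq 0)
        }
    }
}

# Usage: report each Remote Help role and list any actions that should not be there
Test-RemoteHelpRoleLeastPrivilege -RoleNamePrefix 'Remote Help' |
    Format-Table Role, ActionCount, LeastPrivilege, @{ n = 'OutOfScope'; e = { $_.OutOfScope -join ', ' } }
```

Running this periodically (or after any role edit) gives a quick least-privilege check without opening each role in the admin center.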
Screenshot: Script running in Windows terminal
Screenshot: Roles created in Intune
Screenshot: Groups created in Entra
Assigning Roles After Running the Script
The script creates the RBAC roles and security groups, but roles must be assigned manually through the Intune admin center. This is intentional – scope configuration requires careful planning based on your organizational structure.
Assignment Process
- Navigate to Microsoft Intune admin center > Tenant administration > Roles
- Select one of the newly created Remote Help roles
- Click Assignments > Assign
- Basics: Enter an assignment name (e.g., “Remote Help – Full Control Assignment”)
- Admin Groups:
- Click Add groups
- Select the corresponding security group created by the script
- These are your helpers (support staff who provide assistance)
- Scope (Groups):
- Click Add groups to select specific user or device groups
- Or use Add All users / Add All devices
- These are the users/devices that can receive help from this role
- Important: “All Devices” doesn’t include unenrolled devices – use user groups instead
- Scope tags (optional): Add if using scope tags for delegation
- Click Next > Create
Repeat this process for each of the four roles based on your support structure.
ENJOY 🙂