Providing secure access to Desktop and Mobile Helpdesk admins using Role-Based Access Control in MEM
Published Dec 09 2020 03:32 PM

By Pallavi Joshi – Program Manager | Microsoft Endpoint Manager - Intune

 

This article describes how to use Role-based Access Control (RBAC) in Microsoft Intune to set up separate helpdesk roles for a Desktop team that manages the Windows device estate and a Mobile team that manages the mobile device estate. RBAC in Intune lets you control who has access to your organization's resources and what they can do with them.

 

With the rise in remote working, an increasing number of organizations manage their employees' mobile and Windows devices with Microsoft Endpoint Manager. Helpdesk teams therefore need a way to support end users in their daily work that is both secure and productive.

 

Many customers we work with have dedicated teams for Windows and for mobile devices: helpdesk admins on the Windows team manage only Windows devices and never touch mobile devices, and vice versa. By the end of this post you will be able to give each helpdesk team access to only the relevant workloads, so they get a customized view of the devices they need to manage and are prevented from accessing devices outside their scope.

 

Steps to configure RBAC for the Windows and Mobile device helpdesk teams:

  1. Create Azure AD device groups for Windows and Mobile Devices
  2. Create Azure AD user groups for Windows and Mobile Helpdesk Admins
  3. Create scope tags and assign device groups
  4. Create Windows helpdesk admin role and add assignments
  5. Create Mobile helpdesk admin role and add assignments

 

Step 1 - Create Azure AD device groups for Windows and Mobile Devices

The first step in setting up RBAC is to create separate Azure AD device groups based on device OS type.

 

As an example, I have created three Azure AD dynamic device groups based on the device.deviceOSType property: Android Devices, iOS Devices, and Windows Devices. Before relying on the rules, check the deviceOSType values your enrolled devices actually report; Android Enterprise enrollments, for instance, can report a value other than plain Android, and a rule that matches only Android would leave those devices outside the group, and therefore outside the mobile team's scope.

 

Figure: Android Dynamic membership rules

Figure: iOS Dynamic membership rules

Figure: Windows Dynamic membership rules

Step 2 - Create Azure AD user groups for Windows and Mobile Helpdesk Admins

 

The second step is to create two user groups: one for the Windows Helpdesk Admins who manage Windows devices, and one for the Mobile Helpdesk Admins who manage mobile devices.

 

As an example, I have created two Azure AD user groups, Windows – Helpdesk Admins and Mobile – Helpdesk Admins, and added the helpdesk admins to each of them:

 

Figure: Azure AD group

 

Step 3 - Create scope tags and assign device groups

The third step is to create separate scope tags, one per operating system, and assign the device groups created in Step 1 to the respective scope tags.

 

As an example, I have created three scope tags: Windows, Apple and Android. I have assigned the Windows Devices group to the Windows scope tag, the iOS Devices group to the Apple scope tag and the Android Devices group to the Android scope tag. This ensures that every device in the Windows Devices group automatically gets the Windows scope tag, every device in the iOS Devices group automatically gets the Apple scope tag, and so on.

 

The scope tags are used in later steps to control which devices and other objects the Helpdesk Admins can see.

 

Figure: Helpdesk admin Scope tags

 

Step 4 - Create Windows helpdesk admin role and add assignments

The fourth step is to create a custom role for the Windows helpdesk admin and give it the permissions the helpdesk admin requires.

 

As an example, I have created a Windows Helpdesk role with Read permissions on all the workloads, plus Wipe and Sync Device permissions under Remote Tasks. Adjust the permissions to your requirements, but keep them to the minimum the team needs; in particular, do not grant Assign, Create, Update or Delete on workloads the helpdesk only has to read.

 

Figure: Windows Helpdesk permissions

 

Once the permissions are added and the role is created, add assignments to the role using the groups and scope tags created in the previous steps.

 

As an example, for the Windows Helpdesk role I am adding an assignment named Windows Assignment. Its Members are the Windows – Helpdesk Admins group created in Step 2, its Scope (Groups) is the Windows Devices group created in Step 1, and its Scope tag is the Windows tag created in Step 3.

 

Figure: Windows Helpdesk assignment properties

 

This ensures that members of Windows – Helpdesk Admins can assign policies, configurations and apps only to devices in the Windows Devices group, and only if the role grants them assign permissions. In this case we have deliberately not given the helpdesk assign permissions, because we do not want them to add or change assignments. The scope tag on the assignment additionally ensures that members of Windows – Helpdesk Admins can view only objects that carry the Windows scope tag. Note that the automatic tagging from Step 3 applies to devices only: policies, profiles and apps must carry the Windows scope tag themselves, otherwise the Windows helpdesk will not see them.

 

You can watch my Ignite session on Deep Dive into RBAC in Intune for deeper understanding on the topic.

 

Step 5 - Create Mobile helpdesk admin role and add assignments

The last step is to create a role for the Mobile helpdesk admin and give it the permissions that admin requires. The process is the same as in Step 4; only the groups and permissions differ, to match the mobile device team's requirements.

 

As an example, I have created a Mobile Helpdesk role with Read permissions on all the workloads and the Sync Device permission under Remote Tasks. Based on my customer interactions, I have not given the mobile helpdesk team the Wipe permission in this role. Adjust the permissions to your requirements.

 

Figure: Mobile Helpdesk properties

 

The Microsoft Endpoint Manager documentation on creating a custom role describes the available permissions in detail.

 

As in Step 4, once the permissions are added and the role is created, add assignments to the role using the groups and scope tags created in the previous steps.

 

As an example, for the Mobile Helpdesk role I am adding an assignment named Android & iOS Assignment. Its Members are the Mobile – Helpdesk Admins group created in Step 2, its Scope (Groups) contains the Android Devices and iOS Devices groups created in Step 1, and its Scope tags are the Android and Apple tags created in Step 3.

 

Figure: Mobile Helpdesk assignment properties

 

This ensures that members of Mobile – Helpdesk Admins can assign policies, configurations and apps only to devices in the Android Devices and iOS Devices groups, and only if the role grants them assign permissions; here, again, we have not given the helpdesk assign permissions. It also ensures that members of Mobile – Helpdesk Admins can view only objects that carry the Android or Apple scope tag.
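The five steps above, scripted end to end with the Microsoft Graph PowerShell SDK, as an added example (this is not code from the original post or from Microsoft). Groups are created with New-MgGroup; the Intune RBAC objects (scope tags, role definitions, role assignments) go through the beta endpoint with Invoke-MgGraphRequest. The group, tag and role names match the post; the request bodies, the helper function names, the Android deviceOSType values, the roleScopeTags@odata.bind binding on the assignment and the resource-action identifiers are my assumptions, so confirm the identifiers against GET /deviceManagement/resourceOperations in your tenant before relying on them. Run it interactively as an Intune Administrator in a test tenant first.

```powershell
# Added example (not from the original post): Steps 1-5 as a script.
# Request bodies, helper names, Android OS-type values and the permission
# identifiers are assumptions to verify in your tenant (see lead-in).
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'DeviceManagementRBAC.ReadWrite.All'
$graph = 'https://graph.microsoft.com/beta'

# Step 1 - dynamic device groups keyed on device.deviceOSType.
# Assumption: Android Enterprise devices report AndroidForWork/AndroidEnterprise.
$deviceRules = [ordered]@{
    'Windows Devices' = '(device.deviceOSType -eq "Windows")'
    'iOS Devices'     = '(device.deviceOSType -eq "iOS")'
    'Android Devices' = '(device.deviceOSType -in ["Android","AndroidForWork","AndroidEnterprise"])'
}
$deviceGroups = @{}
foreach ($name in $deviceRules.Keys) {
    $deviceGroups[$name] = New-MgGroup -DisplayName $name -SecurityEnabled -MailEnabled:$false `
        -MailNickname ($name -replace '[^A-Za-z0-9]', '') -GroupTypes 'DynamicMembership' `
        -MembershipRule $deviceRules[$name] -MembershipRuleProcessingState 'On'
}

# Step 2 - static user groups for the two helpdesk teams (add the admins afterwards).
$helpdeskGroups = @{}
foreach ($name in 'Windows - Helpdesk Admins', 'Mobile - Helpdesk Admins') {
    $helpdeskGroups[$name] = New-MgGroup -DisplayName $name -SecurityEnabled -MailEnabled:$false `
        -MailNickname ($name -replace '[^A-Za-z0-9]', '')
}

# Step 3 - one scope tag per OS, auto-assigned to its device group so the
# devices inherit the tag without manual tagging.
function New-ScopeTagForGroups([string]$TagName, [string[]]$GroupIds) {
    $tag = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/roleScopeTags" `
        -Body @{ displayName = $TagName; description = "Devices handled by the $TagName helpdesk" }
    $assignments = @($GroupIds | ForEach-Object {
        @{ '@odata.type' = '#microsoft.graph.roleScopeTagAutoAssignment'
           target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $_ } }
    })
    Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/roleScopeTags/$($tag.id)/assign" `
        -Body @{ assignments = $assignments } | Out-Null
    return $tag
}
$tags = @{
    Windows = New-ScopeTagForGroups 'Windows' $deviceGroups['Windows Devices'].Id
    Apple   = New-ScopeTagForGroups 'Apple'   $deviceGroups['iOS Devices'].Id
    Android = New-ScopeTagForGroups 'Android' $deviceGroups['Android Devices'].Id
}

# Steps 4 and 5 - custom roles: Read on the workloads plus remote tasks, and
# nothing that creates, updates, deletes or assigns objects. Representative
# subset of the Read actions; the full list is GET $graph/deviceManagement/resourceOperations.
$readActions  = 'Microsoft.Intune_ManagedDevices_Read', 'Microsoft.Intune_DeviceConfigurations_Read',
                'Microsoft.Intune_MobileApps_Read', 'Microsoft.Intune_Organization_Read'
$windowsTasks = 'Microsoft.Intune_RemoteTasks_SyncDevice', 'Microsoft.Intune_RemoteTasks_Wipe'
$mobileTasks  = 'Microsoft.Intune_RemoteTasks_SyncDevice'   # no Wipe for the mobile team

function New-HelpdeskRole([string]$Name, [string[]]$Actions) {
    Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/roleDefinitions" -Body @{
        '@odata.type'   = '#microsoft.graph.roleDefinition'
        displayName     = $Name
        description     = "$Name: read-only plus remote tasks"
        isBuiltIn       = $false
        rolePermissions = @(@{ resourceActions = @(@{
            allowedResourceActions = $Actions; notAllowedResourceActions = @() }) })
    }
}

# members = who holds the role, resourceScopes = which devices remote tasks may
# target, roleScopeTags = which tagged objects appear in the console.
function Add-RoleAssignment([string]$RoleId, [string]$Name, [string[]]$MemberGroupIds,
                            [string[]]$DeviceGroupIds, [string[]]$ScopeTagIds) {
    Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/roleAssignments" -Body @{
        '@odata.type'               = '#microsoft.graph.deviceAndAppManagementRoleAssignment'
        displayName                 = $Name
        'roleDefinition@odata.bind' = "$graph/deviceManagement/roleDefinitions('$RoleId')"
        members                     = $MemberGroupIds
        resourceScopes              = $DeviceGroupIds
        'roleScopeTags@odata.bind'  = @($ScopeTagIds | ForEach-Object { "$graph/deviceManagement/roleScopeTags('$_')" })
    }
}

$windowsRole = New-HelpdeskRole 'Windows Helpdesk' ($readActions + $windowsTasks)
Add-RoleAssignment $windowsRole.id 'Windows Assignment' `
    $helpdeskGroups['Windows - Helpdesk Admins'].Id $deviceGroups['Windows Devices'].Id $tags.Windows.id

$mobileRole = New-HelpdeskRole 'Mobile Helpdesk' ($readActions + $mobileTasks)
Add-RoleAssignment $mobileRole.id 'Android & iOS Assignment' `
    $helpdeskGroups['Mobile - Helpdesk Admins'].Id `
    @($deviceGroups['Android Devices'].Id, $deviceGroups['iOS Devices'].Id) `
    @($tags.Android.id, $tags.Apple.id)
```

Reading the two role helpers together shows the three independent controls an assignment carries: members (who holds the role), resourceScopes (which devices remote tasks may target) and scope tags (which objects show up in the console). The role definition itself holds only Read and RemoteTasks actions, which is why the helpdesk cannot create or assign policies even inside their scope.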

 

Once the configuration is complete, you will notice that Windows Helpdesk Admins can view only Windows devices and cannot see mobile devices at all; they can sync and wipe Windows devices remotely. Similarly, Mobile Helpdesk Admins can view Android and iOS devices and sync them remotely, but cannot see Windows devices.

 

Note – Intune RBAC permissions are cumulative: a helpdesk admin who is a member of both the Mobile Helpdesk and the Windows Helpdesk assignments gets, on each device, the actions that the role covering that device's scope grants.

In the above example, if a helpdesk admin is a member of both the Windows – Helpdesk Admins and Mobile – Helpdesk Admins groups, they will be able to view both Windows and mobile devices. They can sync and wipe Windows devices as defined in the Windows Helpdesk role, but only sync mobile devices as defined in the Mobile Helpdesk role.
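An audit script for the finished setup, added here as an example (not code from the original post or from Microsoft). It lists every custom role with its allowed actions and flags anything beyond Read and RemoteTasks, then, for one helpdesk account, shows each assignment the account reaches through group membership and the combined (union) set of actions per device scope, which is the cumulative behaviour the note above describes. The beta endpoints, the helper names and the sample UPN are my assumptions; save it as a .ps1 and run it as an Intune Administrator.

```powershell
# Added example (not from the original post): audit the helpdesk RBAC boundary.
# Beta endpoints, helper names and the sample UPN are assumptions.
param([string]$UserPrincipalName = 'helpdesk.user@contoso.com')   # assumed sample account

Connect-MgGraph -Scopes 'DeviceManagementRBAC.Read.All', 'GroupMember.Read.All', 'User.Read.All'
$graph = 'https://graph.microsoft.com/beta'

function Get-GraphCollection([string]$Uri) {
    # Follows @odata.nextLink so large tenants are fully enumerated.
    $items = @()
    while ($Uri) {
        $page   = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

function Get-RoleActions($Role) {
    @($Role.rolePermissions | ForEach-Object { $_.resourceActions } |
      ForEach-Object { $_.allowedResourceActions })
}

# 1. Every custom role: list its actions and flag anything that is not a Read
#    or a RemoteTasks action, which a helpdesk role should not carry.
$customRoles = Get-GraphCollection "$graph/deviceManagement/roleDefinitions?`$filter=isBuiltIn%20eq%20false"
foreach ($role in $customRoles) {
    $actions   = Get-RoleActions $role
    $writeLike = @($actions | Where-Object { $_ -notmatch '_Read$' -and $_ -notmatch '_RemoteTasks_' })
    "{0}: {1} allowed actions" -f $role.displayName, $actions.Count
    if ($writeLike.Count) { "  ** grants beyond read/remote tasks: $($writeLike -join ', ')" }
}

# 2. Effective permissions for one user: the union, per device scope, of every
#    role whose assignment lists a group the user belongs to.
$user       = Invoke-MgGraphRequest -Method GET -Uri "$graph/users/$UserPrincipalName"
$userGroups = @(Get-GraphCollection "$graph/users/$($user.id)/transitiveMemberOf" |
                Where-Object { $_.'@odata.type' -eq '#microsoft.graph.group' } |
                ForEach-Object { $_.id })

$effective = @{}   # device group id -> HashSet of allowed actions
foreach ($role in $customRoles) {
    $actions = Get-RoleActions $role
    foreach ($stub in Get-GraphCollection "$graph/deviceManagement/roleDefinitions/$($role.id)/roleAssignments") {
        # The collection under the role is the base type; fetch the full
        # assignment object to get members and resourceScopes.
        $a   = Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/roleAssignments/$($stub.id)"
        $hit = @($a.members | Where-Object { $userGroups -contains $_ })
        if ($hit.Count -eq 0) { continue }
        "$UserPrincipalName reaches '$($a.displayName)' ($($role.displayName)) via group membership"
        foreach ($scope in $a.resourceScopes) {
            if (-not $effective.ContainsKey($scope)) {
                $effective[$scope] = [System.Collections.Generic.HashSet[string]]::new()
            }
            foreach ($act in $actions) { [void]$effective[$scope].Add($act) }
        }
    }
}
foreach ($scopeId in $effective.Keys) {
    $grp = Invoke-MgGraphRequest -Method GET -Uri "$graph/groups/$($scopeId)?`$select=displayName"
    "  on '{0}': {1}" -f $grp.displayName, (($effective[$scopeId] | Sort-Object) -join ', ')
}
```

For an account in both helpdesk groups the second section prints Wipe and SyncDevice against the Windows Devices scope but only SyncDevice against the Android Devices and iOS Devices scopes, which is exactly the boundary the two roles were meant to draw; any line flagged in the first section means a role has drifted beyond read-only plus remote tasks and should be reviewed.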

 

This configuration creates a clear boundary for your Desktop and Mobile device helpdesk teams to operate in, which is least privilege in practice. You also customize their view so they see only relevant devices, which helps their productivity. And because scope tags are applied to devices automatically through the device groups and the role assignments are group-based, no per-device manual work is required, so the solution scales across your departments.

 

We hope this helps you in setting up RBAC for your helpdesk teams in Microsoft Endpoint Manager and enables them to work effectively.

 

If you have any questions on this post, just let us know by commenting back on this post. You can also ask quick questions at @IntuneSuppTeam out on Twitter.

11 Comments
Brass Contributor

Thank you, customers frequently ask for such a scenario.

 

Copper Contributor

Hello,

 

Could you please guide me on how to provision read-only access to the BitLocker recovery key under a custom role for all enrolled devices.

Hi @Chetan_Jadhav, thanks for the question! BitLocker key objects and properties (including recovery keys) are managed within Azure Active Directory. See Overview of role-based access control in Azure Active Directory and Administrator role permissions in Azure Active Directory to learn more.

Copper Contributor

Thanks. Does this custom role ensure that we can see the BitLocker recovery key for a specific device by logging in to the Endpoint URL, or do we have to get it from the Azure portal by searching for the particular machine under Devices?

@Chetan_Jadhav - Yes, once the permission(s) has been granted, admins will be able to view the BitLocker recovery key from either the Azure Active Directory or Intune admin portals:

Azure Active Directory: Devices > All devices > "Targeted device" >  BitLocker Key ID

Microsoft Endpoint Manager - Intune: Devices > Windows > Windows devices > "Targeted device" > Recovery keys > BitLocker Key ID

 

Note: Intune provides access to the Azure AD blade for BitLocker so you can view BitLocker Key IDs and recovery keys for your Windows 10 devices, from within the Intune portal. To be accessible, the device must have its keys escrowed to Azure AD.

 

 More information on managing BitLocker policies for Windows 10 in Intune can be found in our docs here.

Copper Contributor

@Intune_Support_Team 

 

Thanks. When trying to create this custom role it's not giving the devices option; I have checked with microsoft.directory/bitlockerKeys/key/read as well but no luck. Could you please share the steps for this custom role creation.

 

BitLocker recovery keys: microsoft.directory/devices/bitLockerRecoveryKeys/read

Hi @Chetan_Jadhav, currently, permissions for Application registrations are supported in custom roles. More permissions are coming soon, so the "microsoft.directory/bitlockerKeys/key/read" permission is not currently supported for Custom Role creation. In the interim, you may want to use and assign one of the available Administrator role permissions in Azure Active Directory documented here.

Copper Contributor

So, as of now we are not able to create a custom role which helps to get the BitLocker recovery key. We have to go with the existing AAD roles.

Brass Contributor

I do agree that not being able to assign the "microsoft.directory/bitlockerKeys/key/read" permission through an Intune (custom) role currently is a gap, as the only option we have now for our support staff to be able to read the BitLocker recovery key is by assigning them an Azure AD role with more access than we want them to have currently. 
I think that might be the same issue @Chetan_Jadhav is trying to solve :smile:

Copper Contributor

@Andy D'Hollander 

 

Yes, exactly. I am looking to provide BitLocker recovery key access via the Intune portal itself.

@Intune_Support_Team Any update on this thread regarding the possibility to only grant microsoft.directory/bitlockerKeys/key/read to a custom role?
I don't want to assign the helpdesk role or any other role to the helpdesk, only to possibility to see the recovery keys.

Or make Application permissions supported for https://graph.microsoft.com/beta/informationProtection/bitlocker/recoveryKeys so we can build our own solution with PowerAutomate or something.

Version history
Last update:
‎Nov 30 2023 04:13 PM
Updated by: