In this post, let's look at how to configure an RBAC role so that the service desk team can perform remote tasks on devices. This can be done with the built-in Help Desk Operator role: when the role is assigned to a group, the users in that group receive its permissions. I am using the two accounts below to show the console experience from each side.
Karthick – Global administrator
Mark – Service desk engineer, member of the Help Desk Team group in Azure AD and Microsoft Intune.
Before assigning anything, decide which role the team actually needs and which resources they should be able to manage in the console; a role that can wipe devices should be scoped as tightly as the job allows. Perform the steps below to complete the role assignment.
1. Sign in with the global admin account. Click Roles -> All Roles and select the Help Desk Operator role.
2. Under Assignments, click Add (Assign) and fill in the three parts of the assignment:
   - Members (Groups): click Add and select the Azure AD group that contains the service desk engineers.
   - Scope (Groups): set the scope groups to All users & All devices. Scope groups define which users and devices the members of this role may act on; All users & All devices places no restriction here, so only the scope tag limits what they can reach.
   - Scope (Tags): click Add and select the All Locations scope tag I created earlier. A scope tag controls which objects an admin can see or access in the console, so the devices must also carry that tag: under Devices -> All devices it can be set manually per device, or automatically by targeting the scope tag at a device group. Scope tags are created under Roles -> Scope (Tags).
3. Click OK to complete the role assignment for the Help Desk Operator role.
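The same assignment done with Microsoft Graph PowerShell instead of console clicks, as an added example that is not part of the original post. It assumes the Microsoft.Graph module is installed and the caller holds an Intune administrator role, uses the beta endpoint because scope tag assignment and `roleScopeTagIds` on role assignments live there, and the device group "All Corporate Devices" used for automatic tagging is a hypothetical name; "Help Desk Team" and "All Locations" are the names used on this page.

```powershell
# Added example, not from the original post. Assumptions: Microsoft.Graph module
# installed; caller is an Intune admin; beta Graph endpoints; the device group
# "All Corporate Devices" is a hypothetical name used for automatic scope tagging.
Connect-MgGraph -Scopes "DeviceManagementRBAC.ReadWrite.All", "Group.Read.All"

$beta = "https://graph.microsoft.com/beta"

function Get-GroupId([string]$DisplayName) {
    # Groups support $filter on displayName. Fail loudly rather than assign a role to $null.
    $uri = "https://graph.microsoft.com/v1.0/groups?`$filter=displayName eq '$DisplayName'&`$select=id,displayName"
    $r = Invoke-MgGraphRequest -Method GET -Uri $uri
    if ($r.value.Count -ne 1) { throw "Expected exactly one group named '$DisplayName', found $($r.value.Count)" }
    return $r.value[0].id
}

# 1. Resolve the built-in role by name (the list is small, so filter client-side).
$roleDefs = (Invoke-MgGraphRequest -Method GET -Uri "$beta/deviceManagement/roleDefinitions").value
$helpDesk = $roleDefs | Where-Object { $_.displayName -eq 'Help Desk Operator' -and $_.isBuiltIn }
if (-not $helpDesk) { throw "Built-in 'Help Desk Operator' role not found" }

# 2. Find or create the scope tag that limits what the service desk can see.
$tags = (Invoke-MgGraphRequest -Method GET -Uri "$beta/deviceManagement/roleScopeTags").value
$tag = $tags | Where-Object { $_.displayName -eq 'All Locations' }
if (-not $tag) {
    $tag = Invoke-MgGraphRequest -Method POST -Uri "$beta/deviceManagement/roleScopeTags" -Body @{
        displayName = 'All Locations'
        description = 'Devices visible to the service desk'
    }
}

# 3. Automated tagging: target the scope tag at a device group, so every device in the
#    group carries the tag without per-device edits in Devices -> All devices.
$deviceGroupId = Get-GroupId 'All Corporate Devices'   # hypothetical group name
Invoke-MgGraphRequest -Method POST -Uri "$beta/deviceManagement/roleScopeTags/$($tag.id)/assign" -Body @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $deviceGroupId } }
    )
} | Out-Null

# 4. Create the role assignment: members = Help Desk Team, scope groups = all users and
#    devices (no restriction), visibility limited only by the scope tag.
$memberGroupId = Get-GroupId 'Help Desk Team'
$assignment = @{
    '@odata.type'               = '#microsoft.graph.deviceAndAppManagementRoleAssignment'
    displayName                 = 'Help Desk Operator - Service Desk Team'
    description                 = 'Remote tasks (restart/retire/wipe) for service desk engineers'
    members                     = @($memberGroupId)
    scopeType                   = 'allDevicesAndLicensedUsers'   # the "All users & All devices" console choice
    roleScopeTagIds             = @($tag.id)
    'roleDefinition@odata.bind' = "$beta/deviceManagement/roleDefinitions/$($helpDesk.id)"
}
$created = Invoke-MgGraphRequest -Method POST -Uri "$beta/deviceManagement/roleAssignments" -Body $assignment
"Created role assignment $($created.id) for role '$($helpDesk.displayName)'"
```

If the service desk should only touch a subset of devices, replace `scopeType` with `resourceScope` and pass the device group IDs in `resourceScopes`; that is the knob that actually narrows what the remote tasks can hit, whereas the scope tag only narrows what is visible.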
Help desk Admin experience
1. Sign in to the device management portal as the help desk user and click Devices -> All devices.
2. Select a device: the admin has access to restart, retire and wipe it, which are the remote tasks the Help Desk Operator role grants.
3. Click the Conditional access blade: the admin gets an Access Denied message. Conditional Access policies are governed by Azure AD roles, not by Intune RBAC, so no Intune role assignment grants them.
4. The admin can see exactly which permissions the role grants under Roles -> All Roles -> Help Desk Operator -> Permissions.
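The permissions check from step 4 done over Graph rather than by clicking through the console, as an added example that is not part of the original post. It assumes the Microsoft.Graph module and the read-only RBAC scope, and that resource actions in the role definition follow the `Microsoft.Intune_<Resource>_<Action>` naming seen in Graph role definitions.

```powershell
# Added example, not from the original post. Assumes Microsoft.Graph module; a read-only
# RBAC scope is enough, so the help desk user could run this against their own role.
Connect-MgGraph -Scopes "DeviceManagementRBAC.Read.All"

$beta = "https://graph.microsoft.com/beta"
$role = (Invoke-MgGraphRequest -Method GET -Uri "$beta/deviceManagement/roleDefinitions").value |
    Where-Object { $_.displayName -eq 'Help Desk Operator' -and $_.isBuiltIn }
if (-not $role) { throw "Built-in 'Help Desk Operator' role not found" }

# rolePermissions[].resourceActions[].allowedResourceActions holds the granted actions.
$allowed = $role.rolePermissions | ForEach-Object { $_.resourceActions } |
    ForEach-Object { $_.allowedResourceActions } | Sort-Object -Unique

# Group by resource so the output reads like the console's Permissions page.
$allowed | ForEach-Object {
    $parts = $_ -split '_', 3          # "Microsoft.Intune", resource, action (assumed naming)
    [pscustomobject]@{ Resource = $parts[1]; Action = $parts[2] }
} | Group-Object Resource | ForEach-Object {
    "{0}: {1}" -f $_.Name, (($_.Group.Action | Sort-Object) -join ', ')
}

# What the walkthrough relies on: remote tasks are present, and nothing touches
# Conditional Access (an Azure AD role, so it never appears in an Intune role definition).
$remote = $allowed | Where-Object { $_ -like 'Microsoft.Intune_RemoteTasks_*' }
if (-not $remote) { Write-Warning "No RemoteTasks permissions found; restart/retire/wipe will be denied" }
if ($allowed | Where-Object { $_ -like '*ConditionalAccess*' }) {
    Write-Warning "Unexpected Conditional Access permission in an Intune role definition"
}
```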