Automate the creation of custom RBAC roles, security groups, and role assignments for Microsoft Intune Remote Help.
This PowerShell script creates four custom RBAC roles in Microsoft Intune, each with specific Remote Help permissions, along with corresponding Entra ID security groups. Optionally, it binds each role to its paired group automatically with -AssignRoles.
The script is idempotent - roles and groups that already exist are skipped. It also handles removal of everything it creates with -Remove.
Multi Admin Approval (MAA): On tenants where Intune RBAC changes are gated by an approval policy, the script detects the pending approval response, reports it in the output, and lists pending items with instructions at the end of the run.
| Role Name | Security Group | Use Case |
|---|---|---|
| Remote Help - View Screen Only | Intune-RemoteHelp-ViewScreenOnly | Level 1 support, read-only assistance |
| Remote Help - Full Control | Intune-RemoteHelp-FullControl | Level 2/3 support, active troubleshooting |
| Remote Help - Elevation | Intune-RemoteHelp-Elevation | Elevated administrative tasks (UAC) |
| Remote Help - Unattended (Android) | Intune-RemoteHelp-Unattended | Managed Android dedicated device support |
All roles include base permissions:
- Remote Tasks - Offer remote assistance
- Remote Assistance Connector - Read
```powershell
Install-Module Microsoft.Graph.DeviceManagement.Administration
Install-Module Microsoft.Graph.Groups
Install-Module Microsoft.Graph.Authentication
```

- DeviceManagementRBAC.ReadWrite.All
- Group.ReadWrite.All
- Global Administrator or Intune Administrator role
```powershell
.\Create-Intune-Remote-Help-RBAC-Roles-Groups.ps1
```

```powershell
.\Create-Intune-Remote-Help-RBAC-Roles-Groups.ps1 -AssignRoles
```

Role assignments are scoped to All devices and All users. The assignment step is idempotent - existing assignments targeting the same group are skipped.

```powershell
.\Create-Intune-Remote-Help-RBAC-Roles-Groups.ps1 -AssignRoles -WhatIf
```

```powershell
.\Create-Intune-Remote-Help-RBAC-Roles-Groups.ps1 -Remove
```

Deleting a role definition cascades to its child role assignments automatically - no separate assignment cleanup needed.

```powershell
.\Create-Intune-Remote-Help-RBAC-Roles-Groups.ps1 -AssignRoles -ApprovalJustification "Remote Help rollout - July 2026"
```

Some tenants have an MAA policy enabled for the Role-based access control profile type. When this is the case, role and assignment creates/deletes are queued for a second admin to approve before taking effect.
The script handles this automatically. At the end of the run, pending items are listed with the path to approve them:
Intune admin center > Tenant administration > Multi Admin Approval > Received requests
Because role assignments require an existing role ID, the script must be run twice on MAA-protected tenants:
- First run - creates roles (queued in MAA) and Entra groups
- Approve role creation requests in MAA, then Complete them under My requests
- Second run with `-AssignRoles` - roles are found, assignments are created (may also queue in MAA)
After running the script, add support staff to the appropriate security groups:
- `Intune-RemoteHelp-ViewScreenOnly` - view-only helpers
- `Intune-RemoteHelp-FullControl` - full control helpers
- `Intune-RemoteHelp-Elevation` - helpers who need UAC elevation
- `Intune-RemoteHelp-Unattended` - Android unattended helpers
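
Once roles are assigned, membership of these four groups is what grants Remote Help rights, so it is worth reviewing after staff are added. The following is an added example, not part of the script or the original README: it lists direct members of each group and flags non-user members and principals that sit in more than one group. The function names are hypothetical, the sample rows are constructed, and the live query assumes an existing `Connect-MgGraph` session with `Group.Read.All`.

```powershell
# Added example (not the project's code). Assumes Connect-MgGraph -Scopes 'Group.Read.All' was run.
$RemoteHelpGroups = 'Intune-RemoteHelp-ViewScreenOnly', 'Intune-RemoteHelp-FullControl',
                    'Intune-RemoteHelp-Elevation', 'Intune-RemoteHelp-Unattended'

function Get-RemoteHelpMembership {
    # One row per (group, direct member) pair; nested members are not expanded.
    foreach ($name in $RemoteHelpGroups) {
        $found = @(Get-MgGroup -Filter "displayName eq '$name'" -All)
        if ($found.Count -ne 1) {
            # Display names are not unique in Entra ID, so zero or several matches need a look.
            Write-Warning "${name}: expected exactly one group, found $($found.Count)"
            continue
        }
        foreach ($m in Get-MgGroupMember -GroupId $found[0].Id -All) {
            [pscustomobject]@{
                Group = $name
                Id    = $m.Id
                Type  = ([string]$m.AdditionalProperties['@odata.type']) -replace '^#microsoft\.graph\.', ''
                Name  = [string]$m.AdditionalProperties['userPrincipalName']
            }
        }
    }
}

function Get-RemoteHelpMembershipFinding {
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Row)
    # Nested groups and service principals hide who actually holds the role.
    foreach ($r in ($Row | Where-Object { $_.Type -ne 'user' })) {
        [pscustomobject]@{ Finding = 'NonUserMember'; Id = $r.Id; Detail = "$($r.Type) in $($r.Group)" }
    }
    # Intune role permissions are cumulative: a principal in several groups holds the union.
    foreach ($g in ($Row | Group-Object Id | Where-Object { $_.Count -gt 1 })) {
        $groups = ($g.Group | ForEach-Object { $_.Group }) -join ', '
        [pscustomobject]@{ Finding = 'MultipleGroups'; Id = $g.Name; Detail = $groups }
    }
}

# Constructed sample rows (not tenant data) so the checks can be tried offline.
$sample = @(
    [pscustomobject]@{ Group = 'Intune-RemoteHelp-ViewScreenOnly'; Id = 'u1'; Type = 'user';  Name = 'l1@contoso.example' }
    [pscustomobject]@{ Group = 'Intune-RemoteHelp-FullControl';    Id = 'u1'; Type = 'user';  Name = 'l1@contoso.example' }
    [pscustomobject]@{ Group = 'Intune-RemoteHelp-Elevation';      Id = 'g7'; Type = 'group'; Name = '' }
)
Get-RemoteHelpMembershipFinding -Row $sample | Format-Table -AutoSize
# Against the tenant: Get-RemoteHelpMembershipFinding -Row @(Get-RemoteHelpMembership)
```
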
If you ran without -AssignRoles, assign roles manually:
Intune admin center > Tenant administration > Roles > Select role > Assignments
- Blog post - imab.dk
- Planning for Remote Help with Microsoft Intune
- Role-based access control (RBAC) with Microsoft Intune
Martin Bengtsson - imab.dk