Deploying Remote Assist using a shared identity across multiple users
This article contains high-level steps involved in deploying Remote Assist using shared Azure AD identity across multiple users. The guidance provided in this document focuses on provisioning Azure AD user accounts, assigning required licenses and HoloLens 2 device configuration for a shared device environment. For more detailed scenario-based deployment guidance, refer to [Common Deployment Scenarios](hololens-requirements.md).
1. Azure AD Accounts
Create Azure AD security groups and shared Azure AD user accounts to be used to log in to HoloLens 2 devices.
- Log in to the Azure AD admin center as an Azure AD Global Administrator.
- Navigate to New Group admin center blade and create an Azure AD Security Group to manage the HoloLens 2 shared user accounts. See Create a basic group and add members for step-by-step instructions.
- Navigate to New user - Azure Active Directory admin center blade and create new user accounts to be shared by multiple people to log in to the HoloLens 2 device. One Azure AD user account per HoloLens 2 device is recommended. For step-by-step instructions, see Add or delete users.
- Navigate to Groups - Azure Active Directory admin center, select the Azure AD security group name -> Members -> + Add members and add the above user accounts to the security group. For step-by-step instructions, see Add or remove group members.
2. License Assignments
Assign required licenses to the Azure AD user accounts.
You can assign the licenses required to use Dynamics 365 Remote Assist on HoloLens 2 to a user or to a user group. To assign licenses to a user group, follow the Assign licenses to a group step-by-step guide; to assign licenses to an individual user, follow the Assign licenses to users step-by-step guide. Assign the following licenses:
- Dynamics 365 Remote Assist
- Microsoft Teams
- Common Data Service for Remote Assist
For more information, see Requirements for Dynamics 365 Remote Assist.
To manage HoloLens 2 using Microsoft Endpoint Manager (Intune), follow the Assign Microsoft Intune licenses step-by-step guide to assign the following license.
- Microsoft Intune
To use advanced capabilities of Remote Assist, such as accessing OneDrive files, scheduling a one-time call, and integrating with Dynamics 365 Field Service, you must assign additional licenses to the HoloLens 2 user accounts. For more information, see Requirements for Dynamics 365 Remote Assist.
[!NOTE] For more information, see Scenarios, limitations, and known issues using groups to manage licensing in Azure Active Directory.
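The account and license steps above, as one Microsoft Graph PowerShell script. This is an added example, not code from the article or from Microsoft; the verified domain, device tags, usage location and SKU part numbers are placeholders to replace with your tenant's values.

```powershell
# Added example: provision the shared HoloLens 2 accounts (section 1) and assign
# licenses to their security group (section 2) with the Microsoft Graph PowerShell SDK.
# Assumptions: the Microsoft.Graph module is installed and you sign in as a Global Administrator.
Connect-MgGraph -Scopes 'Group.ReadWrite.All','User.ReadWrite.All','Organization.Read.All'

$domain     = 'contoso.example'                 # placeholder: a verified domain of the tenant
$deviceTags = @('hl2-001', 'hl2-002')           # one shared account per HoloLens 2 device
$skuNames   = @('<REMOTE_ASSIST_SKU>', '<TEAMS_SKU>', '<DATAVERSE_RA_SKU>', '<INTUNE_SKU>')

# 1. Security group that holds every shared HoloLens 2 account
$group = New-MgGroup -DisplayName 'HoloLens 2 Shared Accounts' -MailEnabled:$false `
    -MailNickname 'hl2-shared-accounts' -SecurityEnabled

foreach ($tag in $deviceTags) {
    # Random password that is only used by the admin during first-time device setup.
    # End users sign in with the device-bound Windows Hello PIN, so the password is
    # never handed out; keep it in the admin password vault, never in a script or ticket.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $password = [Convert]::ToBase64String($bytes)

    $user = New-MgUser -DisplayName "HoloLens 2 $tag" -UserPrincipalName "$tag@$domain" `
        -MailNickname $tag -AccountEnabled -UsageLocation 'US' `
        -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $false }

    # Membership in the group is what makes group-based licensing apply to the account
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
    Write-Host "Created $($user.UserPrincipalName); store its password in the admin vault."
}

# 2. Resolve the SKU part numbers to SkuIds and license the whole group at once
$skus = @(Get-MgSubscribedSku | Where-Object { $_.SkuPartNumber -in $skuNames })
if ($skus.Count -ne $skuNames.Count) { throw 'One or more required SKUs are not in this tenant' }
$addLicenses = $skus | ForEach-Object { @{ SkuId = $_.SkuId } }
Set-MgGroupLicense -GroupId $group.Id -AddLicenses $addLicenses -RemoveLicenses @()
```

A UsageLocation is required before any license can be assigned, so set it to the country where the devices are used.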
3. Device Configuration
To share HoloLens 2 devices with multiple people using shared Azure AD user accounts, configure the following to protect the user credentials and to restrict the apps that HoloLens 2 users can use. Follow Set up your HoloLens 2 to set up each HoloLens 2 device for the first time, using the shared Azure AD user accounts created in the Azure AD Accounts section above. Use one Azure AD user account per HoloLens 2 device. During HoloLens 2 initial setup, skip iris login configuration and configure a Windows Hello PIN to log in to the device (see the details below).
Use a Windows Hello PIN to log in to HoloLens 2 devices. Do not share the shared account passwords with end users. Configuring a Windows Hello PIN means the user account password never has to be given to end users: they log in to a specific HoloLens 2 device using the Windows Hello PIN configured for the user account on that device. The configured Windows Hello PIN is cryptographically tied to that HoloLens 2 device, so it cannot be used to log in to the user account from a browser on a PC or from a different HoloLens 2 device.
For more information, see Share your HoloLens with multiple people.
You can also use the AutoLogonUser policy to automatically log in to the device with an identity tied to that device. This bypasses the HoloLens 2 login experience, and the user can pick up the device and start using it straight away. For more information, see Auto login policy controlled by CSP.
For shared HoloLens 2 devices, Kiosk mode is recommended to control which applications are shown in the Start menu when a user signs in to HoloLens. By allowing only the required apps, such as Remote Assist, you prevent users from opening the Edge browser, signing in to the user account settings page through SSO, and viewing the shared account's details from the HoloLens 2 device.
If you use Microsoft Endpoint Manager (Intune) to manage the devices
If you use Provisioning Packages to manage the devices
Use Windows Configuration Designer to configure and deploy single or multiple app kiosk mode provisioning packages. For more information, see Set up HoloLens as a kiosk.
Windows Defender Application Control (WDAC)
WDAC allows you to configure HoloLens to block the launch of apps. It differs from Kiosk mode, where the UI hides the apps but they can still be launched. With WDAC, the app tiles remain visible but the apps cannot be launched. For more information, see Windows Defender Application Control (WDAC).
Using a shared Azure AD account has the following limitations (including but not limited to):
- Identity – Users cannot use IRIS to sign in on the HoloLens 2 device and are unable to access their work account related content in Microsoft 365.
- Caller ID / Contacts – Accessing a user’s personal contacts list / most recently called contacts is not possible, and caller ID will show the shared account name rather than the user’s name.
- User-Based Workflows – It is not possible to use the advanced integrations with Field Service, because the user being "assigned" work items is not the user signed in to Remote Assist.
- PIN Sharing – As iris sign-in is not possible, the Windows Hello PIN must be shared between the users of a device.
Using a shared Azure AD account poses the following issues to be addressed (including but not limited to):
- Lack of accountability – With a shared account, there is no way to prove who has used the device, and what was done with the device.
- Lack of auditing – Audit records will be incomplete, and in the event of an incident, it could be impossible to identify the user.
- Individual tracking / analytics – Per-user tracking and analytics are not available.
- Permissions – Advanced permissions cannot be applied on a shared-account basis.
- MFA ownership – multifactor authentication (MFA) should be owned by a central authority for shared accounts.
- PIN reset – When the PIN needs to be reset, knowing who owns the MFA method for the account on that device is challenging.
You must review, and where necessary change, the following Azure AD settings (including but not limited to) when you want to use shared Azure AD user accounts. When enabling or disabling these Azure AD settings, take extreme care to make sure that the change does not cause issues for existing or new user accounts.
- Review Administrator Portal access setting in Users | User Settings blade.
- Review App Registrations setting in Users | User Settings blade.
- Review Linked account connections setting in Users | User Settings blade.
- Review User features setting in Users | User features blade.
- Review Self-service password reset setting in Password reset | Properties blade.
- Review Join devices to Azure AD setting in Devices | Device settings blade.
- Review Enterprise State Roaming setting in Devices | Enterprise State Roaming blade.
[!WARNING] Do NOT share the shared account passwords with end users. In a shared environment, end users should always log in to HoloLens 2 devices using the Azure AD account name and its associated Windows Hello PIN, or using the auto login feature.