Friday, August 25, 2023

Manage Defender for Endpoint portal access using RBAC

Microsoft recommends applying the principle of least privilege. Defender for Endpoint leverages the built-in roles within Microsoft Entra ID. Microsoft recommends reviewing the different roles that are available and choosing the right one for each persona that uses this application.


Defender for Endpoint supports two ways to manage permissions.
  • Basic permissions management: Set permissions to either full access or read-only.
    • Full access - Global Administrator, Security Administrator
    • Read-only access - Global Reader, Security Reader (does not have access to view the machines/device inventory.)
  • Role-based access control (RBAC): Set granular permissions by defining roles, assigning Microsoft Entra user groups to the roles, and granting the user groups access to device groups.
Note: Microsoft recommends leveraging RBAC to ensure that only users who have a business justification can access Defender for Endpoint.


Role-based access control (RBAC):

Defender for Endpoint RBAC is designed to support your tier- or role-based model of choice and gives you granular control over what roles can see, devices they can access, and actions they can take. The RBAC framework is centered around the following controls.
  • Control who can take specific actions
    • Create custom roles and control, with granularity, which Defender for Endpoint capabilities they can access.
  • Control who can see information on a specific device group or groups
    • Create device groups by specific criteria such as names, tags, domains, and others, then grant role access to them using a specific Microsoft Entra user group.

The following example table identifies a Cyber Defense Operations Center structure; mapping your own environment onto it will help you determine the RBAC structure your environment requires.


Example:



Step by Step:
  • Enable role-based permissions in Defender for Endpoint
    • Go to the Defender for Endpoint portal > Settings > Roles > Turn on
  • Create an Azure AD security group and add the required members
  • Go to the Defender for Endpoint portal > Settings > Endpoints > Roles (under Permissions)
    • Add role > Provide a specific name > Configure permissions as required
    • Select the security group created in Azure AD > Add selected group
    • Submit
  • Optional: If you also want to prevent other users from accessing these devices, create a device group and target the security group created in Azure AD.
    • Go to the Defender for Endpoint portal > Settings > Endpoints > Device groups (under Permissions)
    • Add device group > Specify the device group name
    • Specify the remediation level:
      • No automated response
      • Semi - require approval for all folders
      • Semi - require approval for non-temp folders
      • Semi - require approval for core folders
      • Full - remediate threats automatically
    • Specify the matching rule that determines which devices belong to this group > Preview devices
    • Select the Azure AD security group created earlier
    • Complete the wizard.
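The security-group step above, as an added example in Microsoft Graph PowerShell (not code from the original post or from Microsoft): it creates the group if it does not already exist, adds the listed members, and prints the membership for review before the group is assigned to a role in the portal. The group name and member UPNs are assumed placeholders; the remaining steps stay in the portal as described.

```powershell
# Added example (not from the original post): creates the Entra ID (Azure AD)
# security group for a Defender for Endpoint role and adds its members using
# the Microsoft Graph PowerShell SDK. Group name and member UPNs are placeholders.
$GroupName   = 'SG-MDE-Tier1-Analysts'                                  # assumed name
$Description = 'Members receive the Defender for Endpoint Tier 1 role'
$MemberUpns  = @('analyst1@contoso.example', 'analyst2@contoso.example') # placeholders

# Group.ReadWrite.All covers creating the group and changing its membership;
# User.Read.All is needed to resolve UPNs to object IDs.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

# Idempotent: reuse the group if it already exists so re-running the script
# does not create duplicates with the same display name.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'" | Select-Object -First 1
if (-not $group) {
    $group = New-MgGroup -DisplayName $GroupName `
                         -Description $Description `
                         -MailEnabled:$false `
                         -MailNickname ($GroupName -replace '[^A-Za-z0-9]', '') `
                         -SecurityEnabled
    Write-Host "Created group $($group.DisplayName) ($($group.Id))"
}

# Resolve each UPN and add it only if it is not already a member.
$existing = @(Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object Id)
foreach ($upn in $MemberUpns) {
    $user = Get-MgUser -UserId $upn -ErrorAction Stop
    if ($existing -contains $user.Id) {
        Write-Host "$upn is already a member"
        continue
    }
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
    Write-Host "Added $upn"
}

# Review the final membership before assigning the group to a role in the portal.
Get-MgGroupMember -GroupId $group.Id -All |
    Select-Object Id, @{ n = 'UserPrincipalName'; e = { $_.AdditionalProperties['userPrincipalName'] } }
```

Run it with an account that can create groups; the group's object ID and members are what you select under Settings > Endpoints > Roles when adding the role.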


Thank You!