In this article of the Defender series, I would like to discuss MDE RBAC and how it reflects the least-privilege access principle.
This will cover the Roles for MDE and Device Group Access.
As you may know, the least-privileged access principle applies to MDE as it does to any other M365/Azure resource.
Defining the roles and who has access is essential before you move ahead with the product. This means not everyone will get the highest privileges. There can be other IT teams that only need to view data, run reports, etc.
You must be a Global Administrator or a Security Administrator to access the MDE portion of the portal.
However, those two main admins will be able to activate and create roles in MDE itself, as there can be other teams that need to access the portal.
How to enable Roles?
In the M365 Defender portal, go to Settings > Endpoints, then go to Roles under Permissions.
You will see the page below. Click on Roles.

Once the roles are activated, you can add them as shown below.

You can leave the Administrator role as it is and start adding roles, as below, from the Add Item option.

Hover over each feature to see what it covers.

Once you have selected the options, go to the next tab, Assigned user groups.
Select the group below, add it and press Save.

Setup Device Group Access
Device group access defines which admin groups will get access to the device groups specified in MDE.
Device groups will be discussed a bit later, but I will touch on them here.
In Endpoints, go to Device Groups under Permissions.
Click on a device group and go to the User Access tab, where you can define which user groups have access to manage the devices.
The user groups that are in the User Access list are the groups that were defined under Roles.
So basically this goes hand in hand, as the user groups should be able to access the devices in order to investigate issues.
Check the screenshot below. You will see the same user group we added earlier, which is now available to give access to this device group.

At this stage you have successfully defined the RBAC roles and provided Device Group permissions, and can safely advise the teams to start using them.