Security Microsoft Defender for Endpoint Roles and Device Group Access

In this article of the Defender series, I would like to discuss about the MDE RBAC to reflect the least access principal.

This will cover the Roles for MDE and Device Group Access

As you may know the Least Privileged Access principal is in play for MDE as for any other M365/ Azure resource.

Defining the roles and who has access in essential before you move with the product. This means not everyone will get the highest privileges. There can be other IT Teams that needs only to view data and report etc.

You must be a Global Administrator or a Security Administrator to access the MDE portion of the portal.

However those 2 main admins will be able to activate ad create roles in the MDE it self as there can be other teams that needs to access the portal.

How to enable Roles?

In the M365 Defender Portal, go to Settings > Endpoints > Go to Roles under Permissions

You will see below. Click on Roles

Once the Roles are activated you can now add them below

You can leave the Administrator role as it as and start adding the roles as below from Add Item option

Hover over the features to see what’s covered with every feature

Once you have selected the options, go to the next tab Assigned user groups

Select the group below and add ad press Save

Setup Device Group Access

Device group access defines which admin groups will get to access the device groups specified in the MDE.

Device groups will be discussed a bit later, but I will touch base them.

In Endpoints, go to Device Groups under Permissions

Click on a device group and if you go to User Access Tab, now you can define which user groups has access to manage the devices.

The user groups that are in the User Access list are the groups that were defined under Roles

So basically this goes hand in hand as the user groups should be able to access the Devices in order to investigate issues

Check the below screenshot You will see the same user group we added earlier which is now available to give access to this device group

At this stage you have successfully defined the RBAC roles and provided Device Group permissions and safely advise the teams to start using them.


One thought on “Security Microsoft Defender for Endpoint Roles and Device Group Access

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.