Assign roles and permissions for Microsoft Defender for Endpoint deployment

Applies to:

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

The next step when deploying Defender for Endpoint is to assign roles and permissions for the Defender for Endpoint deployment.

Important

Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

Role-based access control

Microsoft recommends using the concept of least privileges. Defender for Endpoint leverages built-in roles within Microsoft Entra ID. Review the different roles available and choose the right one to solve your needs for each persona for this application. Some roles may need to be applied temporarily and removed after the deployment has been completed.

Microsoft recommends using Privileged Identity Management to manage your roles to provide additional auditing, control, and access review for users with directory permissions.

Defender for Endpoint supports two ways to manage permissions:

  • Basic permissions management: Set permissions to either full access or read-only. Users with a role, such as Security Administrator in Microsoft Entra ID have full access. The Security reader role has read-only access and does not grant access to view machines/device inventory.

  • Role-based access control (RBAC): Set granular permissions by defining roles, assigning Microsoft Entra user groups to the roles, and granting the user groups access to device groups. For more information. see Manage portal access using role-based access control.

Microsoft recommends leveraging RBAC to ensure that only users that have a business justification can access Defender for Endpoint.

You can find details on permission guidelines here: Create roles and assign the role to a Microsoft Entra group.

The following example table serves to identify the Cyber Defense Operations Center structure in your environment that will help you determine the RBAC structure required for your environment.

Tier Description Permissions required
Tier 1 Local security operations team / IT team

This team usually triages and investigates alerts contained within their geolocation and escalates to Tier 2 in cases where an active remediation is required.
View data
Tier 2 Regional security operations team

This team can see all the devices for their region and perform remediation actions.
View data

Alerts investigation

Active remediation actions

Tier 3 Global security operations team

This team consists of security experts and is authorized to see and perform all actions from the portal.
View data

Alerts investigation

Active remediation actions

Manage portal system settings

Manage security settings

Next step

After assigning roles and permissions to view and manage Defender for Endpoint it's time for Step 3 - Identify your architecture and choose your deployment method.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.