Assign roles and permissions for Microsoft Defender for Endpoint deployment

Applies to:

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

The next step when deploying Defender for Endpoint is to assign roles and permissions for The Defender for Endpoint deployment.

Role-based access control

Microsoft recommends using the concept of least privileges. Defender for Endpoint leverages built-in roles within Microsoft Entra ID. Microsoft recommends review the different roles that are available and choose the right one to solve your needs for each persona for this application. Some roles may need to be applied temporarily and removed after the deployment has been completed.

Personas Roles Microsoft Entra role (if necessary) Assign to
Security Administrator
Security Analyst
Endpoint Administrator
Infrastructure Administrator
Business Owner/Stakeholder

Microsoft recommends using Privileged Identity Management to manage your roles to provide additional auditing, control, and access review for users with directory permissions.

Defender for Endpoint supports two ways to manage permissions:

  • Basic permissions management: Set permissions to either full access or read-only. Users with Global Administrator or Security Administrator roles in Microsoft Entra ID have full access. The Security reader role has read-only access and does not grant access to view machines/device inventory.

  • Role-based access control (RBAC): Set granular permissions by defining roles, assigning Microsoft Entra user groups to the roles, and granting the user groups access to device groups. For more information. see Manage portal access using role-based access control.

Microsoft recommends leveraging RBAC to ensure that only users that have a business justification can access Defender for Endpoint.

You can find details on permission guidelines here: Create roles and assign the role to a Microsoft Entra group.

The following example table serves to identify the Cyber Defense Operations Center structure in your environment that will help you determine the RBAC structure required for your environment.

Tier Description Permission Required
Tier 1 Local security operations team / IT team

This team usually triages and investigates alerts contained within their geolocation and escalates to Tier 2 in cases where an active remediation is required.

Tier 2 Regional security operations team

This team can see all the devices for their region and perform remediation actions.

View data
Tier 3 Global security operations team

This team consists of security experts and is authorized to see and perform all actions from the portal.

View data

Alerts investigation Active remediation actions

Alerts investigation Active remediation actions

Manage portal system settings

Manage security settings

Next step

After assigning roles and permissions to view and manage Defender for Endpoint it's time for Step 3 - Identify your architecture and choose your deployment method.


Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.