Assign roles and permissions for Microsoft Defender for Endpoint deployment

The next step when deploying Defender for Endpoint is to assign roles and permissions for the Defender for Endpoint deployment.

Role-based access control

Microsoft recommends applying the principle of least privilege. Defender for Endpoint uses the built-in roles within Microsoft Entra ID. Microsoft recommends reviewing the different roles that are available and choosing the one that fits the needs of each persona for this application. Some roles may only be needed temporarily and can be removed after the deployment is complete.

Use the following table to record which role each persona receives (the role columns are left blank for you to fill in):

Personas                   | Roles | Microsoft Entra role (if necessary) | Assign to
---------------------------|-------|-------------------------------------|----------
Security Administrator     |       |                                     |
Security Analyst           |       |                                     |
Endpoint Administrator     |       |                                     |
Infrastructure Administrator |     |                                     |
Business Owner/Stakeholder |       |                                     |

Microsoft recommends using Privileged Identity Management to manage your roles to provide additional auditing, control, and access review for users with directory permissions.

Defender for Endpoint supports two ways to manage permissions:

  • Basic permissions management: Set permissions to either full access or read-only. Users with Global Administrator or Security Administrator roles in Microsoft Entra ID have full access. The Security reader role has read-only access and does not grant access to view machines/device inventory.

  • Role-based access control (RBAC): Set granular permissions by defining roles, assigning Microsoft Entra user groups to the roles, and granting the user groups access to device groups. For more information, see Manage portal access using role-based access control.
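Under basic permissions management, the three Microsoft Entra roles named above decide who can reach Defender for Endpoint at all, so a least-privilege review starts with knowing who holds them. The following PowerShell script is an added example (not code from the Microsoft page) that lists the current members of those roles using the Microsoft Graph PowerShell SDK; it assumes the SDK is installed and that the signed-in account is allowed to read directory role membership.

```powershell
# Added example, not from the original page: enumerate who holds the Entra roles
# that grant Defender for Endpoint access under basic permissions management, so
# surplus assignments can be removed (or moved into PIM) before deployment.
# Assumes the Microsoft.Graph PowerShell SDK and permission to read role membership.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

# Roles named on the page: the first two give full access, the third read-only.
$rolesToReview = @{
    'Global Administrator'   = 'Full access'
    'Security Administrator' = 'Full access'
    'Security Reader'        = 'Read-only (no device inventory)'
}

# Get-MgDirectoryRole returns only roles that have been activated in the tenant;
# a role missing from the list has never been assigned, which is itself a finding.
$activeRoles = Get-MgDirectoryRole -All

$report = foreach ($roleName in $rolesToReview.Keys) {
    $role = $activeRoles | Where-Object DisplayName -eq $roleName
    if (-not $role) {
        [pscustomobject]@{ Role = $roleName; Access = $rolesToReview[$roleName]; Member = '(no assignments)'; Type = '' }
        continue
    }
    # Members may be users, groups or service principals; @odata.type tells them apart.
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $type = $m.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
        $name = $m.AdditionalProperties['userPrincipalName']
        if (-not $name) { $name = $m.AdditionalProperties['displayName'] }
        [pscustomobject]@{ Role = $roleName; Access = $rolesToReview[$roleName]; Member = $name; Type = $type }
    }
}

# Full-access holders deserve the closest look, so they sort first.
$report | Sort-Object Access, Role, Member | Format-Table -AutoSize
```

Directory role membership reflects active assignments only: roles held through Privileged Identity Management eligibility show up here only while they are activated, so review PIM eligible assignments separately.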

Microsoft recommends using RBAC to ensure that only users who have a business justification can access Defender for Endpoint.

You can find details on permission guidelines here: Create roles and assign the role to a Microsoft Entra group.

The following example table helps you identify the Cyber Defense Operations Center structure in your environment, which in turn determines the RBAC structure your environment requires.

Tier   | Description | Permission required
-------|-------------|--------------------
Tier 1 | Local security operations team / IT team. This team usually triages and investigates alerts contained within their geolocation and escalates to Tier 2 in cases where an active remediation is required. |
Tier 2 | Regional security operations team. This team can see all the devices for their region and perform remediation actions. | View data
Tier 3 | Global security operations team. This team consists of security experts and is authorized to see and perform all actions from the portal. | View data; Alerts investigation; Active remediation actions; Manage portal system settings; Manage security settings

Next step

After assigning roles and permissions to view and manage Defender for Endpoint, it's time for Step 3 - Identify your architecture and choose your deployment method.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.