Prerequisites and support

This article describes the requirements and prerequisites for using Microsoft Security Exposure Management.

Security Exposure Management is currently in public preview.


Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.


Permissions are based on Microsoft Entra ID RBAC. You need a tenant with at least one Global Admin or Security Admin to create a Security Exposure Management workspace.

  • For full Security Exposure Management access, user roles need access to all Defender for Endpoint device groups.
  • Users who have access restricted to specific device groups can:
    • Access global exposure insights data. They can't access specific device information and attack paths
    • Access the Security Exposure Management attack surface map and advanced hunting schemas (ExposureGraphNodes and ExposureGraphEdges) for the device groups to which they have access.

Permissions for Security Exposure Management tasks

For full access, users need one of the following Microsoft Entra ID roles:

  • Global Admin (read and write permissions)
  • Global Reader (read permissions)
  • Security Admin (read and write permissions)
  • Security Operator (read and limited write permissions)
  • Security Reader (read permissions)

Permission levels are summarized in the table.

Action Global Admin Global Reader Security Admin Security Operator Security Reader
Grant permissions to others - - - -
Onboard your organization to the Microsoft Defender External Attack Surface Management (EASM) initiative
Mark initiative as a favorite
Set initiative target score - - - -
View general initiatives
Share metric/Recommendations
Edit metric weight - - - -
Export metric (PDF)
View metrics
Export assets (metric/recommendation)
Manage recommendations - - -
View recommendations
Export events
Change criticality level
Set critical asset rule - - - -
Create criticality rule - - -
Turn criticality rule on/off - -
Run a query on exposure graph data

Browser requirements

You can access Security Exposure Management in the Microsoft Defender portal using Microsoft Edge, Internet Explorer 11, or any HTML 5 compliant web browser.

Critical asset classification

  • Before you start, learn about critical asset management in Security Exposure Management.

  • Review required permissions for working with the critical assets.

  • When classifying critical assets, we support devices running version 10.3740.XXXX of the Defender for Endpoint sensor or later. We recommended running a more recent sensor version, as listed on the Defender for Endpoint What's New page.

    You can check which sensor version a device is running as follows:

    • On a specific device, browse to the MsSense.exe file in C:\Program Files\Windows Defender Advanced Threat Protection. Right-click the file, and select Properties. On the Details tab, check the file version.

    • For multiple devices, it's easier to run an advanced hunting Kusto query to check device sensor versions, as follows:

      DeviceInfo | project DeviceName, ClientVersion

Getting support

To get support, select the Help question mark icon in the Microsoft Security toolbar.

Screenshot of the Microsoft Defender security portal Help button in the portal header bar.

You can also engage with the Microsoft Tech community.

Next steps

Start using Microsoft Security Exposure Management.