Assign roles and permissions for Microsoft Defender for Endpoint deployment


The next step when deploying Defender for Endpoint is to assign roles and permissions for the Defender for Endpoint deployment.

Important

Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

Role-based access control

Microsoft recommends using the concept of least privilege. Defender for Endpoint applies built-in roles within Microsoft Entra ID. Review the different roles available and choose the one that fits each persona's needs for this application. Some roles may only be needed temporarily and should be removed after the deployment has been completed.

Microsoft recommends using Privileged Identity Management to manage your roles to provide more auditing, control, and access review for users with directory permissions.

Defender for Endpoint supports two ways to manage permissions:

  • Basic permissions management: Set permissions to either full access or read-only. Users with a role such as Security Administrator in Microsoft Entra ID have full access. The Security Reader role has read-only access and doesn't grant access to view the machine/device inventory.

  • Role-based access control (RBAC): Set granular permissions by defining roles, assigning Microsoft Entra user groups to the roles, and granting the user groups access to device groups. For more information, see Manage portal access using role-based access control.

Microsoft recommends applying RBAC to ensure that only users who have a business justification can access Defender for Endpoint.

You can find details on permission guidelines here: Create roles and assign the role to a Microsoft Entra group.

Important

Starting February 16, 2025, new Microsoft Defender for Endpoint customers will only have access to Unified Role-Based Access Control (URBAC). Existing customers keep their current roles and permissions. For more information, see Unified Role-Based Access Control (URBAC) for Microsoft Defender for Endpoint.

The following example table describes a typical Cyber Defense Operations Center structure. Use it to identify the corresponding structure in your environment and to determine the RBAC structure you require.

Tier 1 - Local security operations team / IT team
  Description: This team usually triages and investigates alerts contained within their geolocation and escalates to Tier 2 in cases where an active remediation is required.
  Permissions required:
  • View data

Tier 2 - Regional security operations team
  Description: This team can see all the devices for their region and perform remediation actions.
  Permissions required:
  • View data
  • Alerts investigation
  • Active remediation actions

Tier 3 - Global security operations team
  Description: This team consists of security experts and is authorized to see and perform all actions from the portal.
  Permissions required:
  • View data
  • Alerts investigation
  • Active remediation actions
  • Manage portal system settings
  • Manage security settings
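The RBAC model described above (roles carry permissions, Entra groups are assigned to roles, and each group is scoped to device groups) combined with the tier table can be expressed as a small authorization model. The following Python example is added here for illustration and is not Microsoft's code or the portal's actual evaluation logic; the group names and device group names are constructed samples, and the permission names are the ones from the tier table.

```python
# Permission names as listed in the tier table on this page.
VIEW = "View data"
INVESTIGATE = "Alerts investigation"
REMEDIATE = "Active remediation actions"
PORTAL_SETTINGS = "Manage portal system settings"
SECURITY_SETTINGS = "Manage security settings"

# Roles -> permissions, mirroring the three tiers in the table.
ROLES = {
    "Tier1-Local": {VIEW},
    "Tier2-Regional": {VIEW, INVESTIGATE, REMEDIATE},
    "Tier3-Global": {VIEW, INVESTIGATE, REMEDIATE,
                     PORTAL_SETTINGS, SECURITY_SETTINGS},
}

# Constructed sample: Entra group -> (assigned role, device groups in scope).
# A permission only applies to devices in the group's device-group scope.
ASSIGNMENTS = {
    "sg-soc-emea-t1": ("Tier1-Local", {"EMEA-Workstations"}),
    "sg-soc-emea-t2": ("Tier2-Regional", {"EMEA-Workstations", "EMEA-Servers"}),
    "sg-soc-global": ("Tier3-Global", {"EMEA-Workstations", "EMEA-Servers",
                                       "APAC-Workstations"}),
}


def can(user_groups, permission, device_group):
    """True if any of the user's groups grants `permission` on `device_group`.

    Both conditions must hold for the same group: the role must carry the
    permission AND the device group must be inside that group's scope.
    """
    for group in user_groups:
        role, scope = ASSIGNMENTS.get(group, (None, set()))
        if role and permission in ROLES[role] and device_group in scope:
            return True
    return False


def over_privileged(user_groups, needed):
    """Return permissions granted beyond `needed`, the set the persona requires.

    A non-empty result means the assignment violates least privilege and the
    role should be narrowed or made temporary, as the page recommends.
    """
    granted = set()
    for group in user_groups:
        role, _ = ASSIGNMENTS.get(group, (None, set()))
        if role:
            granted |= ROLES[role]
    return granted - set(needed)
```

Running `over_privileged` against each persona's required permission set from the table is a quick way to spot groups that were given a broader tier role than their function needs.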

Next step

After assigning roles and permissions to view and manage Defender for Endpoint, it's time for Step 3 - Identify your architecture and choose your deployment method.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.