How can I assign granular RBAC rights to Defender EASM Azure Resource

Sascha Reuter 10 Reputation points
2025-02-04T14:35:44.97+00:00

When creating a Defender EASM Resource in Azure, there is no possibility to granularly assign RBAC Roles to this resource. In the Defender EASM Portal the "IAM" Section is missing for role assignment.

However, in order to create the resource you need to be at least Contributor or Owner. This means any admin that needs to administer Defender EASM also needs at least Contributor rights on the RG.

This does not reflect the least privilege principle, as I might want an admin to administer EASM in the RG, but not be able to create other resources in the RG.

Is there any solution to this to assign rights just for management of EASM without having to grant contributor rights on RG Level?

Azure Role-based access control

1 answer

  1. Divyesh Govaerdhanan 1,200 Reputation points
    2025-02-04T15:21:37.6833333+00:00

    Hello @Sascha Reuter,

    Welcome to Microsoft Q&A,

    Currently, Microsoft does not support granular roles for Defender EASM resources, but you can create a custom role with EASM permissions.

    You can assign this custom role to the users, who will be able to access only the EASM features.

    Please upvote and accept the answer if it helps!

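The custom-role approach from the answer above, as an added example that is not part of the original answer: a role definition limited to the Defender EASM resource provider, a check that it grants nothing else, and the Azure CLI calls to create and assign it. The role name, the action list (the answer's screenshot is not on the page) and the resource-group scope are assumptions.

```shell
#!/bin/sh
# Added example. Assumptions: the role name and action list are illustrative
# (the answer's screenshot is not on the page); Microsoft.Easm is the
# Defender EASM resource provider namespace.
ROLE_NAME="Defender EASM Administrator (custom)"   # hypothetical name

# Print a custom role definition assignable only at one resource group.
easm_role_json() {   # args: subscription-id resource-group
  cat <<EOF
{
  "Name": "${ROLE_NAME}",
  "IsCustom": true,
  "Description": "Manage Defender EASM resources only.",
  "Actions": [
    "Microsoft.Easm/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "AssignableScopes": [ "/subscriptions/$1/resourceGroups/$2" ]
}
EOF
}

# Succeed only if every action is under Microsoft.Easm/ or is a read.
role_is_easm_only() {   # arg: role definition JSON
  printf '%s\n' "$1" | grep -oE '"Microsoft\.[A-Za-z]+/[^"]*"' | tr -d '"' |
  while read -r action; do
    case "$action" in
      Microsoft.Easm/*|*/read) ;;
      *) echo "unexpected action: $action" >&2; exit 1 ;;
    esac
  done
}

# Create the role, then assign it to one principal at the resource group.
apply_easm_role() {   # args: subscription-id resource-group assignee
  def="$(easm_role_json "$1" "$2")"
  role_is_easm_only "$def" || return 1
  az role definition create --role-definition "$def" || return 1
  az role assignment create --assignee "$3" --role "$ROLE_NAME" \
    --scope "/subscriptions/$1/resourceGroups/$2"
}

# Usage: sh easm-role.sh apply <subscription-id> <resource-group> <assignee>
if [ "${1:-}" = "apply" ]; then shift; apply_easm_role "$@"; fi
```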
