Prerequisites and support
This article describes the requirements and prerequisites for using Microsoft Security Exposure Management.
Security Exposure Management is currently in public preview.
Important
Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
Permissions
Permissions are based on Microsoft Entra ID roles. You need a tenant with at least one Global Admin or Security Admin to create a Security Exposure Management workspace.
- For full Security Exposure Management access, user roles need access to all Defender for Endpoint device groups.
- Users whose access is restricted to some (but not all) of the organization's device groups can:
  - Access global exposure insights data.
  - View affected assets under metrics, recommendations, events, and initiatives history only within their scope.
  - View devices in attack paths that are within their scope.
  - Access the Security Exposure Management attack surface map and advanced hunting schemas (ExposureGraphNodes and ExposureGraphEdges) for the device groups to which they have access.
Permissions for Security Exposure Management tasks
For full access, users need one of the following Microsoft Entra ID roles:
- Global Admin (read and write permissions)
- Global Reader (read permissions)
- Security Admin (read and write permissions)
- Security Operator (read and limited write permissions)
- Security Reader (read permissions)
Permission levels for each role are summarized in the following table.
Action | Global Admin | Global Reader | Security Admin | Security Operator | Security Reader |
---|---|---|---|---|---|
Grant permissions to others | ✔ | - | - | - | - |
Onboard your organization to the Microsoft Defender External Attack Surface Management (EASM) initiative | ✔ | ✔ | ✔ | ✔ | ✔ |
Mark initiative as a favorite | ✔ | ✔ | ✔ | ✔ | ✔ |
Set initiative target score | ✔ | - | ✔ | - | - |
View general initiatives | ✔ | ✔ | ✔ | ✔ | ✔ |
Share metric/recommendations | ✔ | ✔ | ✔ | ✔ | ✔ |
Edit metric weight | ✔ | - | ✔ | - | - |
Export metric (PDF) | ✔ | ✔ | ✔ | ✔ | ✔ |
View metrics | ✔ | ✔ | ✔ | ✔ | ✔ |
Export assets (metric/recommendation) | ✔ | ✔ | ✔ | ✔ | ✔ |
Manage recommendations | ✔ | - | ✔ | - | - |
View recommendations | ✔ | ✔ | ✔ | ✔ | ✔ |
Export events | ✔ | ✔ | ✔ | ✔ | ✔ |
Change criticality level | ✔ | - | ✔ | ✔ | - |
Set critical asset rule | ✔ | - | ✔ | - | - |
Create criticality rule | ✔ | - | ✔ | - | - |
Turn criticality rule on/off | ✔ | - | ✔ | ✔ | - |
Run a query on exposure graph data | ✔ | ✔ | ✔ | ✔ | ✔ |
Browser requirements
You can access Security Exposure Management in the Microsoft Defender portal using Microsoft Edge, Internet Explorer 11, or any HTML5-compliant web browser.
Critical asset classification
Before you start, learn about critical asset management in Security Exposure Management.
Review required permissions for working with the critical assets.
When classifying critical assets, we support devices running version 10.3740.XXXX of the Defender for Endpoint sensor or later. We recommend running a more recent sensor version, as listed on the Defender for Endpoint What's New page.
You can check which sensor version a device is running as follows:
On a specific device, browse to the MsSense.exe file in C:\Program Files\Windows Defender Advanced Threat Protection. Right-click the file, and select Properties. On the Details tab, check the file version.
For multiple devices, it's easier to run an advanced hunting Kusto query to check device sensor versions, as follows:
DeviceInfo | project DeviceName, ClientVersion
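The following advanced hunting query is added here as an example and is not part of the Microsoft documentation; it extends the one-line query above so that each onboarded Windows device is listed once, with its latest sensor version, and flagged when that version is below the supported minimum. It assumes the standard DeviceInfo columns (DeviceId, OnboardingStatus, OSPlatform, Timestamp, ClientVersion) and uses 10.3740 as the lower bound, because the page does not state the full build number.

```kusto
// Added example (not from the page): flag devices whose Defender for Endpoint
// sensor is older than the minimum supported for critical asset classification.
// The page states the minimum as 10.3740.XXXX; the build suffix is not given,
// so 10.3740 is assumed here as the lower bound. parse_version() pads missing
// parts with zeros and returns a comparable decimal.
let MinSensorVersion = parse_version("10.3740");
DeviceInfo
| where OnboardingStatus == "Onboarded"
// The 10.xxxx numbering and the MsSense.exe check apply to the Windows sensor;
// restricting to Windows is an assumption, not a statement from the page.
| where OSPlatform startswith "Windows"
| where isnotempty(ClientVersion)
// DeviceInfo holds many rows per device over time; keep only the newest record.
| summarize arg_max(Timestamp, DeviceName, OSPlatform, ClientVersion) by DeviceId
| extend SensorVersion = parse_version(ClientVersion)
| extend BelowMinimum = SensorVersion < MinSensorVersion
| project DeviceId, DeviceName, OSPlatform, ClientVersion, BelowMinimum, LastSeen = Timestamp
| order by BelowMinimum desc, ClientVersion asc
```

Devices with BelowMinimum set to true are the ones that will not be covered by critical asset classification until their sensor is updated.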
Getting support
To get support, select the Help question mark icon in the Microsoft Security toolbar.
You can also engage with the Microsoft Tech community.