Creating and managing delegated access as a Managed Security Service Provider (MSSP) is an essential business requirement. But the overhead of granting, controlling, and auditing access into...
Updated Aug 10, 2020
Version 9.0
Blog Post
Dean_Gross, I just worked in the question, and from my understanding this is not possible with other M365 Defender services (i.e. Defender for Office, Defender for Identity, MCAS).
The short explanation is : Identity Governance actually adds users to groups, which have permissions on MDE, because MDE allows per-group role assignment. Other M365 services don't allow per-group role assignement.
The long explanation is :
- Defender for Endpoint (MDE) allows administrators to manage roles on a per-group basis. Consider this use case: from MDE, we give a specific role to the Tier 1 Analyst group. This role is made of some MDE permissions such as Active remediation actions. Then, when a new SOC analyst requests access to the https://myaccess.microsoft.com/@%3CCustomer[customerTenantId] URL (thanks to Identity Governance), they are actually added to the Tier 1 Analyst group as a guest user. This is the equivalent of manually inviting a guest user from the Azure portal, and assigning them to the Tier 1 Analyst group.
- Other M365 Defender services only allow administrators to manage roles on a per-user basis. Thus, using the Identity Governance doesn't make sense : it would automatically add users to a specific group, but this would not give users any permissions on MCAS, Defender for Office or Defender for Identity.
Maybe there is another way of leveraging Identity Governance, but as far as I know, there is not.