PeterJoInobits
Jul 18, 2022
Brass Contributor
Defender for Endpoint on Domain Controllers and restricting control
Hi Community, I've got a customer who's busy deploying Windows Defender and has purchased several thousand Defender for Endpoint on Server licenses. The AD team has raised some concerns on wh...
yongrheemsft
Microsoft
Jul 20, 2022

PeterJoInobits, the first question is: are there more than 2 Global Admins? If so, that probably needs to be looked into, but that is not a topic that we will go into in this forum. Yes, PIM + MFA should be used by Global Admin accounts, but also for other Identity accounts managing your infrastructure. You would then tag the Domain Controllers (DCs) and assign them to a "Device Group", to which you would then assign an MDE RBAC "Security Group" for the SOC/IR folks who would be able to see and/or investigate and/or remediate.

Hope this helps,
Yong
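
The tagging step in the reply above can be scripted. This is an added example, not part of the thread or Microsoft's own code: it writes the Defender for Endpoint `DeviceTagging` registry value on every domain controller and reports the result. The tag name `Tier0-DC` is a made-up value, and the script assumes the ActiveDirectory module and PowerShell remoting to the DCs.

```powershell
#Requires -Modules ActiveDirectory
# Added example: stamp an MDE device tag on every domain controller so a
# device group can match on it. 'Tier0-DC' is a constructed tag name.
$TagValue = 'Tier0-DC'
$TagKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'

# Enumerate all DCs in the current domain.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {
    try {
        Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
            param($Key, $Value)
            # Create the policy key if the sensor has never been tagged.
            if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
            $current = (Get-ItemProperty -Path $Key -Name Group -ErrorAction SilentlyContinue).Group
            # Only write when the value differs, so reruns are idempotent.
            if ($current -ne $Value) {
                Set-ItemProperty -Path $Key -Name Group -Value $Value -Type String
            }
            [pscustomobject]@{
                Previous = $current
                Current  = (Get-ItemProperty -Path $Key -Name Group).Group
            }
        } -ArgumentList $TagKey, $TagValue |
            Select-Object @{n='DC';e={$dc}}, Previous, Current, @{n='Error';e={$null}}
    }
    catch {
        # Unreachable DC or access denied: record it instead of stopping.
        [pscustomobject]@{ DC = $dc; Previous = $null; Current = $null; Error = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize

# Any DC without the tag would fall outside the restricted device group.
$missing = $results | Where-Object { $_.Current -ne $TagValue }
if ($missing) { Write-Warning "Tag not set on: $($missing.DC -join ', ')" }
```

The device group that matches this tag and the RBAC assignment for the SOC/IR security group are still configured as the reply describes.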