Forum Discussion

dewey
Copper Contributor
Nov 08, 2023

How to view Device Isolation status without the ability to modify isolation status

I'm looking for a way for our helpdesk to view if a device is isolated, but without giving them permissions to isolate or remove machines from isolation. Often when the helpdesk runs into networking issues they immediately suspect the device has been isolated by Defender for Endpoint, but because they are unable to check if a device is isolated they transfer the ticket to the security team to simply check the status, and then the security team often just ends up transferring the ticket back to them once it is confirmed that the endpoint is not isolated, which delays troubleshooting had they just had the ability to check themselves in the first place and often causes troubleshooting to take much longer than necessary.

Our organization has implemented the new Unified RBAC permissions for Microsoft 365 Defender and activated all workloads. I have everyone in our helpdesk assigned to a custom role which gives them read-only access for all areas of Defender (Security operations: All read-only permissions, Security posture: All read-only permissions, Authorization and settings: All read-only permissions).

 

The security team can go to the Microsoft 365 Defender portal, go to Devices, select a device, and then when going to the device action menu can choose to isolate (inferring it is not currently isolated), or we can remove from isolation (we infer it is already isolated); however, our helpdesk doesn't see these options in this menu because they have read-only access to the portal.

 

I considered the action center, but the helpdesk also doesn't have access with read-only access. On top of that, you can only see actions from the last six months, and so if a device was isolated more than 6 months ago you would also not be able to determine the device's isolation status.

I determined the commands required to get a list of isolated machines using the API Explorer, which it does appear they have access to, but the helpdesk users don't get results whereas the security team does, so I concluded that they also have insufficient permissions for running this command:

GET https://api-us.securitycenter.microsoft.com/api/machineactions?$filter=type eq 'Isolate'

Helpdesk users get the following response in the API explorer for running this GET command:

Success - Status code 200, 1345ms

...but the Response Body shows the value as empty brackets instead of a valid response:

"value": []

 

I checked the related documentation for the MachineActions API:

List machineActions API | Microsoft Learn

This documentation describes how to assign permissions to an Enterprise App or App Registration, but not to an end-user.

API Explorer FAQ | Microsoft Learn

This other documentation states, "Specific API requests are limited based on your RBAC privileges. For example, a request to "Submit indicator" is limited to the security admin role."

 

Anyone have any other ideas how to view/list isolation status of endpoints for users with read-only permissions to the Defender portal?

  • You can try M365 Defender Custom roles, Security data basics (read) - this custom security data permission gives the required read access.
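
Added example, not part of the thread: the query in the question filters on `type eq 'Isolate'` only, which shows that a device was isolated at some point but not whether it was later released. The sketch below replays both Isolate and Unisolate actions to get the last known state per device, and treats the empty `"value": []` result described above as "unknown" rather than "not isolated". The field names (`type`, `status`, `machineId`, `creationDateTimeUtc`) are assumed to follow the machineAction resource, and the sample data is constructed.

```python
import json
from datetime import datetime

# Constructed sample shaped like a machineactions response body (IDs are made up).
SAMPLE = json.loads("""{"value": [
 {"type": "Isolate", "status": "Succeeded", "machineId": "m-001", "creationDateTimeUtc": "2023-05-02T09:15:00.1234567Z"},
 {"type": "Unisolate", "status": "Succeeded", "machineId": "m-001", "creationDateTimeUtc": "2023-05-03T11:00:00Z"},
 {"type": "Isolate", "status": "Succeeded", "machineId": "m-002", "creationDateTimeUtc": "2023-10-30T08:00:00.5Z"},
 {"type": "Unisolate", "status": "Failed", "machineId": "m-002", "creationDateTimeUtc": "2023-10-31T08:00:00Z"},
 {"type": "Isolate", "status": "Pending", "machineId": "m-003", "creationDateTimeUtc": "2023-11-08T07:30:00Z"},
 {"type": "RunAntiVirusScan", "status": "Succeeded", "machineId": "m-002", "creationDateTimeUtc": "2023-11-01T08:00:00Z"}
]}""")

# Only these two action types change isolation state.
RESULT = {"Isolate": "isolated", "Unisolate": "not isolated"}


def _when(action):
    """Sort key for the UTC timestamp; tolerates a missing or 7-digit fraction."""
    base, _, frac = action["creationDateTimeUtc"].rstrip("Z").partition(".")
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S"), int(frac[:7].ljust(7, "0"))


def isolation_status(response, machine_ids):
    """Map each requested machine ID to its last known isolation state."""
    if not response.get("value"):
        # A 200 with an empty list is what the read-only users in the thread saw,
        # so it cannot be read as "nothing is isolated".
        return {m: "unknown (empty result)" for m in machine_ids}
    state = {m: "no isolation action on record" for m in machine_ids}
    relevant = (a for a in response["value"] if a.get("type") in RESULT)
    for a in sorted(relevant, key=_when):  # replay oldest to newest
        m = a["machineId"]
        if m not in state:
            continue
        if a["status"] == "Succeeded":
            state[m] = RESULT[a["type"]]
        elif a["status"] in ("Pending", "InProgress"):
            state[m] = f"{a['type']} requested, not yet applied"
        # Failed, Cancelled and TimeOut actions leave the previous state in place.
    return state


if __name__ == "__main__":
    for machine, status in isolation_status(SAMPLE, ["m-001", "m-002", "m-003", "m-004"]).items():
        print(machine, "->", status)
```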
