Forum Discussion
Device Groups not working as expected
yongrheemsft I've followed all of the steps in the Microsoft docs. So I have enabled roles and created a role to be assigned to the device group, as per the docs. I have created an AAD security group and assigned it to the device group, as per the docs. The device group has two endpoints as per the tagging. When the user is not a member of the group, they cannot see any endpoints in the portal. When they are added to the AAD group, they can see all of the endpoints in the portal. I was expecting that they should be able to see only the two endpoints that are in the device group, as per the docs.
- rob_wood_8894, Aug 12, 2022, Brass Contributor: They are not in any admin groups, I'll raise a ticket.
- rob_wood_8894, Aug 12, 2022, Brass Contributor:
  I suspect that this is the issue. When you create a role to use in Endpoint, the default permission is 'Read Data'. You cannot remove this permission.
- rob_wood_8894, Aug 23, 2022, Brass Contributor: OK, I now have the answer!
  - Every device group you create has to have an assigned AAD group (for RBAC), including the Unassigned DG.
  - Every AAD group has to be assigned to an MDE-created role.
  - The AAD group can have zero members, e.g. when used with the Unassigned DG, so no-one apart from admins can see the inventory.