Forum Discussion
Restricting Access to Device Groups (or similar)
We have some devices that should be managed by a different team. They will need to be able to create policies in Intune, so they will need access to information like risk level (for compliance policies) and they need to work on issues like "Fix Microsoft Defender for Endpoint impaired communications in macOS". We are using the "Microsoft Defender XDR permissions model".
What I want to accomplish is to restrict this team in a way that they cannot see the "device timeline" on devices that are not managed by them, because that does contain information about document file names.
In a perfect world, I would be able to grant the Security Administrator role to the Entra security group that defines that team with a filter to only show information regarding a specific Entra device group.
Unfortunately, I cannot find a way to do that.
Is there a way to restrict the devices a person can see after adding the user to the Security Administrator role? Or is there a way to hide the timeline from such a user, while still letting the user see the inventories (software, vulnerabilities), see the status of the devices they manage in Defender and create / update policies in Defender?
- rahuljindal-MVP (Bronze Contributor): Sounds like custom RBAC access against device groups in Defender. Have you tried it yet?