Forum Discussion
role needed to view devices inventory in Defender
Hello,
I'm a global admin for my organization and was recently asked to provide read-only access to a manager in Defender. He is mainly interested in viewing the devices inventory in the security portal. I assigned the role of security reader, but he reported he was not able to see it. I then assigned the role of global reader, yet he still reported not being able to see it. I am not sure why he is not able to see the devices option; I don't want to assign the security admin role unless really necessary. Any thoughts on what could be happening? Thanks!
- Jonhed (Iron Contributor): Are you using the MDE RBAC in your environment?
If so, read-only roles are no longer valid for MDE, so you will need to give him a role in MDE as well.
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/rbac?view=o365-worldwide
Also check if device groups have security groups assigned for user access.
If a device group has security groups assigned, only users that are part of these security groups will be able to see those devices.
- Jonhed (Iron Contributor):
Actually, if you do not have the RBAC enabled, my understanding is that reader roles should work.
Though, after having an additional look at the docs below, security reader might be the only role that works.
You mentioned giving global reader, so maybe try to assign security reader as well?
If this does not work, I would raise an SR with microsoft to check if RBAC (or the lack of) can be the reason.
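The two checks described in the replies above (an MDE RBAC role when RBAC is enabled, then security-group membership for each device group) can be walked through as a small visibility model. This is an added example, not code from the thread or from Microsoft: the tenant, device names, group names and the MDE role name "MDE-Viewer" are constructed, and treating a device group with no security group assigned as visible to anyone who passes the role gate is an assumption the thread does not state.

```python
from dataclasses import dataclass, field

# Entra ID directory roles the thread treats as Defender portal read-only roles.
READ_ROLES = {"Security Reader", "Global Reader"}


@dataclass
class Tenant:
    mde_rbac_enabled: bool
    # Device group name -> Entra security groups granted access to it.
    # An empty set means no security group is assigned; this model assumes
    # (assumption, not stated in the thread) such a group is visible to any
    # user who passes the role gate.
    device_groups: dict[str, set[str]]
    # Device name -> device group it belongs to.
    device_membership: dict[str, str]


@dataclass
class User:
    name: str
    entra_roles: set[str] = field(default_factory=set)
    mde_roles: set[str] = field(default_factory=set)  # roles from the MDE RBAC model
    security_groups: set[str] = field(default_factory=set)


def portal_read_gate(tenant: Tenant, user: User) -> tuple[bool, str]:
    """Gate 1: can the user open the device inventory at all?"""
    if tenant.mde_rbac_enabled:
        if user.mde_roles:
            return True, "MDE RBAC is enabled and the user holds an MDE role"
        return False, ("MDE RBAC is enabled; Entra read-only roles alone do not grant "
                       "access, assign the user a role in the MDE RBAC model")
    if user.entra_roles & READ_ROLES:
        return True, "MDE RBAC is not enabled and the user holds a read-only Entra role"
    return False, "the user holds no Entra role that grants read access to the portal"


def visible_devices(tenant: Tenant, user: User) -> set[str]:
    """Gate 2: of the devices in the tenant, which ones does this user see?"""
    allowed, _ = portal_read_gate(tenant, user)
    if not allowed:
        return set()
    seen = set()
    for device, group in tenant.device_membership.items():
        assigned = tenant.device_groups.get(group, set())
        # Restricted group: user must be in at least one assigned security group.
        if not assigned or assigned & user.security_groups:
            seen.add(device)
    return seen


def diagnose(tenant: Tenant, user: User) -> list[str]:
    """Return the checks an admin would walk through, in the order the thread suggests."""
    notes = []
    allowed, reason = portal_read_gate(tenant, user)
    notes.append(f"role gate: {'pass' if allowed else 'FAIL'} ({reason})")
    if not allowed:
        return notes
    for group, assigned in tenant.device_groups.items():
        if assigned and not (assigned & user.security_groups):
            notes.append(f"device group '{group}' is restricted to {sorted(assigned)}; "
                         f"{user.name} is in none of them, so its devices are hidden")
    seen = visible_devices(tenant, user)
    notes.append(f"visible devices: {len(seen)} of {len(tenant.device_membership)}")
    return notes


# Constructed sample tenant and user, not data from the thread.
SAMPLE_TENANT = Tenant(
    mde_rbac_enabled=True,
    device_groups={"Servers": {"SG-ServerOps"}, "Workstations": set()},
    device_membership={"srv01": "Servers", "srv02": "Servers", "wks01": "Workstations"},
)
MANAGER = User(name="manager", entra_roles={"Security Reader", "Global Reader"})

if __name__ == "__main__":
    # Same situation as the original post: both read-only Entra roles, RBAC on.
    for line in diagnose(SAMPLE_TENANT, MANAGER):
        print(line)
    # After assigning a (constructed) MDE role the unrestricted group becomes visible,
    # the restricted one stays hidden until the user joins SG-ServerOps.
    fixed = User(name="manager", entra_roles=MANAGER.entra_roles, mde_roles={"MDE-Viewer"})
    for line in diagnose(SAMPLE_TENANT, fixed):
        print(line)
```

Running the block reproduces the situation in the original post (role gate fails with both read-only Entra roles while RBAC is on) and then shows that an MDE role alone still hides the devices in a group restricted to a security group the user is not in, which is the second check to make before escalating to security admin.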
- Kris_Deb_e2e (Iron Contributor): I've seen it already in some tenants. What license have you got, and have you ever migrated or downgraded/upgraded your MDE plan, for example from MDE Plan 2 to Defender for Business?
- glujan72 (Copper Contributor):
Kris_Deb_e2e Thanks for the reply. I am not sure what MDE plan we have; looking at our licensing, it only shows MDE for endpoint server, and we have an MS365 E5 license which includes MS365 Defender. I am more of an O365 admin dealing mainly with Intune, Exchange and AAD.