Forum Discussion
glujan72
Jul 20, 2023 Copper Contributor
role needed to view devices inventory in Defender
Hello, I'm a global admin for my organization and was recently asked to provide read-only access to a manager in Defender. He is mainly interested in viewing the devices inventory in the security...
Jonhed
Jul 24, 2023 Steel Contributor
Are you using the MDE RBAC in your environment?
If so, read-only roles are no longer valid for MDE, so you will need to give him a role in MDE as well.
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/rbac?view=o365-worldwide
Also check if device groups have security groups assigned for user access.
If a device group has a security group assigned, only users that are part of these security groups will be able to see those devices.
- glujan72 Jul 27, 2023 Copper Contributor
Jonhed Thanks for the reply. I verified, and we do not have RBAC activated, so that must be the reason security reader no longer grants that ability. I will have to discuss it with our security team if we want to enable it.
- Jonhed Jul 27, 2023 Steel Contributor
Actually, if you do not have the RBAC enabled, my understanding is that reader roles should work.
Though, after having an additional look at the docs below, security reader might be the only role that works.
You mentioned giving global reader, so maybe try to assign security reader as well?
If this does not work, I would raise an SR with Microsoft to check if RBAC (or the lack of it) can be the reason.