Forum Discussion

esanya2280
Copper Contributor
Jul 09, 2025
Solved

Unable to view certain defender alerts

Hi Team, we are unable to view certain Defender alerts from the Defender portal. We are able to pull alerts using the Graph API and from the output -> using alertWebUrl we tried to view the alert. We obser...
    The Root Cause: Device Group RBAC

    Microsoft Defender XDR allows administrators to create Device Groups and then assign user roles to those specific groups. This is a powerful feature for large organizations where you might want to restrict security analysts to only view and manage devices in their specific business unit, geographical location, or department.

    Here's the logic:

    1. Alerts are Tied to Devices: Every alert in Defender XDR is associated with one or more devices.
    2. Access to an Alert Depends on Access to the Device: If you do not have permission to view the device(s) associated with an alert, the Defender portal will block you from viewing the alert's details, even if you have a direct link.
    3. The Error Message: The portal generates the "You can't access this section" error because your user account is not part of a role that has been granted access to the Device Group containing the device in that specific alert.

    The reason you can see other XDR alerts is that those alerts are associated with devices that fall into a Device Group you do have access to (or devices that are not in any restricted group, which fall under a default access level).

    How to Verify and Fix This

    You will need to work with a Global Administrator or a Security Administrator in your organization who has full permissions in the Microsoft Defender portal. They can check and modify the RBAC settings.

    Here are the steps for your administrator to follow:

    Step 1: Identify the Device Group for the Inaccessible Alert

    1. Since you can't see the alert in the portal, you need to use the Graph API data you already have.
    2. In the JSON output for the inaccessible alert, find the deviceDnsName or deviceId of the device associated with the alert.
    3. Ask your administrator to go to the Defender portal.
    4. Navigate to Settings > Endpoints > Permissions > Device Groups.
    5. The administrator needs to review the list of Device Groups. Each group is defined by rules (e.g., based on device name, tag, or OS). They need to check which group the problematic device belongs to. For example, a group might be defined for all devices tagged "Finance" or with names starting with "CORP-".

    Step 2: Check the Roles Assigned to that Device Group

    1. Once the administrator identifies the Device Group, they should click on it to see its details.
    2. Inside the Device Group's settings, there is a section that shows which Azure AD user groups are assigned to it.
    3. The administrator will likely find that the Azure AD group your user account belongs to is not on the list for that specific Device Group. This is the confirmation of the root cause.

    Step 3: Grant the Necessary Permissions

    The administrator has two main options to fix this:

    • Option A (Recommended): Add Your User Group to the Existing Device Group
      • The administrator can edit the Device Group and add the appropriate Azure AD user group (the one your account is in) to the list of roles with access. This grants you and your team permission to view alerts and details for all devices in that group.
    • Option B: Move the Device to a Different Group
      • If the device is incorrectly categorized, the administrator can change the device's properties (e.g., its tags) so that it moves into a different Device Group that you already have access to. This is more of a data correction task.
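One way to do the device lookup of Step 1 from the Graph API output in code, as an added example that is not part of the thread: it reads alert JSON, pulls the device evidence out of each alert, applies Device Group rules of the kind the answer describes (name prefix, tag, OS) and flags alerts whose devices land in a group the analyst cannot access. The alert records, device tags, group rules and accessible groups are all constructed sample values; the evidence shape follows the Graph `alerts_v2` `deviceEvidence` type, and the rule that one inaccessible device blocks the whole alert is an assumption drawn from the answer.

```python
import json
# Constructed Graph API alert output (two alerts; real alerts_v2 records carry many more fields).
ALERTS_JSON = """[
 {"id": "da1", "title": "Suspicious PowerShell", "alertWebUrl": "https://security.microsoft.com/alerts/da1",
  "evidence": [{"@odata.type": "#microsoft.graph.security.deviceEvidence",
                "deviceDnsName": "corp-fin-01.contoso.local", "osPlatform": "Windows11"}]},
 {"id": "da2", "title": "Malware detected", "alertWebUrl": "https://security.microsoft.com/alerts/da2",
  "evidence": [{"@odata.type": "#microsoft.graph.security.deviceEvidence",
                "deviceDnsName": "lab-07.contoso.local", "osPlatform": "Linux"}]}
]"""

# Constructed device inventory: tags live on the device record, not in the alert.
DEVICE_TAGS = {"corp-fin-01.contoso.local": ["Finance"], "lab-07.contoso.local": []}

# Constructed Device Group rules (name / tag / OS, as in the portal), evaluated top to bottom.
DEVICE_GROUP_RULES = [
    ("Finance", lambda name, tags, os_: "Finance" in tags),
    ("Corporate", lambda name, tags, os_: name.upper().startswith("CORP-")),
    ("Linux servers", lambda name, tags, os_: os_.lower().startswith("linux")),
]
DEFAULT_GROUP = "Ungrouped devices"  # devices that match no rule

def device_group_for(name, tags, os_platform):
    """Return the first Device Group whose rule matches the device, else the default group."""
    for group, rule in DEVICE_GROUP_RULES:
        if rule(name, tags, os_platform):
            return group
    return DEFAULT_GROUP

def alert_devices(alert):
    """Device evidence of one alert as (deviceDnsName, osPlatform) pairs."""
    return [(e.get("deviceDnsName", ""), e.get("osPlatform", ""))
            for e in alert.get("evidence", [])
            if e.get("@odata.type") == "#microsoft.graph.security.deviceEvidence"]

def triage(alerts, accessible_groups):
    """Map each alert to its devices' groups; flag alerts the analyst cannot open."""
    report = []
    for alert in alerts:
        groups = {device_group_for(name, DEVICE_TAGS.get(name, []), os_)
                  for name, os_ in alert_devices(alert)}
        # Assumption: the portal needs access to every device, so one foreign group blocks the alert.
        report.append({"id": alert["id"], "alertWebUrl": alert["alertWebUrl"],
                       "device_groups": sorted(groups),
                       "blocked": bool(groups - set(accessible_groups))})
    return report

if __name__ == "__main__":
    for row in triage(json.loads(ALERTS_JSON), {"Finance", "Ungrouped devices"}):
        print(row)  # da2 is blocked: its device lands in "Linux servers"
```

The `device_groups` column of a blocked row is what the administrator needs for Step 2: the group whose role assignments must include the analyst's user group.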
