I'm reviewing an existing setup of M365 Defender and I would like confirmation of my understanding with regard to roles & permissions to access the portal and view the blades/sections. I do find this confusing as the portal doesn't seem to follow the "normal" AAD role model and the experience is further complicated with regard to the one-time setting for Endpoint section to Turn on roles.

I'm aware of the article - Manage access to Microsoft 365 Defender data in the Microsoft 365 Defender portal | Microsoft Docs
Which states that the following AAD roles have a level of access:

• Global administrator
• Security administrator
• Security Operator
• Global Reader
• Security Reader (least privilege for accessing M365 Defender portal and viewing data)

Another article describes a method for Endpoint which now also appears applicable for M365 Defender - Use role-based access control to grant fine-grained access to Microsoft 365 Defender portal | Micros...

So to summarise. If you want to follow a least privilege model and provide view-only only access to M365 Defender portal then if Endpoint Roles have not been turned on you can use Security Reader AAD Role. Once you turn on Endpoint roles then you need to create a custom role - don't use the custom role it is fair too encompassing.

1. Create a new AAD Role Group (one-time option at group creation) [Optional - but recommended]
2. Assign the new AAD Role Group to the AAD Role Security Reader (in PIM either eligible or active)
3. In M365 Defender as a Global Admin create a new role under "Permission & roles", leave the defaults on the General Tab as-is, only view data capabilities are checked
4. On the Assigned user groups, add the AAD Role Group created in step 1