Mar 25 2022 03:56 AM
I'm reviewing an existing setup of M365 Defender and I would like confirmation of my understanding with regard to roles & permissions to access the portal and view the blades/sections. I do find this confusing as the portal doesn't seem to follow the "normal" AAD role model and the experience is further complicated with regard to the one-time setting for Endpoint section to Turn on roles.
| AAD Role | Endpoint Roles Enablement | Experience |
|---|---|---|
| None - standard user | Not Turned On | Access the portal but with limited visibility. Permission & roles |
| Security Reader Role assigned in AAD | Not Turned On | Access to virtually all of the portal but limited to viewing |
| Security Reader Role assigned in AAD | Turned On | Access to the portal but loss of access to much of the data, especially in the Endpoint area |
I'm aware of the article - Manage access to Microsoft 365 Defender data in the Microsoft 365 Defender portal | Microsoft Docs - which states that the following AAD roles have a level of access:
Another article describes a method for Endpoint which now also appears applicable for M365 Defender - Use role-based access control to grant fine-grained access to Microsoft 365 Defender portal | Micros...
So to summarise: if you want to follow a least-privilege model and provide view-only access to the M365 Defender portal, then, if Endpoint Roles have not been turned on, you can use the Security Reader AAD role. Once you turn on Endpoint Roles you need to create a custom role - don't use the custom role, it is far too encompassing.
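As an added example (not from the post above), the least-privilege check described in the summary can be audited with the Microsoft Graph PowerShell module: list who holds the AAD Security Reader role alongside the broader security roles, so that anyone who only needs view-only portal access is confirmed to sit on Security Reader rather than on Security Administrator or Global Administrator. It assumes the Microsoft.Graph module is installed and that you can consent to the RoleManagement.Read.Directory and Directory.Read.All scopes; the role names are the built-in AAD display names.

```powershell
# Added audit example; assumes Microsoft.Graph PowerShell and the scopes below.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# View-only access to the Defender portal needs only Security Reader (while Endpoint
# roles are not turned on); the other two grant far more than viewing.
$rolesToAudit = @("Security Reader", "Security Administrator", "Global Administrator")

$assignments = foreach ($roleName in $rolesToAudit) {
    # Built-in directory roles are only listed once activated in the tenant.
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
    if (-not $role) { Write-Warning "Role '$roleName' is not activated in this tenant"; continue }

    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object {
        [pscustomobject]@{
            Role              = $roleName
            UserPrincipalName = $_.AdditionalProperties['userPrincipalName']
            DisplayName       = $_.AdditionalProperties['displayName']
            ObjectType        = $_.AdditionalProperties['@odata.type']
        }
    }
}

# Per-principal view: anyone holding Security Administrator or Global Administrator
# who only needs to view the portal is a least-privilege finding.
$assignments |
    Group-Object UserPrincipalName |
    ForEach-Object {
        [pscustomobject]@{
            UserPrincipalName = $_.Name
            Roles             = ($_.Group.Role | Sort-Object -Unique) -join ", "
            ViewOnlyCandidate = ($_.Group.Role -notcontains "Security Administrator") -and
                                ($_.Group.Role -notcontains "Global Administrator")
        }
    } | Sort-Object ViewOnlyCandidate, UserPrincipalName | Format-Table -AutoSize
```

Rows with ViewOnlyCandidate set to False are the accounts to review against the summary above; service principals and groups appear with their @odata.type so they can be followed up separately.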