I'm reviewing an existing setup of M365 Defender and I would like confirmation of my understanding with regard to roles & permissions to access the portal and view the blades/sections. I do find this confusing as the portal doesn't seem to follow the "normal" AAD role model and the experience is further complicated with regard to the one-time setting for Endpoint section to Turn on roles.
| AAD Role | Endpoint Roles Enablement | Experience |
|---|---|---|
| None - standard user | Not Turned On | Access the portal but with limited visibility: Email & Collaboration, Policies & rules, Permission & roles |
| Security Reader Role assigned in AAD | Not Turned On | Access to virtually all of the portal but limited to viewing |
| Security Reader Role assigned in AAD | Turned On | Access to the portal but loss of access to much of the data, especially in the Endpoint area |
I'm aware of the article - Manage access to Microsoft 365 Defender data in the Microsoft 365 Defender portal | Microsoft Docs
Which states that the following AAD roles have a level of access:
- Global administrator
- Security administrator
- Security Operator
- Global Reader
- Security Reader (least privilege for accessing M365 Defender portal and viewing data)
Another article describes a method for Endpoint which now also appears applicable for M365 Defender - Use role-based access control to grant fine-grained access to Microsoft 365 Defender portal | Micros...
So to summarise: if you want to follow a least privilege model and provide view-only access to the M365 Defender portal, then if Endpoint Roles have not been turned on you can use the Security Reader AAD Role. Once you turn on Endpoint roles you need to create a custom role - don't use the custom role; it is far too encompassing.
- Create a new AAD Role Group (one-time option at group creation) [Optional - but recommended]
- Assign the new AAD Role Group to the AAD Role Security Reader (in PIM either eligible or active)
- In M365 Defender as a Global Admin create a new role under "Permission & roles", leave the defaults on the General Tab as-is, only view data capabilities are checked
- On the Assigned user groups, add the AAD Role Group created in step 1
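Steps 1 and 2 above (the role-assignable AAD group and its Security Reader assignment) can be scripted with the Microsoft Graph PowerShell SDK. The following is an added example, not code from the original post or from Microsoft; it assumes the Microsoft.Graph modules are installed, that the signed-in account may manage role-assignable groups and directory role assignments, and it uses a made-up group name. It creates an active assignment; a PIM-eligible assignment (the alternative mentioned in step 2) uses a different Graph API and is not covered here. Steps 3 and 4 (the custom role under "Permission & roles") are portal actions and are left as described above.

```powershell
# Added example: create a role-assignable group and give it the Security Reader directory role.
# Requires Microsoft.Graph.Groups and Microsoft.Graph.Identity.Governance modules.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'RoleManagement.ReadWrite.Directory'

$groupName = 'SEC-Defender-ViewOnly'            # assumed name, change to suit
$mailNick  = 'sec-defender-viewonly'            # assumed mail nickname

# Step 1: the group must be created as role-assignable; IsAssignableToRole cannot be
# changed later, which is the "one-time option at group creation" noted above.
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName `
                         -MailNickname $mailNick `
                         -MailEnabled:$false `
                         -SecurityEnabled `
                         -IsAssignableToRole
}

# Step 2: resolve the Security Reader role definition by display name rather than
# hard-coding its template id, then create the assignment only if it does not exist.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Security Reader'"

$existing = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($group.Id)' and roleDefinitionId eq '$($roleDef.Id)'"
if (-not $existing) {
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $group.Id `
                                                -RoleDefinitionId $roleDef.Id `
                                                -DirectoryScopeId '/'
}

# Check: list every directory role currently held by the group, so you can confirm
# it holds Security Reader and nothing broader before adding it to the Defender role.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($group.Id)'" |
    ForEach-Object {
        (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId).DisplayName
    }
```

The final check is the part worth keeping in a review: it shows exactly which AAD roles the group carries, which is what determines the portal experience in the table above once the group is later added under "Assigned user groups" in the Defender custom role.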