Defender for Endpoint permission for part of Devices


An automation should be able to flag all Windows 10 machines in Defender for Endpoint (only some selected ones should be flagged, depending on "things").

As it is an automation, we use app registration for permission management.


I gave the permission Machine.ReadWrite.All - This works, but I could also flag other machines. So the question is, how can I restrict permissions to Windows 10 machines?


It seems to be possible with device groups - but it also seems that device groups are not intended for that.


Any suggestions / ideas?


thanks in advance!

3 Replies

Hi @Patrick Wahlmüller 

According to the docs here (M365 Defender - List Machines API) you should be able to pull the osPlatform alongside any attributes you may be using to filter in your automations.


Perhaps you could use this initial "list machines" request to create a set of the Device IDs that meet your constraints and then run the rest of your automation on each device in the resulting set? Or something like that.
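The approach described in this reply, as an added example that is not part of the thread: the script pre-filters with the List Machines API, re-checks osPlatform locally, and keeps an allow-list that every write (tagging via the machine tags endpoint) is checked against, since the app registration itself still holds Machine.ReadWrite.All. The sample machine records, the `post` callable and the "Windows10" osPlatform value are assumptions made for this example.

```python
# Added example: script-side allow-list for a Defender for Endpoint automation.
# The permission model cannot scope Machine.ReadWrite.All to a subset of devices,
# so the automation enforces its own scope before any write is issued.
import urllib.parse

API_BASE = "https://api.securitycenter.microsoft.com/api"  # Defender for Endpoint API host

# Constructed sample of the shape returned by GET /api/machines (fields trimmed).
SAMPLE_MACHINES = [
    {"id": "m-001", "computerDnsName": "ws01.corp.example", "osPlatform": "Windows10", "machineTags": []},
    {"id": "m-002", "computerDnsName": "srv01.corp.example", "osPlatform": "WindowsServer2019", "machineTags": []},
    {"id": "m-003", "computerDnsName": "ws02.corp.example", "osPlatform": "Windows10", "machineTags": ["Flagged"]},
    {"id": "m-004", "computerDnsName": "ws03.corp.example", "osPlatform": "Windows11", "machineTags": []},
]


def list_machines_url(os_platform: str) -> str:
    """Build the List Machines request so the service pre-filters on osPlatform."""
    query = urllib.parse.urlencode({"$filter": f"osPlatform eq '{os_platform}'"})
    return f"{API_BASE}/machines?{query}"


def allowed_device_ids(machines, os_platform="Windows10", predicate=lambda m: True):
    """Re-check osPlatform locally (do not rely on the server-side filter alone) and
    apply whatever extra 'things' decide which devices qualify. Returns the allow-list."""
    return {m["id"] for m in machines if m["osPlatform"] == os_platform and predicate(m)}


def tag_machine(post, machine_id: str, allowed: set, tag: str = "Flagged"):
    """Add a tag via POST /api/machines/{id}/tags, but only for allow-listed devices.
    `post(url, body)` is an injected callable (hypothetical wrapper around an HTTP
    client) so the write path can be exercised without network access."""
    if machine_id not in allowed:
        raise PermissionError(f"{machine_id} is outside the automation's allow-list")
    return post(f"{API_BASE}/machines/{machine_id}/tags", {"Value": tag, "Action": "Add"})


def flag_untagged(post, machines, allowed, tag="Flagged"):
    """Tag every allow-listed device that does not already carry the tag; returns ids touched."""
    touched = []
    for m in machines:
        if m["id"] in allowed and tag not in m["machineTags"]:
            tag_machine(post, m["id"], allowed, tag)
            touched.append(m["id"])
    return touched
```

Because every write goes through `tag_machine`, a bug in the selection logic raises instead of silently tagging a server or a Windows 11 device.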





Hi @DylanInfosec ,
Thanks - and yes, you can do that in the script.
I wanted to know if I can give permission to the app registration so that there is only the permission to change allowed machines.
I think this is not possible.

I see. Yeah, that'd be interesting, almost like a per-object access.
TBH the coffee isn't brewed yet but thinking out loud. Could you create an identity just for this task that has access to only a specific Device Group that contains the desired devices? Then for the automation use this identity with delegated access?