
Device Groups not working as expected


Hello,

Added tags to some of our onboarded devices and created a device group to collect them together, all good.  Created a role in endpoints\Roles and assigned it to the device group and an AAD group.  Added a user to the AAD group and got them to log in expecting them to only see the devices in the Device Group, but alas no, they can see all of the devices in the inventory still, not as expected!!  Am I doing something wrong or are my expectations that the documentation isn't actually telling the true story coming to fruition??

TIA

Rob

12 Replies
@rob_wood_8894 make sure that the user is not a part of the "MDE administrator" group, and the user is also not a part of the AAD "Global administrator" or "Security Administrator" group. For more info:
Manage portal access using role-based access control
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/rbac?view=o365-worldwide
Thanks,
Yong Rhee - MSFT
They aren't in any group or role apart from an AAD security group that is assigned to the device group. If I remove them from the AAD group they cannot see any devices in the inventory.
@rob_wood_8894, when you go to Permissions-> Endpoints -> Roles, do you see: "Start using roles?
Role-based access control provides granular options for regulating permissions to portal features and data.


Users with read-only permissions will lose access to the portal until they are assigned one of the new roles through their Azure AD groups.

Users with admin permissions are automatically assigned the Microsoft Defender for Endpoint administrator role with full permissions.

Turn on roles"

or something else?

Thanks,
Yong Rhee - MSFT

@Yong Rhee I've followed all of the steps in the Microsoft docs. So I have enabled roles and created a role to be assigned to the Device group, as per the docs.  I have created an AAD security group and assigned it to the Device group, as per the docs.  The device group has two endpoints as per the tagging.  When the user is not a member of the group they cannot see any endpoints in the portal.  When they are added to the AAD group they can see all of the endpoints in the portal.  I was expecting that they should be able to see the two endpoints that are in the device group, as per the docs.

@rob_wood_8894, RE: "they can see all of the devices in the inventory still, not as expected!!", if the end-user is a part of the AAD "Global administrator" or "Security Administrator" group, this is expected and by design. Now, if your end-user account is not a part of these groups, please open a Microsoft CSS support ticket for further investigation.
They are not in any admin groups, I'll raise a ticket.

@Yong Rhee


I suspect that this is the issue.  When you create a role to use in endpoint the default permission is 'Read Data'.  You cannot remove this permission.


OK, I now have the answer!
Every Device group you create has to have an assigned AAD group (for RBAC) including the Unassigned DG
Every AAD group has to be assigned to an MDE created Role
The AAD group can have zero members, e.g. when used with the Unassigned DG so no-one apart from Admins can see the inventory.

Thanks @rob_wood_8894. It works.

@Fhaddad81 

Good morning!


I came across this thread this morning. Thank you for raising this up to Microsoft. I am experiencing the exact same issue you described above and was hoping you could detail what you did to remediate the access issue. Seems my user is still seeing the entire inventory, so it appears I'm a step or two away from the resolution.


Thanks in advance for your time and assistance.


@tgo21 


Hello,


Every device group should be assigned a user group (AZ group), even the default one (ungrouped devices), so the User group column on the device groups page should not be empty.


Best Regards

Fadi
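The rules Rob and Fadi arrive at above (every device group, including the ungrouped/unassigned one, needs an AAD group in its User group column; every such AAD group must be assigned to an MDE role; the AAD group may have zero members) can be turned into a quick configuration lint. The script below is an added example written for this thread, not code from Microsoft or from anyone in the discussion. It audits a hand-built model of the Device groups and Roles pages rather than calling any Microsoft API; the group name "Ungrouped devices", the AAD group names and the role names are constructed values, and the ungrouped-group name in particular is an assumption about how the built-in group is labelled in your tenant.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Assumed label of the built-in device group that catches devices no other
# group matched (the "Unassigned DG" / "ungrouped devices" in the thread).
UNGROUPED = "Ungrouped devices"


@dataclass
class DeviceGroup:
    """One row of the Device groups page: the group and the AAD group in its 'User group' column."""
    name: str
    user_group: Optional[str]  # None models an empty 'User group' column


@dataclass
class MdeRole:
    """An MDE role (Permissions > Endpoints > Roles) and the AAD groups assigned to it."""
    name: str
    aad_groups: Set[str] = field(default_factory=set)


def audit_device_group_rbac(device_groups: List[DeviceGroup], roles: List[MdeRole]) -> List[str]:
    """Return a list of findings; an empty list means the three rules from the thread hold."""
    findings: List[str] = []
    groups_with_roles = {g for role in roles for g in role.aad_groups}

    # Rule 1: the ungrouped/unassigned device group must be present so it can be covered too.
    if not any(dg.name == UNGROUPED for dg in device_groups):
        findings.append(f"'{UNGROUPED}' device group is missing from the export")

    for dg in device_groups:
        # Rule 1 (cont.): every device group, including the ungrouped one, has an AAD group assigned.
        if not dg.user_group:
            findings.append(f"device group '{dg.name}' has an empty 'User group' column")
            continue
        # Rule 2: the assigned AAD group must itself be assigned to an MDE role.
        if dg.user_group not in groups_with_roles:
            findings.append(
                f"AAD group '{dg.user_group}' (device group '{dg.name}') is not assigned to any MDE role"
            )
    # Rule 3 needs no check: an AAD group with zero members is valid and is the way to
    # keep the ungrouped devices visible to admins only.
    return findings


# Constructed sample data (not from the thread): the misconfiguration Rob and Glenn describe,
# next to the corrected version.
ROLES = [
    MdeRole("Server viewers", {"MDE-Servers-Viewers"}),
    MdeRole("Ungrouped lockdown", {"MDE-Ungrouped-NoMembers"}),
]

BROKEN_GROUPS = [
    DeviceGroup("Servers", "MDE-Servers-Viewers"),
    DeviceGroup(UNGROUPED, None),  # empty 'User group' column on the ungrouped device group
]

FIXED_GROUPS = [
    DeviceGroup("Servers", "MDE-Servers-Viewers"),
    DeviceGroup(UNGROUPED, "MDE-Ungrouped-NoMembers"),  # zero-member AAD group, assigned to a role
]

if __name__ == "__main__":
    for label, groups in (("broken", BROKEN_GROUPS), ("fixed", FIXED_GROUPS)):
        print(label, audit_device_group_rbac(groups, ROLES) or ["ok"])
```

Feed it the rows you read off the Device groups and Roles pages; a non-empty list points at the row to fix, and the BROKEN_GROUPS sample reproduces the exact gap (an empty User group column on the ungrouped device group) that left the scoped user seeing the whole inventory in this thread.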


@Fhaddad81 thank you so much! Ensuring the user group column is not blank solved my issue. I've been working with Microsoft on this for over 3 months. Thank you for solving our problem.

Have a great day!


Glenn