Forum Discussion
Device Groups not working as expected
MicrosoftRole-based access control provides granular options for regulating permissions to portal features and data.
î
Users with read-only permissions will lose access to the portal until they are assigned one of the new roles through their Azure AD groups.
Users with admin permissions are automatically assigned the Microsoft Defender for Endpoint administrator role with full permissions.
Turn on roles"
or something else?
Thanks,
Yong Rhee - MSFT
yongrheemsft I've followed all of the steps in the microsoft docs. So i have enabled roles and created a role to be assigned to the Device group, as per the docs. I have created an AAD security group and assigned it to the Device group, as per the docs. The device group has two endpoints as per the tagging. When the user is not a member of the group they cannot see any endpoints in the portal. When they are added to the AAD group they can see all of the endpoints in the portal. I was expecting that they should be able to see the two endpoints that are in the device group, as per the docs.
- yongrheemsftrob_wood_8894, RE: "they can see all of the devices in the inventory still, not as expected!!", if the end-user is a part AAD "Global administrator" or "Security Administrator" group, this is expected and by design. Now, if your end-user account is not a part of these groups, please open a Microsoft CSS support ticket for further investigation.
- They are not in any admin groups, i'll raise a ticket
I suspect that this is the issue. When you create a role to use in endpoint the default permission is 'Read Data'. You cannot remove this permission.