Microsoft Defender for Endpoint – Permission Model (Part 3)
About this part
In the previous section, we reviewed the basic configuration options for Microsoft Defender for Endpoint. In this section, we will examine permission management approaches, demonstrating how administrators and Security Operations Center team members can access the Microsoft Defender for Endpoint service.
Introduction
Access control is one of the most important components of any security solution. When configuring access, it is recommended to apply the principle of least privilege, which ensures that each user is granted only the permissions necessary to perform their tasks.
Microsoft Defender for Endpoint is no exception. The solution supports two different permission management models:
- Microsoft Entra ID Permission model (Built-in and Custom roles)
- Defender XDR Role-based access control
By default, Microsoft Defender XDR, including the Microsoft Defender for Endpoint service, uses Microsoft Entra ID roles to manage access. If needed, this model can be switched later to Defender XDR’s own RBAC solution.
Microsoft Entra ID Roles
As mentioned earlier, Microsoft Defender for Endpoint uses Microsoft Entra ID roles by default to manage access. These can be built-in or custom roles.
The most important built-in roles for Defender for Endpoint are as follows:
| Microsoft Entra ID role | Permission in Defender for Endpoint |
| --- | --- |
| Global Administrator | Full access |
| Security Administrator | Full access |
| Global Reader | Read-only access |
| Security Reader | Read-only access |
The roles listed above automatically inherit the necessary permissions in Microsoft Defender for Endpoint, thereby providing access to the service without requiring any additional configuration.
Microsoft Defender RBAC
Now that we’ve reviewed Microsoft Entra ID-based access management, let’s take a look at the Microsoft Defender XDR RBAC model as well.
security.microsoft.com –> System –> Settings –> Microsoft Defender XDR –> Permission and roles

The transition to the RBAC model can be enabled from the portal with a single action. Unlike Microsoft Entra ID roles, there are no predefined Defender for Endpoint roles here, so you must create custom roles in every case.
security.microsoft.com –> System –> Permissions –> Microsoft Defender XDR Roles

Within this section, you can create your first custom permission using Role –> Custom Role. The process is as follows:
Enter a name for the permission you want to create

In the “Permissions” section, select the required permissions


For Microsoft Defender for Endpoint and Vulnerability Management, the following permissions are available:
| Defender for Endpoint and Defender Vulnerability Management permission | Microsoft Defender unified RBAC permission |
| --- | --- |
| View data – Security operations | Security operations \ Security data \ Security data basics (read) |
| View data – Defender Vulnerability Management | Security posture \ Posture management \ Vulnerability management (read) |
| Alerts investigation | Security operations \ Security data \ Alerts (manage) |
| Active remediation actions – Security operations | Security operations \ Security data \ Response (manage) |
| Active remediation actions – Defender Vulnerability Management – Exception handling | Security posture \ Posture management \ Exception handling (manage) |
| Active remediation actions – Defender Vulnerability Management – Remediation handling | Security posture \ Posture management \ Remediation handling (manage) |
| Active remediation actions – Defender Vulnerability Management – Application handling | Security posture \ Posture management \ Application handling (manage) |
| Defender Vulnerability Management – Manage security baselines assessment profiles | Security posture \ Posture management \ Security baselines assessment (manage) |
| Live response capabilities | Security operations \ Basic live response (manage) |
| Live response capabilities – advanced | Security operations \ Advanced live response (manage); Security operations \ Security data \ File collection (manage) |
| Manage security settings in the Security Center | Authorization and settings \ Security settings \ Core security settings (manage); Authorization and settings \ Security settings \ Detection tuning (manage) |
| Manage portal system settings | Authorization and settings \ System settings (read and manage) |
| Manage endpoint security settings in Microsoft Intune | Not supported – this permission is managed in the Microsoft Intune admin center |
For more information, click on the following link: https://learn.microsoft.com/en-us/defender-xdr/compare-rbac-roles
Finally, select the predefined group, or specify the appropriate individuals and choose which product the authorization should apply to.
Note: It is recommended to assign permissions to Microsoft Entra ID groups rather than to individual users. This ensures simpler operations, greater transparency, and easier permission management in the long run.

Which model should you choose?
Microsoft Entra ID-based access management enables a simpler setup but offers more limited customization. Defender XDR RBAC, on the other hand, offers finely granular access control that better suits the needs of larger or more complex security organizations. It is particularly advantageous in environments where the organization has multiple SOC teams, differing areas of responsibility, or security teams operating in different geographic regions.
Based on my own experience, I recommend using Defender XDR RBAC in environments where detailed access control and the consistent application of the principle of least privilege are important. The RBAC model provides greater flexibility and allows different roles to be granted only the permissions necessary for their specific tasks.
If the goal is to implement the principle of least privilege as precisely as possible, Defender XDR RBAC is generally the better choice. It allows you to precisely define which functions and data individual SOC analysts, incident responders, or security administrators can access.
Permissions – Device Groups
Device Groups are one of the most important components of the Microsoft Defender for Endpoint RBAC model, as they are used to define device-level scopes. In larger environments, they play a critical role in operational segmentation.
Key benefits:
- RBAC management: Device Groups allow different SOC teams to manage only the set of devices relevant to them. This significantly improves the separation of responsibilities and reduces the risk of erroneous interventions.
- Scoping for policies and settings: Policies can be targeted at device groups, for example:
  - Web Content Filtering
  - Indicator rules
  - Endpoint security policies
- Automation level configuration: Groups can be used to fine-tune the level of automated responses, allowing different environments to be managed with varying levels of automation.
- Filtering in the Defender portal: Device Groups provide filtering options on the Microsoft Defender portal. For example, in the Threat & Vulnerability Management view, you can display only the recommendations for a specific group.
- Defender for Cloud Apps integration: Device Groups can also be used to create scoped policies in the Microsoft Defender for Cloud Apps environment.
- SOC / SIEM visibility: Grouping provides greater clarity for both SOC and SIEM systems. This makes it easy to quickly determine whether an incident occurred, for example, on a domain controller, an SQL server, a kiosk computer, or a virtual desktop infrastructure.
Device Groups can be used to define which device groups individual users or roles can access, and what actions they can perform within those groups. This ensures that SOC teams work only within the environments relevant to them and cannot view or modify devices belonging to other organizational units.
Note: When setting up Device Groups, it is recommended to use logical grouping, for example:
- Business unit (e.g., Finance, HR, IT)
- Geographic location (e.g., EMEA, APAC, US)
- Environment (e.g., Production, Test, Development)
- Criticality (e.g., high-value assets)
Separate RBAC rules can be assigned to each Device Group, allowing for fine-grained control over who can access the devices in question and at what level (read, remediation, live response, etc.).
You can create a Device Group as follows:
security.microsoft.com –> System –> Settings –> Endpoints –> Device Groups

Device Group Membership and Rules
Membership in Device Groups is determined by attribute-based rules, such as:
- Device Name
- Domain
- Operating System
- Device tags
Device tags are particularly flexible because they can be configured from multiple sources:
- PowerShell
- API
- Intune
- Registry
- Manual settings
- Logic Apps
Rules can be combined using logical operators (e.g., AND). Example:
- The device name begins with “NL”
- AND the operating system is Windows 10 or Windows 11
Group Assignment and Priority
A device can be a member of only one Device Group. If it meets the criteria for more than one group, it is always assigned to the group with the highest priority.
Devices that do not meet the criteria for any rule are automatically placed in the “Ungrouped devices” group.
User Access and Scope
Device Groups can be used for further scope filtering through roles. This allows, for example, a SOC team in a specific region to view and manage only the devices belonging to their own region.
It is important to note that Device Groups must first be assigned to a role before they can be used to fine-tune user access.

Asset rule management
Microsoft Defender for Endpoint supports the Asset Rule Management feature, which enables automated asset classification.
Settings –> Endpoints –> Asset rule management
Rules can be based on the following attributes:
- Device Name
- Domain
- Operating System
- Internet-facing status
- Onboarding status
- Device tags
Based on these rules, devices can be automatically tagged, which can later be used to create Device Groups. This provides a significant operational advantage, especially in large environments.
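To make the two mechanisms described above concrete (Device Group rules combined with AND and resolved by priority, with unmatched devices falling into “Ungrouped devices”; and Asset Rule Management tagging devices that Device Group rules can then match on), here is an added example that models that evaluation in Python. It is not code from the article or from Microsoft; the rule representation, the `rank` field (lower number = higher priority) and the sample inventory are assumptions constructed for illustration only, and the real portal evaluates rules server-side.

```python
"""Added example (not from the original article): a small model of how
Defender for Endpoint resolves Device Group membership.

Assumptions made here (the article does not state implementation details):
- a rule is a list of conditions that must ALL hold (logical AND);
- each Device Group has an integer rank; lower rank = higher priority;
- a device that matches no group lands in "Ungrouped devices";
- asset rules run first and only ADD tags, so tags can later be matched
  by Device Group rules.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

UNGROUPED = "Ungrouped devices"


@dataclass
class Device:
    name: str
    domain: str
    os: str
    internet_facing: bool = False
    tags: set = field(default_factory=set)   # manual tags, registry, Intune, asset rules, ...


# A condition is a predicate over a device; a rule ANDs all of its conditions.
Condition = Callable[[Device], bool]


def name_starts_with(prefix: str) -> Condition:
    return lambda d: d.name.upper().startswith(prefix.upper())


def domain_is(domain: str) -> Condition:
    return lambda d: d.domain.lower() == domain.lower()


def os_in(*names: str) -> Condition:
    allowed = {n.lower() for n in names}
    return lambda d: d.os.lower() in allowed


def has_tag(tag: str) -> Condition:
    return lambda d: tag in d.tags


def is_internet_facing() -> Condition:
    return lambda d: d.internet_facing


def rule_matches(conditions: List[Condition], device: Device) -> bool:
    """All conditions must hold (AND). An empty rule matches nothing."""
    return bool(conditions) and all(c(device) for c in conditions)


@dataclass
class AssetRule:
    tag: str                    # tag to apply when the rule matches
    conditions: List[Condition]


@dataclass
class DeviceGroup:
    name: str
    rank: int                   # 1 = highest priority
    conditions: List[Condition]


def apply_asset_rules(rules: List[AssetRule], devices: List[Device]) -> None:
    """Asset Rule Management step: tag every device whose attributes match."""
    for d in devices:
        for r in rules:
            if rule_matches(r.conditions, d):
                d.tags.add(r.tag)


def assign_group(groups: List[DeviceGroup], device: Device) -> str:
    """A device belongs to exactly one group: the highest-priority match."""
    for g in sorted(groups, key=lambda g: g.rank):
        if rule_matches(g.conditions, device):
            return g.name
    return UNGROUPED


def assign_all(asset_rules: List[AssetRule], groups: List[DeviceGroup],
               devices: List[Device]) -> Dict[str, str]:
    apply_asset_rules(asset_rules, devices)
    return {d.name: assign_group(groups, d) for d in devices}


# Constructed sample inventory (hypothetical names, not real hosts).
SAMPLE_DEVICES = [
    Device("NL-WS01", "corp.example", "Windows 11"),
    Device("NL-WS02", "corp.example", "Windows 7"),            # name matches, OS does not
    Device("DE-WEB01", "corp.example", "Windows Server 2022", internet_facing=True),
    Device("DE-ERP01", "corp.example", "Windows Server 2022", internet_facing=True,
           tags={"high-value"}),                                 # manually tagged
]

SAMPLE_ASSET_RULES = [
    AssetRule("internet-facing", [is_internet_facing()]),
]

SAMPLE_GROUPS = [
    DeviceGroup("High-value assets", 1, [has_tag("high-value")]),
    DeviceGroup("Internet-facing servers", 2,
                [has_tag("internet-facing"), os_in("Windows Server 2022")]),
    DeviceGroup("NL workstations", 3,
                [name_starts_with("NL"), os_in("Windows 10", "Windows 11")]),
]

if __name__ == "__main__":
    for device, group in assign_all(SAMPLE_ASSET_RULES, SAMPLE_GROUPS, SAMPLE_DEVICES).items():
        print(f"{device:10} -> {group}")
```

Two details worth noticing when running it: `NL-WS02` ends up in “Ungrouped devices” because the AND rule fails on the operating system even though the name prefix matches, and `DE-ERP01` matches both the internet-facing rule and the high-value rule but lands only in “High-value assets”, the higher-priority group. That is exactly why group ordering matters when the groups also carry different RBAC assignments or automation levels.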

Summary
The Microsoft Defender for Endpoint permission architecture is designed to support both simplicity and enterprise-grade granularity. Entra ID roles offer a fast and standardized access model, while Defender XDR RBAC enables precise control aligned with least-privilege principles and modern SOC operating models.
When combined with Device Groups and Asset Rule Management, the solution provides a scalable framework for device segmentation, operational clarity, and consistent security governance across large environments.