Privileged Identity Management(PIM) and Defender RBAC
Where did my Defender Device Inventory Go?
Recently Microsoft changed some of the defaults in the Microsoft Defender Dashboard, so that by default the Device Inventory is visible only to the Security Administrator and Global Administrator roles.
Defender for Endpoint supports two ways to manage permissions:
Basic permissions management: Set permissions to either full access or read-only. Users with Global Administrator or Security Administrator roles in Azure Active Directory have full access. The Security reader role has read-only access and does not grant access to view machines/device inventory.
Role-based access control (RBAC): Set granular permissions by defining roles, assigning Azure AD user groups to the roles, and granting the user groups access to device groups. For more information, see Manage portal access using role-based access control. The Defender for Endpoint device view requires the Global Admin or Security Admin role to view with the new RBAC model.
From Prepare Microsoft Defender for Endpoint deployment
Now if you want to view everything with the Security Reader role, you also need to create a Defender 365 RBAC role and assign the read-only rights to the new role.
This solves the visibility problem, but if, like me, you’re using Privileged Identity Management to provide Just-In-Time access to administrative roles, you’ll find you have a new problem. RBAC Roles cannot be made eligible with PIM, which brings us further away from zero standing access.
I’m all in on PIM, so let’s find a workaround…
Solution: use the PIM groups feature and assign the RBAC role to the PIM group.
- Create an Azure AD Role Assignable Group (max 200 per tenant). Do not assign a directory role to this group.
- Create a Defender RBAC role with the desired settings (the example here grants read-only access). Navigate to Permissions in the Defender Dashboard, and select Roles under Microsoft 365 Defender if you’re using unified role-based access control, or under Endpoints roles & groups if you’re not. I have unified role-based access control enabled, so I’m going with that.
- Then select Create Custom Role.
- Give it a name and description.
- Set the appropriate permissions (in our case all Read Only).
- Create an Assignment Name and assign it to the group, then review and finish!
- Go back to the group in Entra and assign eligible members to the group.
- Test!
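To make the first and last steps repeatable and auditable, here is an added example (my code, not from the original post): it builds the Microsoft Graph v1.0 request body that makes a user eligible for the role-assignable group, and checks that the group carries no permanent members, which is the zero standing access the post is after. It runs offline on constructed sample data; the field names (assignmentType, isAssignableToRole) follow the Graph privilegedAccessGroupAssignmentSchedule and group resources and are assumptions to confirm against your tenant.

```python
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0"  # endpoint prefix, for reference only


def eligibility_request(group_id: str, principal_id: str, justification: str) -> dict:
    """Body for POST {GRAPH}/identityGovernance/privilegedAccess/group/eligibilityScheduleRequests.
    Eligible, not active, membership with no end date: the user still has to activate in PIM."""
    return {
        "accessId": "member",
        "principalId": principal_id,
        "groupId": group_id,
        "action": "adminAssign",
        "justification": justification,
        "scheduleInfo": {
            "startDateTime": datetime.now(timezone.utc).isoformat(),
            "expiration": {"type": "noExpiration"},
        },
    }


def standing_members(members: list, assignment_schedules: list) -> list:
    """Ids of direct group members whose membership is not a PIM activation.
    A PIM activation appears as an assignment schedule with assignmentType 'activated'
    (assumed field name); any listed member without one holds standing access."""
    activated = {s["principalId"] for s in assignment_schedules
                 if s.get("assignmentType") == "activated"}
    return sorted(m["id"] for m in members if m["id"] not in activated)


def audit(group: dict, members: list, assignment_schedules: list) -> list:
    """Findings against the zero-standing-access goal: the group must be role-assignable
    and must carry no permanent members."""
    findings = []
    if not group.get("isAssignableToRole"):
        findings.append("group is not role-assignable")
    for uid in standing_members(members, assignment_schedules):
        findings.append(f"{uid} is a permanent member (standing access)")
    return findings


# Constructed sample data standing in for GET /groups/{id}, GET /groups/{id}/members and
# GET /identityGovernance/privilegedAccess/group/assignmentSchedules?$filter=groupId eq '{id}'
SAMPLE_GROUP = {"id": "00000000-0000-0000-0000-000000000001", "isAssignableToRole": True}
SAMPLE_MEMBERS = [{"id": "user-alice"}, {"id": "user-bob"}]
SAMPLE_SCHEDULES = [{"principalId": "user-alice", "assignmentType": "activated",
                     "memberType": "direct"}]

if __name__ == "__main__":
    print(eligibility_request(SAMPLE_GROUP["id"], "user-alice", "Defender read-only via PIM group"))
    print(audit(SAMPLE_GROUP, SAMPLE_MEMBERS, SAMPLE_SCHEDULES))  # bob is flagged
```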
Limitations
As Defender RBAC wasn’t set up with this in mind, sometimes you need to log out after role activation and log back in before your view in Defender will update. (Sometimes even multiple times…)
Acknowledgements
I’d be remiss if I didn’t point out that I’m not the first one to think of using PIM Groups in this way. As Jan Ketil Skanke pointed out in his blog entry Bring Azure AD PIM and Intune Roles together, this can also be used for Intune RBAC.