Microsoft Defender for Endpoint (MDE) must be configured for a least privilege model by implementing Unified Role-Based Access Control (RBAC).

Severity: medium
Group ID: V-272887
Group Title: SRG-APP-000211
Version: MSDE-00-000350
Rule ID: SV-272887r1156554_rule
Date: 2025-11-25
STIG Version: 1
Description
When first accessing the Microsoft Defender portal, either full access or read-only access is granted. Full access rights are granted to users with the Security Administrator (or equivalent) role in Microsoft Entra ID. Read-only access is granted to users with a Security Reader (or equivalent) role in Microsoft Entra ID.

The permission tiers available to assign to custom roles are as follows:

View data:
- Security Operations: View all security operations data in the portal.
- Defender Vulnerability Management: View Defender Vulnerability Management data in the portal.

Active remediation actions:
- Security Operations: Take response actions, approve or dismiss pending remediation actions, manage allowed/blocked lists for automation and indicators.
- Defender Vulnerability Management - Exception handling: Create new exceptions and manage active exceptions.
- Defender Vulnerability Management - Remediation handling: Submit new remediation requests, create tickets, and manage existing remediation activities.
- Defender Vulnerability Management - Application handling: Apply immediate mitigation actions by blocking vulnerable applications as part of the remediation activity, manage the blocked apps, and perform unblock actions.

Security baselines:
- Defender Vulnerability Management - Manage security baselines assessment profiles: Create and manage profiles so users can assess whether devices comply with security industry baselines.

Alerts investigation:
- Manage alerts, initiate automated investigations, run scans, collect investigation packages, manage device tags, and download only portable executable (PE) files.

Manage portal system settings:
- Configure storage settings, SIEM, and threat intel API settings (applies globally), advanced settings, automated file uploads, roles, and device groups.

Satisfies: SRG-APP-000211, SRG-APP-000267
ℹ️ Check
Access the MDE portal as a user with at least an MDE Administrator or equivalent role:

1. In the navigation pane, select Settings >> Microsoft Defender XDR >> Permissions and Roles.
2. For each defined role:
   - Click the role to enter the edit role screen.
   - Verify the Permissions are configured as defined by the authorizing official (AO).
   - Verify the appropriate user groups are assigned as defined by the AO.
   - Click "Cancel".

If Settings >> Microsoft Defender XDR >> Permissions and Roles does not display roles as defined by the AO, this is a finding.

When selecting each role individually, if the permissions and user groups are not as defined by the AO, this is a finding.
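The check above is a manual, role-by-role comparison against the AO's definitions. The following script is an added example (not part of the STIG and not Microsoft code) that automates the same comparison offline: it takes an AO-approved baseline of role names, permission tiers and Entra ID groups, and a list of roles as they exist in the tenant, and reports every deviation the check text treats as a finding (a role the AO did not define, an AO-defined role that is absent, a permission mismatch, or a group mismatch). The role export format, the permission labels, the group names and the `AO_BASELINE` contents are all constructed for illustration; adapt the loader to however you export roles from your tenant.

```python
"""Compare MDE Unified RBAC roles against an AO-approved baseline (illustrative check)."""
from dataclasses import dataclass

# AO-approved baseline (constructed): role name -> allowed permission tiers and Entra ID groups.
AO_BASELINE = {
    "SOC Tier 1": {
        "permissions": {"View data - Security operations", "Alerts investigation"},
        "groups": {"sg-mde-soc-tier1"},
    },
    "Vuln Mgmt Analyst": {
        "permissions": {
            "View data - Defender Vulnerability Management",
            "Active remediation actions - DVM exception handling",
        },
        "groups": {"sg-mde-tvm"},
    },
}

# Constructed sample of roles as exported from the tenant; three of them drift from the baseline.
TENANT_ROLES = [
    {
        "name": "SOC Tier 1",
        "permissions": [
            "View data - Security operations",
            "Alerts investigation",
            "Manage portal system settings",  # drift: permission the AO did not approve
        ],
        "groups": ["sg-mde-soc-tier1"],
    },
    {
        "name": "Vuln Mgmt Analyst",
        "permissions": [
            "View data - Defender Vulnerability Management",
            "Active remediation actions - DVM exception handling",
        ],
        "groups": ["sg-mde-tvm", "sg-all-staff"],  # drift: group the AO did not approve
    },
    {
        "name": "Legacy Admins",  # drift: role not defined by the AO at all
        "permissions": ["Manage portal system settings"],
        "groups": ["sg-old-admins"],
    },
]


@dataclass(frozen=True)
class Finding:
    role: str
    kind: str  # "unapproved_role", "missing_role", "permissions" or "groups"
    detail: str


def _diff(actual, approved):
    """Describe set drift as extra/missing members, sorted for stable output."""
    return f"extra={sorted(actual - approved)} missing={sorted(approved - actual)}"


def check_roles(baseline, tenant_roles):
    """Return the list of findings; an empty list means the roles match the AO baseline."""
    findings = []
    seen = set()
    for role in tenant_roles:
        name = role["name"]
        seen.add(name)
        approved = baseline.get(name)
        if approved is None:
            findings.append(Finding(name, "unapproved_role", "role not defined by the AO"))
            continue
        perms = set(role["permissions"])
        if perms != approved["permissions"]:
            findings.append(Finding(name, "permissions", _diff(perms, approved["permissions"])))
        groups = set(role["groups"])
        if groups != approved["groups"]:
            findings.append(Finding(name, "groups", _diff(groups, approved["groups"])))
    # Roles the AO defined but the tenant no longer has are also a deviation from the baseline.
    for name in sorted(baseline.keys() - seen):
        findings.append(Finding(name, "missing_role", "AO-defined role not present in tenant"))
    return findings


def is_finding(baseline, tenant_roles):
    """True when the check text would record a finding for this tenant."""
    return bool(check_roles(baseline, tenant_roles))


if __name__ == "__main__":
    for f in check_roles(AO_BASELINE, TENANT_ROLES):
        print(f"FINDING [{f.kind}] {f.role}: {f.detail}")
```

Run it against a fresh export after every role change, or on a schedule, so drift from the AO-approved model is caught between manual STIG reviews; the set comparison flags both added and removed permissions or groups, since either direction can break the least-privilege model.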
✔️ Fix
Access the MDE portal as a user with at least an MDE Administrator or equivalent role:

1. In the navigation pane, select Settings >> Microsoft Defender XDR >> Permissions and Roles.
2. Select "+Add role".
3. Enter a Role Name, select "Permissions" as defined by the AO, and then click "Next".
4. Select the appropriate group as defined in MSDE-00-000300.