Check: MSDE-00-000300
Microsoft Defender for Endpoint STIG:
MSDE-00-000300
(in version v1 r0.1)
Title
Roles for use with Microsoft Defender Endpoint (MDE) must be configured within Entra ID. (Cat II impact)
Discussion
Application management functionality includes functions necessary for administration and requires privileged user access. Allowing nonprivileged users to access application management functionality capabilities increases the risk that nonprivileged users may obtain elevated privileges. Using role-based access control (RBAC), roles and groups can be created within the security operations team to grant appropriate access to the MDE portal. Based on the roles and groups created, the capability will exist to have fine-grained control over what users with access to the portal can view and do. Creation of Entra ID roles is a prerequisite to configuring RBAC within the MDE portal itself. Defender for Endpoint RBAC is designed to support a role-based model and provides granular control over what roles can view, devices they can access, and actions they can take. The RBAC framework is centered around the following controls:
- Control who can take specific action.
- Create custom roles and control what Defender for Endpoint capabilities they can access with granularity.
- Control who can view information on specific device group or groups.
Satisfies: SRG-APP-000211, SRG-APP-000267
Check Content
Access the Azure Entra ID portal as a Global Admin or other role with the ability to create/assign roles.
1. Select Manage >> Roles and administrators. Click on the "Security Administrator" role.
2. Under "Active assignments", ensure one or more authorizing official (AO)-approved users are assigned to this role. This role is a top-level administrator within MDE.
Note: A custom defined, AO-approved role may be created and used in lieu of the built-in Security Administrator role.
If one or more AO-approved users have not been assigned to the Security Administrator (or equivalent AO-approved) role, this is a finding.
1. Return to the Entra ID portal home and select Manage >> Groups. Click the number next to "Total Groups".
2. Ensure one or more custom roles have been defined as subordinate roles for MDE administration. The structure of various subordinate groups is to be defined by the AO.
3. Click on each of these groups and ensure one or more users have been assigned.
If one or more subordinate groups do not exist, this is a finding.
If one or more users do not exist in these subordinate groups, this is a finding.
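The same two checks can be scripted against Microsoft Graph so they can be repeated on a schedule. This is an added example, not part of the STIG; it assumes the Microsoft.Graph PowerShell module, that the AO-approved users are listed in $ApprovedAdmins (placeholder values), and that the AO-defined subordinate groups share a naming prefix held in $MdeGroupPrefix (an assumption; adjust to the AO's naming scheme).

```powershell
# Added example: automated evidence gathering for MSDE-00-000300 (not part of the STIG).
# Assumptions: Microsoft.Graph module installed; $ApprovedAdmins holds AO-approved UPNs (placeholders);
# subordinate MDE administration groups start with $MdeGroupPrefix (naming is an assumption).
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Group.Read.All", "User.Read.All"

$ApprovedAdmins = @("secadmin1@contoso.example", "secadmin2@contoso.example")  # placeholder list
$MdeGroupPrefix = "MDE-"                                                        # assumed prefix
$findings = @()

# Check 1: the Security Administrator role has at least one AO-approved active member.
# Get-MgDirectoryRole only returns roles that have been activated in the tenant, so filter client-side.
$role = Get-MgDirectoryRole -All | Where-Object { $_.DisplayName -eq 'Security Administrator' }
if (-not $role) {
    $findings += "Security Administrator role has never been activated; no users are assigned."
} else {
    # Members come back as directoryObjects; users carry userPrincipalName in AdditionalProperties.
    $upns = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
        Where-Object { $_ }
    $approved = $upns | Where-Object { $ApprovedAdmins -contains $_ }
    if (-not $approved) {
        $findings += "No AO-approved user is actively assigned to Security Administrator."
    }
    # Not a finding per the check text, but worth surfacing for AO review.
    $upns | Where-Object { $ApprovedAdmins -notcontains $_ } |
        ForEach-Object { Write-Output "REVIEW: Security Administrator not on approved list: $_" }
}

# Check 2: at least one subordinate MDE administration group exists and each has members.
$groups = Get-MgGroup -Filter "startswith(displayName,'$MdeGroupPrefix')" -All
if (-not $groups) {
    $findings += "No subordinate MDE administration groups found (prefix '$MdeGroupPrefix')."
}
foreach ($g in $groups) {
    $memberCount = (Get-MgGroupMember -GroupId $g.Id -All | Measure-Object).Count
    if ($memberCount -eq 0) {
        $findings += "Subordinate group '$($g.DisplayName)' has no members."
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
} else {
    Write-Output "MSDE-00-000300: not a finding (role and subordinate group checks passed)."
}
```

The script does not evaluate a custom AO-approved role used in lieu of Security Administrator; if one is in use, substitute its display name in the Where-Object filter.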
Fix Text
Access the Azure Entra ID portal as a Global Admin or other role with the ability to create/assign roles and users/groups.
1. Select Manage >> Roles and administrators.
2. Click on the "Security Administrator" role, then click "+Add assignments".
3. Under "Select Member(s)", add AO-approved users for this role. This role is a top-level administrator within MDE.
Note: A custom defined, AO-approved role may be created and used in lieu of the built-in "Security Administrator" role.
4. Return to the Entra ID portal home and select Manage >> Groups. Click "New group".
5. Define at least one sub-level group for MDE administration as defined by the AO, and assign user(s) to these groups.
Additional Identifiers
Rule ID: SV-272886r1085737_rule
Vulnerability ID: V-272886
Group Title: SRG-APP-000211
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001082 | Separate user functionality, including user interface services, from system management functionality. |
CCI-001314 | Reveal error messages only to organization-defined personnel or roles. |