Granular RBAC permissions for endpoint security workloads
Published Jun 20 2024 04:00 PM

By: Laura Arrizza – Sr Product Manager | Microsoft Intune


The built-in role ‘Endpoint Security Manager’ is used to manage policies and features within the Endpoint security blade of the Microsoft Intune admin center. Alternatively, admin actions can be limited by using a custom role with the ‘Security baselines’ permission.


With Intune’s June (2406) release, we’ll begin adding new permissions for each endpoint security workload to allow for additional granularity and control. The ‘Security baselines’ permission previously covered all security policies; it will now cover only the security workloads that do not have their own permission.

New granular permissions

In the first iteration, granular permissions are now available with 2406 for the following security workloads:

  • Endpoint detection and response
  • App Control for Business
  • Attack surface reduction


The remaining security workloads will continue to be governed by the existing ‘Security baselines’ permission until they’re made available as granular controls in a future release.


Admins can take advantage of these changes by creating a new Intune role via 'Tenant administration' with the appropriate access rights. An example of this can be found below:

[Screenshot: the new Attack surface reduction permission in a custom Intune role.]


The behavior of these rights mirrors that of the ‘Security baselines’ permission; the main difference is that each new permission applies only to the security policies within its own security workload.


Existing RBAC roles

There’s no change in functionality for built-in roles that contain the ‘Security baselines’ permission. This includes ‘Endpoint Security Manager’, ‘Read Only Operator’, and ‘Help Desk Operator’.


If you’re using custom RBAC roles with the ‘Security baselines’ permission, the new permissions will automatically be assigned to ensure your admins continue to have the same access they have today. For example, if an admin has been assigned a custom role with the ‘Security baselines/Read’ permission, that role would now include the new permissions, such as ‘Attack surface reduction/Read’. The ‘Security baselines/Read’ permission would still apply to viewing Security baselines, Antivirus, Disk encryption, Firewall, and Account protection policies.


Considerations

The granular permissions at the security workload level will continue to have the same permission structure as ‘Security baselines’ does today. This includes management of the security policies within those workloads. Those policies may contain settings that overlap with other policy types (such as Security baseline policies or settings catalog policies), and those other policy types remain governed by their own, separate RBAC permissions.


Specifically, for the Attack surface reduction security workload, a subset of security policies will continue to be covered by the existing ‘Security baselines’ permission rather than the new ‘Attack surface reduction’ permission. The following templates continue to be covered by the existing ‘Security baselines’ permission:

  • Windows App and browser isolation
  • Windows Web protection
  • Windows Application control
  • Windows Exploit protection
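As an added example (not Microsoft’s code and not part of the original post), the following Python encodes the rules stated above so a custom role can be checked offline before it is created: the automatic widening of existing custom roles that hold ‘Security baselines/<action>’ (the Existing RBAC roles section), and the Attack surface reduction templates that stay under ‘Security baselines’ (the list just above). The workload and template names are the ones the post lists; the ‘<area>/<action>’ string form, the action names, and the template argument are assumptions for illustration.

```python
"""Model of the Intune 2406 endpoint security RBAC split (added example).

Not Microsoft's code. Permission strings use the '<area>/<action>' form the
post uses ('Security baselines/Read'); action names are constructed.
"""
from typing import Iterable, Optional

# Workloads that received their own permission in 2406 (from the post).
GRANULAR_WORKLOADS = frozenset({
    "Endpoint detection and response",
    "App Control for Business",
    "Attack surface reduction",
})

# Workloads still governed by 'Security baselines' (from the post).
BASELINE_WORKLOADS = frozenset({
    "Security baselines",
    "Antivirus",
    "Disk encryption",
    "Firewall",
    "Account protection",
})

# Attack surface reduction templates that stay under 'Security baselines'.
ASR_BASELINE_TEMPLATES = frozenset({
    "Windows App and browser isolation",
    "Windows Web protection",
    "Windows Application control",
    "Windows Exploit protection",
})

LEGACY_AREA = "Security baselines"


def governing_permission(workload: str, template: Optional[str] = None) -> str:
    """Return the permission area that governs a policy in this workload.

    The template only matters for Attack surface reduction, where the four
    listed templates remain under 'Security baselines'.
    """
    if workload == "Attack surface reduction" and template in ASR_BASELINE_TEMPLATES:
        return LEGACY_AREA
    if workload in GRANULAR_WORKLOADS:
        return workload
    if workload in BASELINE_WORKLOADS:
        return LEGACY_AREA
    raise ValueError(f"unknown endpoint security workload: {workload!r}")


def expand_legacy_role(permissions: set) -> set:
    """Apply the automatic migration the post describes to an existing role.

    Each 'Security baselines/<action>' entry also grants '<workload>/<action>'
    for every workload that gained its own permission.
    """
    expanded = set(permissions)
    for entry in permissions:
        area, _, action = entry.partition("/")
        if area == LEGACY_AREA and action:
            expanded.update(f"{w}/{action}" for w in GRANULAR_WORKLOADS)
    return expanded


def is_allowed(permissions: set, action: str, workload: str,
               template: Optional[str] = None) -> bool:
    """Decide whether a role permits an action on one policy."""
    return f"{governing_permission(workload, template)}/{action}" in permissions


def minimal_permissions(policies: Iterable, actions: Iterable) -> set:
    """Smallest permission set covering the given (workload, template) policies.

    This is the least-privilege role an admin can now build instead of
    granting 'Security baselines' for everything.
    """
    actions = list(actions)
    return {f"{governing_permission(w, t)}/{a}" for (w, t) in policies for a in actions}


def overgranted_workloads(permissions: set, intended: Iterable) -> set:
    """Workloads the role reaches beyond those the admin is meant to manage.

    Needing 'Security baselines' for one of the ASR templates above also
    reaches every workload still governed by that permission.
    """
    reachable = set()
    for entry in permissions:
        area = entry.partition("/")[0]
        if area == LEGACY_AREA:
            reachable |= BASELINE_WORKLOADS
        elif area in GRANULAR_WORKLOADS:
            reachable.add(area)
    return reachable - set(intended)


if __name__ == "__main__":
    # Constructed scenario: an admin who should only manage ASR policies.
    wanted = [("Attack surface reduction", None),
              ("Attack surface reduction", "Windows Exploit protection")]
    role = minimal_permissions(wanted, ["Read", "Update"])
    print("minimal role:", sorted(role))
    print("also reaches:", sorted(overgranted_workloads(role, ["Attack surface reduction"])))
```

Running the script shows the caveat from the Considerations section in concrete terms: as soon as the admin’s scope includes one of the four listed templates, the minimal role needs ‘Security baselines’, and that single permission also reaches Antivirus, Disk encryption, Firewall, Account protection and Security baselines policies.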


The same permission changes will apply to the Microsoft Defender portal for security policy management.


If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam. Stay tuned to What’s new in Intune for the release of additional endpoint security permissions.
