Assign Roles
Implementation Effort: Medium – Role assignment requires coordination between security and identity teams to ensure appropriate access is granted across subscriptions and resource groups.
User Impact: Low – This is an administrative task; end users are not directly affected unless their access is changed.
Overview
Assigning roles in Microsoft Defender for Cloud is essential for enforcing access control and ensuring that users, groups, and services have the appropriate permissions to perform their tasks. Defender for Cloud uses Azure Role-Based Access Control (RBAC) to manage access at the subscription, resource group, or resource level. Built-in roles such as Owner, Contributor, and Reader are supplemented by Defender-specific roles like Security Reader and Security Admin.
- Security Reader: View-only access to recommendations, alerts, and policies.
- Security Admin: Can modify security policies, dismiss alerts, and apply recommendations.
- Contributor/Owner: Can take full action on resources, including enabling Defender plans and configuring monitoring components.
Roles should be assigned using the least privilege principle, ensuring users only have the permissions necessary to perform their duties. This supports the Zero Trust principle of "Use Least Privilege Access", reducing the risk of unauthorized changes or lateral movement in case of a breach.