Microsoft Endpoint Manager – Defender connector permission

If you are using role-based access control (RBAC) in your Microsoft Endpoint Manager or Intune environment then you may be creating custom roles. I was asked recently about the permission required to view the Defender for Endpoint connector as setting what was seemingly the obvious option didn’t do the trick.

If we look in the Endpoint Manager admin center under Tenant Administration > Roles then select the role you want to check or change.

The most obvious permission that you would select – and you still should – is Microsoft Defender ATP (Read).
For clarity, Defender for Endpoint used to be called Defender ATP but Microsoft didn’t update all the user interfaces to reflect that.

However, this permission on its own does not give you the read access you might expect.

You also need to add Mobile Threat Defense (Read).

Together, those two permissions give you the read-only access you require. You will see that you can still toggle the values of settings, but you are not able to save them because Save and Discard are greyed out.

Also, for your peace of mind, you might notice that the Delete button is actually enabled, but I tested it so you don’t have to. If you click the button it results in two error messages: one says you don’t have permission, and one gives you a request ID that you can supply in a ticket with Microsoft.

I will also point out that if you make the permission change, it seems to take about 15 minutes or so to show the change in the console. In my case I didn’t need to re-authenticate either.
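As an added audit example (not the author's script and not Microsoft's), the Microsoft Graph PowerShell snippet below lists custom Intune roles that hold only one of the two read permissions described above, so the "looks right but cannot open the connector" case can be spotted before a user reports it. The wildcard action patterns, the `Microsoft.Intune_MicrosoftDefenderATP_Read` / `Microsoft.Intune_MobileThreatDefense_Read` action names they stand in for, and the property layout of the `Get-MgDeviceManagementRoleDefinition` output are assumptions to confirm against your tenant.

```powershell
# Added example, not from the original post. Assumes the Microsoft Graph PowerShell SDK
# is installed and that role permissions expose AllowedResourceActions strings such as
# 'Microsoft.Intune_MicrosoftDefenderATP_Read' (assumed exact names; matched by wildcard).
Connect-MgGraph -Scopes 'DeviceManagementRBAC.Read.All'

# Both permissions are needed to read the Defender for Endpoint connector.
$required = @{
    'Microsoft Defender ATP (Read)' = '*MicrosoftDefenderATP*Read'
    'Mobile Threat Defense (Read)'  = '*MobileThreatDefense*Read'
}

# Only custom roles are of interest; built-in roles cannot be edited anyway.
$customRoles = Get-MgDeviceManagementRoleDefinition -All | Where-Object { -not $_.IsBuiltIn }

foreach ($role in $customRoles) {
    # Flatten every allowed action across all permission sets in the role.
    $allowed = @($role.RolePermissions |
        ForEach-Object { $_.ResourceActions } |
        ForEach-Object { $_.AllowedResourceActions })

    $missing = foreach ($name in $required.Keys) {
        if (-not ($allowed | Where-Object { $_ -like $required[$name] })) { $name }
    }

    # Report any custom role that lacks one or both of the required read permissions.
    if ($missing) {
        [pscustomobject]@{
            Role    = $role.DisplayName
            Missing = ($missing -join ', ')
        }
    }
}
```

A role that appears with only "Mobile Threat Defense (Read)" listed as missing is exactly the case the post describes: the Defender ATP permission is set, yet the connector is still not readable.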

Hopefully that helps someone at some point.

/Peter
