Use basic permissions to access the portal
Applies to:
- Microsoft Entra ID
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
Want to experience Defender for Endpoint? Sign up for a free trial.
Refer to the instructions below to use basic permissions management.
You can use either of the following solutions:
- Microsoft Graph PowerShell
- Azure portal
For granular control over permissions, switch to role-based access control.
Assign user access using Microsoft Graph PowerShell
You can assign users with one of the following levels of permissions:
- Full access (Read and Write)
- Read-only access
Before you begin
Install Microsoft Graph PowerShell. For more information, see, How to install Microsoft Graph PowerShell.
Note
You need to run the PowerShell cmdlets in an elevated command-line.
Connect to your Microsoft Entra ID. For more information, see Connect-MgGraph.
Full access: Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package. Assigning full access rights requires adding the users to the "Security Administrator" or "Global Administrator" Microsoft Entra built-in roles.
Read-only access: Users with read-only access can log in, view all alerts, and related information.
They will not be able to change alert states, submit files for deep analysis or perform any state changing operations.
Assigning read-only access rights requires adding the users to the "Security Reader" Microsoft Entra built-in role.
Use the following steps to assign security roles:
For read and write access, assign users to the security administrator role by using the following command:
$Role = Get-MgDirectoryRole -Filter "DisplayName eq 'Security Administrator'" $UserId = (Get-MgUser -UserId "secadmin@Contoso.onmicrosoft.com").Id $DirObject = @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$UserId" } New-MgDirectoryRoleMemberByRef -DirectoryRoleId $Role.Id -BodyParameter $DirObjectFor read-only access, assign users to the security reader role by using the following command:
$Role = Get-MgDirectoryRole -Filter "DisplayName eq 'Security Reader'" $UserId = (Get-MgUser -UserId "reader@Contoso.onmicrosoft.com").Id $DirObject = @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$UserId" } New-MgDirectoryRoleMemberByRef -DirectoryRoleId $Role.Id -BodyParameter $DirObject
For more information, see Add or remove group members using Microsoft Entra ID.
Assign user access using the Azure portal
For more information, see Assign administrator and non-administrator roles to users with Microsoft Entra ID.
Related topic
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for