STIGhub
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-272887

CAT II (Medium)

Microsoft Defender for Endpoint (MDE) must be configured for a least privilege model by implementing Unified Role-Based Access Control (RBAC).

Rule ID

SV-272887r1156554_rule

STIG

Microsoft Defender for Endpoint Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-001082, CCI-001314

Discussion

When first accessing the Microsoft Defender portal, either full access or read-only access is granted. Full access rights are granted to users with the Security Administrator (or equivalent) role in Microsoft Entra ID. Read-only access is granted to users with a Security Reader (or equivalent) role in Microsoft Entra ID.

The permission tiers available to assign to custom roles are as follows:

View data:
- Security Operations - View all security operations data in the portal.
- Defender Vulnerability Management - View Defender Vulnerability Management data in the portal.

Active remediation actions:
- Security Operations - Take response actions, approve or dismiss pending remediation actions, manage allowed/blocked lists for automation and indicators.
- Defender Vulnerability Management - Exception handling - Create new exceptions and manage active exceptions.
- Defender Vulnerability Management - Remediation handling - Submit new remediation requests, create tickets, and manage existing remediation activities.
- Defender Vulnerability Management - Application handling - Apply immediate mitigation actions by blocking vulnerable applications as part of the remediation activity, manage the blocked apps, and perform unblock actions.

Security baselines:
- Defender Vulnerability Management - Manage security baselines assessment profiles - Create and manage profiles so users can assess whether devices comply with security industry baselines.

Alerts investigation:
- Manage alerts, initiate automated investigations, run scans, collect investigation packages, manage device tags, and download only portable executable (PE) files.

Manage portal system settings:
- Configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles, and device groups.

Satisfies: SRG-APP-000211, SRG-APP-000267

Check Content

Access the MDE portal as a user with at least an MDE Administrator or equivalent role:

1. In the navigation pane, select Settings >> Microsoft Defender XDR >> Permissions and Roles.
2. For each defined role:
- Click the role to enter the edit role screen.
- Verify the Permissions are configured as defined by the authorizing official (AO).
- Verify the appropriate user groups are assigned as defined by the AO.
- Click "Cancel".

If Settings >> Microsoft Defender XDR >> Permissions and Roles does not display roles as defined by the AO, this is a finding.

When selecting each role individually, if the permissions and user groups are not as defined by the AO, this is a finding.
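The check above is a manual, role-by-role comparison against what the authorizing official approved. The following script is an added example, not part of the STIG or of any Microsoft tooling: it encodes that comparison so the same verdict (finding or no finding) can be produced repeatably. The permission names mirror the tiers listed in the Discussion; the role records, the AO baseline, and the group names are constructed for illustration, and the field layout is an assumption rather than a Microsoft schema (an assessor would populate it from the Permissions and Roles page or an export).

```python
"""Audit Microsoft Defender XDR custom roles against an AO-approved baseline.

Added example (not part of the STIG). Role records are constructed to resemble
what an assessor reads under Settings >> Microsoft Defender XDR >> Permissions
and Roles; the field names are assumptions, not a Microsoft schema.
"""
from dataclasses import dataclass

# One token per permission tier named in the STIG discussion.
ALL_PERMISSIONS = frozenset({
    "view_security_operations",
    "view_vulnerability_management",
    "remediate_security_operations",
    "vm_exception_handling",
    "vm_remediation_handling",
    "vm_application_handling",
    "manage_security_baselines",
    "alerts_investigation",
    "manage_portal_system_settings",
})


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset
    groups: frozenset  # Entra ID groups assigned to the role


# AO-defined baseline (constructed). Only the admin role may touch portal settings.
AO_BASELINE = {
    "SOC Analyst": Role("SOC Analyst",
                        frozenset({"view_security_operations", "alerts_investigation"}),
                        frozenset({"sg-soc-analysts"})),
    "VM Operator": Role("VM Operator",
                        frozenset({"view_vulnerability_management",
                                   "vm_exception_handling", "vm_remediation_handling"}),
                        frozenset({"sg-vm-operators"})),
    "MDE Administrator": Role("MDE Administrator", ALL_PERMISSIONS,
                              frozenset({"sg-mde-admins"})),
}

# Roles as observed in the portal (constructed), deliberately drifted from the baseline.
OBSERVED = [
    Role("SOC Analyst",
         frozenset({"view_security_operations", "alerts_investigation",
                    "remediate_security_operations"}),   # extra response rights
         frozenset({"sg-soc-analysts"})),
    Role("VM Operator",
         frozenset({"view_vulnerability_management",
                    "vm_exception_handling", "vm_remediation_handling"}),
         frozenset({"sg-vm-operators", "sg-helpdesk"})),  # unapproved group
    Role("Legacy Admin",                                    # role the AO never defined
         frozenset({"manage_portal_system_settings"}),
         frozenset({"sg-it-all"})),
    # "MDE Administrator" is absent from the portal entirely.
]


def audit_roles(baseline, observed):
    """Compare observed roles with the AO baseline.

    Returns a list of (role_name, issue, details) tuples. An empty list means
    the portal matches the baseline, i.e. no finding under the STIG check.
    """
    findings = []
    seen = set()
    for role in observed:
        seen.add(role.name)
        expected = baseline.get(role.name)
        if expected is None:
            # A role the AO never authorized is a finding regardless of content.
            findings.append((role.name, "role-not-authorized",
                             tuple(sorted(role.permissions))))
            continue
        unknown = role.permissions - ALL_PERMISSIONS
        if unknown:
            findings.append((role.name, "unknown-permission", tuple(sorted(unknown))))
        extra = role.permissions - expected.permissions
        if extra:  # least-privilege violation: more than the AO approved
            findings.append((role.name, "permissions-exceed-baseline", tuple(sorted(extra))))
        missing = expected.permissions - role.permissions
        if missing:
            findings.append((role.name, "permissions-below-baseline", tuple(sorted(missing))))
        extra_groups = role.groups - expected.groups
        if extra_groups:
            findings.append((role.name, "group-not-authorized", tuple(sorted(extra_groups))))
        missing_groups = expected.groups - role.groups
        if missing_groups:
            findings.append((role.name, "group-missing", tuple(sorted(missing_groups))))
    for name in sorted(baseline.keys() - seen):
        findings.append((name, "role-missing", ()))
    return findings


def run_audit():
    """Audit the constructed OBSERVED roles against AO_BASELINE."""
    return audit_roles(AO_BASELINE, OBSERVED)


if __name__ == "__main__":
    results = run_audit()
    for role_name, issue, details in results:
        print(f"FINDING  {role_name}: {issue} {list(details)}")
    print("no finding" if not results else f"{len(results)} finding(s)")
```

Any non-empty result corresponds to "this is a finding" in the check: a role the AO did not define, a permission set that exceeds or falls short of the approved one, or a group assignment the AO did not approve. Running the constructed data reports four findings; feeding the baseline roles back in as the observed set reports none.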

Fix Text

Access the MDE portal as a user with at least an MDE Administrator or equivalent role:

1. In the navigation pane, select Settings >> Microsoft Defender XDR >> Permissions and Roles. 
2. Select "+Add role".
3. Enter a Role Name, select "Permissions" as defined by the AO, and then click "Next".
4. Select the appropriate group as defined in MSDE-00-000300.