New granular security policy permissions in Microsoft Intune

New RBAC (role-based access control) permissions for endpoint security policies are being released for Microsoft Intune. They enable admins to delegate more granular control over the different types of security policies in their Intune tenant.

As detailed in message center post MC794811:

In an upcoming release, we will be adding new permissions for each endpoint security workload to allow for additional granularity. The ‘Security baselines’ permission previously included all security policies and now, it will only include security workloads that do not have their own permission.

A couple of roles and permissions will be affected by these changes. Currently, the Security baselines custom permission in Microsoft Intune enables the assigned user to create new security baselines in Microsoft Intune. It also enables the assigned user to manage individual policies such as:

  • Antivirus policies
  • Disk encryption policies
  • Firewall policies
  • Endpoint detection and response policies
  • App Control for Business policies
  • Attack surface reduction policies
  • Account protection policies

The Security baselines permission does not include permission to modify the following policies:

  • Endpoint Privilege Management policies
  • Device compliance policies
  • Conditional access policies

This change to the Security baselines custom permission will delete it in favour of new individual RBAC permissions that target the individual policies listed above.

The Endpoint Security Manager built-in role will also be affected, as it uses the Security baselines custom permission in Intune.

How to prepare for this change?

A snippet taken from the message center post details how this will directly affect you if you use these custom or built-in roles.

There is no change in functionality for the built-in role ‘Endpoint Security Manager’; you will see the additional new permissions listed in ‘Properties’.

If you are using custom roles with the ‘Security baselines’ permission, the new permissions will automatically be assigned to ensure your admins continue to have the same permissions they have today. As an example, if an admin has been assigned a custom role with the ‘Security baselines/Read’ permission, that role would include the new permissions, such as ‘Attack surface reduction/Read’. The ‘Security baselines/Read’ would still be applicable for viewing Security baselines, Firewall, Antivirus, and other security policies that do not have a designated permission. Note: All security workloads are expected to eventually have their own permission.

Fundamentally, these changes will not impact you. However, they bring a big potential benefit to anyone who is using the Security baselines permission but is over-permissioned for the task they actually perform. Take some time to review this permission assignment and determine whether the new RBAC permissions per policy type can be used to give finer-grained permission assignments to your admins.
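To support that review, here is an added example (not from the post or from Microsoft) that takes Intune role definitions in the shape Microsoft Graph returns them and reports which custom roles carry the broad Security baselines permission, together with the verbs granted, so you can judge whether a per-workload permission would cover the role's real task. It assumes the Microsoft Graph PowerShell SDK cmdlet Get-MgDeviceManagementRoleDefinition for live data and that Graph resource-action names embed the workload name (for example ‘SecurityBaselines’); the two role objects below are constructed sample data.

```powershell
# Added example: audit custom Intune roles that grant the broad 'Security baselines' permission.
# Assumption: resource-action strings follow the pattern '<prefix>_<Workload>_<Verb>', as seen in
# the Intune RBAC model; take the exact strings from your own tenant's output.
# Live data (after Connect-MgGraph with a scope that can read Intune RBAC, e.g. DeviceManagementRBAC.Read.All):
#   $roles = Get-MgDeviceManagementRoleDefinition -All

# Constructed sample objects mirroring displayName / isBuiltIn / rolePermissions[].resourceActions[].allowedResourceActions
$roles = @(
    [pscustomobject]@{
        DisplayName     = 'Helpdesk AV Operators'   # constructed
        IsBuiltIn       = $false
        RolePermissions = @(@{ ResourceActions = @(@{ AllowedResourceActions = @(
            'Microsoft.Intune_SecurityBaselines_Read',
            'Microsoft.Intune_SecurityBaselines_Update',
            'Microsoft.Intune_ManagedDevices_Read') }) })
    },
    [pscustomobject]@{
        DisplayName     = 'Compliance Readers'      # constructed
        IsBuiltIn       = $false
        RolePermissions = @(@{ ResourceActions = @(@{ AllowedResourceActions = @(
            'Microsoft.Intune_ManagedDevices_Read') }) })
    }
)

function Get-BroadSecurityBaselineRoles {
    param([Parameter(Mandatory)][object[]]$RoleDefinitions)
    foreach ($role in $RoleDefinitions) {
        # Built-in roles keep their functionality per MC794811; only custom roles need review.
        if ($role.IsBuiltIn) { continue }
        # Flatten every allowed resource action the role grants.
        $actions  = @($role.RolePermissions |
                      ForEach-Object { $_.ResourceActions } |
                      ForEach-Object { $_.AllowedResourceActions })
        $baseline = @($actions | Where-Object { $_ -like '*SecurityBaselines_*' })
        if ($baseline.Count -eq 0) { continue }
        # The verb suffix (Read/Update/...) is what a narrower per-workload permission would need to match.
        $verbs = $baseline | ForEach-Object { ($_ -split '_')[-1] } | Sort-Object -Unique
        [pscustomobject]@{
            Role            = $role.DisplayName
            BaselineActions = ($baseline -join ', ')
            VerbsToReplace  = ($verbs -join ', ')
            OtherActions    = (($actions | Where-Object { $_ -notin $baseline }) -join ', ')
        }
    }
}

# Only 'Helpdesk AV Operators' is reported: it holds SecurityBaselines Read and Update.
Get-BroadSecurityBaselineRoles -RoleDefinitions $roles | Format-Table -AutoSize
```

Each reported role is a candidate for swapping the Security baselines permission for the per-workload permission (Antivirus, Firewall, Attack surface reduction, and so on) that matches the work the role actually does.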

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
