Join Pete Zerger for an in-depth discussion in this video Assigning user access to the ATP portal, part of Microsoft Cybersecurity Stack: Advanced Identity and Endpoint Protection.
[Voiceover]: You can assign users access to Windows Defender Advanced Threat Protection, or ATP, with one of two levels of permission: full access and read-only. Now, assigning full access rights requires adding users to the Security Administrator or Global Administrator built-in roles in Azure Active Directory. We can also assign read-only access, and assigning read-only rights requires adding the users to the Security Reader role, which is also a built-in Azure AD role.
So let's open a PowerShell prompt here, and I'm actually going to just open some existing code snippets, which are accessible to you through the downloads available with this course. We can assign these permissions using the Azure Active Directory PowerShell module, so you'd simply import the module with the module name MSOnline. Of course, you'll need to download and install that module on your workstation. Now, to grant full access to the Defender ATP portal for a user, we're simply going to use the Add-MsolRoleMember cmdlet and supply the role name; so for full access, we said that's Security Administrator.
This is really just like adding a user to a role for any other function, for any cloud service that you might be working with in Azure. Granted, the granularity here is pretty basic with Windows Defender ATP today: we have full control or read-only. So if we want to grant read-only access, the only thing we're changing there is the role name, to Security Reader. Now, it is important to note that we do need write access for some advanced functions of Windows Defender ATP, such as submitting samples, isolating machines, and blocking suspect files; we're going to need that full control role to have full capability to manage and remediate in this feature.
So now let's grant access through the Azure portal. I'll simply browse to portal.azure.com. I'll supply my kinetECO energy username, and you see I get the branded portal. Once that Azure portal renders here, I'll select Azure Active Directory, and under Manage in the left-hand menu I'm going to select Users and Groups, and I want All users. I can grant permissions to a group or I can grant permissions to a user; in this case I'm going to grant permissions to Alex Wilber.
So Alex is a delegate administrator in my environment, but in Azure AD terms he's really just a regular user. I'll go to the Directory role area here, and you're going to notice that Alex is a User. In order to grant him additional rights, I need to select the Limited administrator option. This opens up that list of Azure Active Directory roles, and down here in the list, in the S's, we'll see Security Reader and Security Administrator. So I simply need to give Alex Security Reader for read-only rights, or Security Administrator for full control, and once I make that designation, I save the change.
On his next login at securitycenter.windows.com, Alex will have read-only permissions to the portal. Now, at present, as I mentioned, role separation for Windows Defender ATP is basic and enablement is very simple, but if you want to automate role provisioning via PowerShell, or as part of your Active Directory to Azure AD directory synchronization process, as we can with most other Microsoft cloud services, the option is available to us.
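The PowerShell path described in the video, written up as an added example rather than the course's own downloadable snippet. It assumes the MSOnline module is installed, that the running account can manage directory roles, and that the user principal name shown is a placeholder; it adds a membership check before the Add-MsolRoleMember call so that re-running it is harmless, and warns when a read-only request targets someone who already holds the broader Security Administrator role.

```powershell
# Added example, not the course download. Assumes MSOnline is installed and the
# signed-in account may manage Azure AD directory roles.
Import-Module MSOnline
Connect-MsolService   # prompts for credentials

# The two Defender ATP portal access levels map to these Azure AD built-in roles.
$AtpAccessRoles = @{
    FullAccess = 'Security Administrator'
    ReadOnly   = 'Security Reader'
}

function Grant-AtpPortalAccess {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [ValidateSet('FullAccess', 'ReadOnly')] [string] $Access
    )
    $roleName = $AtpAccessRoles[$Access]
    $role     = Get-MsolRole -RoleName $roleName

    # Idempotency: skip the add if the user is already in the requested role.
    $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId
    if ($members.EmailAddress -contains $UserPrincipalName) {
        Write-Host "$UserPrincipalName is already a member of '$roleName'; nothing to do."
        return
    }

    # Least-privilege review point: a read-only request for someone who already
    # holds Security Administrator means the user keeps full control regardless.
    if ($Access -eq 'ReadOnly') {
        $adminRole = Get-MsolRole -RoleName $AtpAccessRoles.FullAccess
        $admins    = Get-MsolRoleMember -RoleObjectId $adminRole.ObjectId
        if ($admins.EmailAddress -contains $UserPrincipalName) {
            Write-Warning "$UserPrincipalName already holds '$($adminRole.Name)', which exceeds read-only; review before adding."
        }
    }

    Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberEmailAddress $UserPrincipalName
    Write-Host "Granted '$roleName' to $UserPrincipalName."
}

# Usage: read-only portal access for Alex (UPN below is a placeholder value).
Grant-AtpPortalAccess -UserPrincipalName 'alex.wilber@contoso.example' -Access ReadOnly
```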