MC794811: Plan for Change: New RBAC permissions for endpoint security policies

Announcement ID	MC794811	Published Date	05-21-2024
Service	Intune	Last Updated	05-21-2024
Category	Plan for change	Expiration Date	07-31-2024
Roadmap ID		Action Required by Date
Tags	Admin impact

Summary
New RBAC permissions for endpoint security policies are being introduced, allowing more granularity. The 'Security baselines' permission will be updated to include only specific workloads, with others getting their own permissions. No immediate action is required as Intune will update permissions automatically. Stay tuned for release details.

More Information
Today, you can use the role-based access control (RBAC) built-in role 'Endpoint Security Manager' to manage policies and features within the Endpoint security node or, you can limit admin actions by using the custom role with the 'Security baselines' permission. In an upcoming release, we will be adding new permissions for each endpoint security workload to allow for additional granularity. The 'Security baselines' permission previously included all security policies and now, it will only include security workloads that do not have their own permission. Stay tuned to What's new in Intune June for the release! How this will affect your organization: There is no change in functionality for the built-in role 'Endpoint Security Manager', you will see the additional new permissions listed in 'Properties'. If you are using custom roles with the 'Security baselines' permission, the new permissions will automatically be assigned to ensure your admins continue to have the same permissions they have today. As an example, if an admin has been assigned a custom role with 'Security baselines/Read' permission, that role would include the new permissions, such as Attack surface reduction/Read'. The â€˜Security baselines/Read' would still be applicable for viewing Security baselines, Firewall, Antivirus, and other security policies that do not have a designated permission. Note: All security workloads are expected to eventually have their own permission. [What you need to do to prepare:] No action is required as Intune will make a service-side update to assign the new permissions for admins with a 'Security baselines' permission as they become available. If you use these permissions and have documented guides on role-based access, you will want to make a note of these changes and update your administrative guidelines. If you want to take advantage of the new permissions to add granularity to your roles, stay tuned to What's new in Intune June for the release.

More Information

Today, you can use the role-based access control (RBAC) built-in role 'Endpoint Security Manager' to manage policies and features within the Endpoint security node or, you can limit admin actions by using the custom role with the 'Security baselines' permission.

In an upcoming release, we will be adding new permissions for each endpoint security workload to allow for additional granularity. The 'Security baselines' permission previously included all security policies and now, it will only include security workloads that do not have their own permission.

Stay tuned to What's new in Intune June for the release!

How this will affect your organization:

There is no change in functionality for the built-in role 'Endpoint Security Manager', you will see the additional new permissions listed in 'Properties'.

If you are using custom roles with the 'Security baselines' permission, the new permissions will automatically be assigned to ensure your admins continue to have the same permissions they have today. As an example, if an admin has been assigned a custom role with 'Security baselines/Read' permission, that role would include the new permissions, such as Attack surface reduction/Read'. The â€˜Security baselines/Read' would still be applicable for viewing Security baselines, Firewall, Antivirus, and other security policies that do not have a designated permission. Note: All security workloads are expected to eventually have their own permission.

[What you need to do to prepare:]

No action is required as Intune will make a service-side update to assign the new permissions for admins with a 'Security baselines' permission as they become available. If you use these permissions and have documented guides on role-based access, you will want to make a note of these changes and update your administrative guidelines.

If you want to take advantage of the new permissions to add granularity to your roles, stay tuned to What's new in Intune June for the release.

Top News

MC878427: Restricted Content Discoverability for SharePoint Sites

MC761227: Microsoft Teams Phone devices: Advanced calling and contact management on non-touch phones

MC721853: Microsoft New feedback button

MC891238: Microsoft SharePoint and Microsoft Teams: Update on new Microsoft Lists rollout

MC797119: A new Start experience

MC888034: Accept Apple's new terms and conditions to ensure Intune can communicate with Apple as expected

Removing the Default Exchange Server Database: A Step-by-Step Guide

Create and Manage Exchange Groups

Creating a Mailbox in Exchange Server 2013 Using PowerShell

MC888036: Prevent/Fix: PnP PowerShell authentication failures

MC794811: Plan for Change: New RBAC permissions for endpoint security policies

Contact Form

Top News

MC794811: Plan for Change: New RBAC permissions for endpoint security policies

You Might Like

Contact Form