MC794811: Plan for Change: New RBAC permissions for endpoint security policies

Announcement ID: MC794811
Published Date: 05-21-2024
Service: Intune
Last Updated: 05-21-2024
Category: Plan for change
Expiration Date: 07-31-2024
Roadmap ID:
Action Required by Date:
Tags: Admin impact


Summary
New RBAC permissions for endpoint security policies are being introduced, allowing more granularity. The 'Security baselines' permission will be updated to include only specific workloads, with others getting their own permissions. No immediate action is required as Intune will update permissions automatically. Stay tuned for release details.


More Information

Today, you can use the role-based access control (RBAC) built-in role 'Endpoint Security Manager' to manage policies and features within the Endpoint security node, or you can limit admin actions by using a custom role with the 'Security baselines' permission.

In an upcoming release, we will be adding new permissions for each endpoint security workload to allow for additional granularity. The 'Security baselines' permission previously included all security policies; it will now include only security workloads that do not have their own permission.

Stay tuned to What's new in Intune June for the release!

How this will affect your organization:

There is no change in functionality for the built-in role 'Endpoint Security Manager'; you will see the additional new permissions listed in 'Properties'.

If you are using custom roles with the 'Security baselines' permission, the new permissions will automatically be assigned to ensure your admins continue to have the same permissions they have today. As an example, if an admin has been assigned a custom role with the 'Security baselines/Read' permission, that role would include the new permissions, such as 'Attack surface reduction/Read'. The 'Security baselines/Read' permission would still be applicable for viewing Security baselines, Firewall, Antivirus, and other security policies that do not have a designated permission. Note: All security workloads are expected to eventually have their own permission.

What you need to do to prepare:

No action is required as Intune will make a service-side update to assign the new permissions for admins with a 'Security baselines' permission as they become available. If you use these permissions and have documented guides on role-based access, you will want to make a note of these changes and update your administrative guidelines.

If you want to take advantage of the new permissions to add granularity to your roles, stay tuned to What's new in Intune June for the release.
