Accessing the Microsoft Defender Portal

Zehadi Alam

Introduction


The Microsoft Defender Portal enables administrators to oversee and manage the security state of onboarded devices within their network. Initial access to the Defender portal is granted to users holding either the Global Administrator or Security Administrator role in Entra ID (i.e., EITS). They can utilize role-based access control to authorize other users to access the portal. The following section outlines the process that UGA IT units must follow to request access to the Defender portal, so they can monitor the status of their devices and engage in threat investigation and vulnerability management.

Procedure


1. Use the Information Security Support Request form or email soc@uga.edu to request access to the Defender portal. The steps that follow will indicate what to include in your request.

2. Specify that you would like a custom role assigned to your unit for portal access. SOC has configured the necessary permissions for the role.

Note: The existing built-in role within the Defender portal is the Microsoft Defender for Endpoint Administrator role. That role has all boxes checked and Live Response capabilities set to "Advanced." Users with that role are the "global administrators" of the Defender portal.

Note: The screenshot above is for illustrative purposes. These are not the permissions you should request. SOC will grant the necessary permissions for an onboarding unit.

3. Specify the Entra security group that contains the cloud Z-Accounts for your unit. If your unit does not have cloud Z-Accounts, then use the Microsoft Intune Onboarding Request form to request the creation of Z-Accounts for your technicians.

4. Specify your device naming convention to allow SOC to create device groups for your unit. For example, if all devices share a common prefix, include that information in the ticket. The available operators for the Name condition are "Starts with", "Ends with", "Equals", and "Contains."

Note: Further documentation will be provided to address situations in which the device name condition may not be sufficient in identifying all devices within an IT unit. Stay tuned for the inclusion of this reference in the article.
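Before submitting the naming convention in step 4, a unit can check which of its devices a proposed Name condition would miss. The script below is an added example, not SOC tooling or part of the original article; the four operator names come from the article, while the case-insensitive comparison and every device name in the inventory are assumptions constructed for illustration.

```python
# Added example: operator names come from the article; the case-insensitive
# comparison and all device names below are assumptions, not Defender behaviour
# confirmed by the article.
OPERATORS = {
    "Starts with": lambda name, value: name.startswith(value),
    "Ends with": lambda name, value: name.endswith(value),
    "Equals": lambda name, value: name == value,
    "Contains": lambda name, value: value in name,
}

def check_coverage(device_names, operator, value):
    """Split device names into (matched, unmatched) for one Name condition."""
    if operator not in OPERATORS:
        raise ValueError(f"unknown operator: {operator!r}")
    if not value.strip():
        raise ValueError("empty value would match every device")
    test = OPERATORS[operator]
    needle = value.strip().casefold()
    matched, unmatched = [], []
    for raw in device_names:
        name = raw.strip()
        if not name:
            continue  # skip blank rows from an exported inventory
        (matched if test(name.casefold(), needle) else unmatched).append(name)
    return matched, unmatched

def suggest_conditions(device_names, candidates):
    """Rank candidate (operator, value) pairs by how many devices they miss."""
    results = []
    for operator, value in candidates:
        _, unmatched = check_coverage(device_names, operator, value)
        results.append((len(unmatched), operator, value, unmatched))
    return sorted(results, key=lambda r: r[0])

# Constructed inventory for a hypothetical unit that uses the prefix "CHEM-".
INVENTORY = ["CHEM-LAB-001", "CHEM-LAB-002", "chem-office-07",
             "CHEMISTRY-KIOSK", "LAPTOP-4F2K9Q", "MacBook-Pro-CHEM"]

if __name__ == "__main__":
    for missed, op, val, unmatched in suggest_conditions(
            INVENTORY, [("Starts with", "CHEM-"), ("Contains", "CHEM")]):
        print(f'{op} "{val}": {missed} device(s) not covered: {unmatched}')
```

Devices left in the uncovered list (here a default-named laptop) are the ones to rename or call out explicitly in the ticket, since a single name condition will not place them in the unit's device group.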

After establishing the criteria for identifying your devices, SOC will grant access to these devices by adding your Entra security group to the User Access section.

Upon completion, you will have visibility of all your devices in the Defender portal. If your devices are successfully onboarded, the Onboarding status will indicate "Onboarded." If not, it will display "Can be onboarded."

Additional documentation will be released soon on leveraging this portal to engage in incident investigation. Below are some screenshots that display the utility of this platform.
