Microsoft Intune: Additional granular RBAC controls to manage Antivirus, Firewall, BitLocker, and Endpoint Detection and Response endpoint security workloads

🚨 The Signal: Intune now offers granular RBAC for Antivirus, Firewall, BitLocker, and EDR policies, separating them from 'Security baselines'. This improves least privilege for endpoint security management.

The Impact

Security teams and Intune administrators are the affected parties: endpoint security policies can now be delegated with narrower permissions, so fewer accounts need the broad 'Security baselines' right and the blast radius of a compromised or misused admin account shrinks.

  • Security teams: Reduced risk from over-privileged Intune administrators.
  • Intune administrators: Improved ability to implement least privilege.
  • Compliance officers: Easier demonstration of granular access controls.
  • Auditors: Clearer audit trails for endpoint security policy changes.

The Action

  1. Review existing Intune RBAC roles assigned 'Security baselines' permissions.
  2. Identify administrators who only require specific endpoint security permissions.
  3. Create or modify custom Intune roles with the new granular permissions (e.g., 'Manage Antivirus policies').
  4. Assign these new granular roles to relevant administrators.
  5. Remove 'Security baselines' permission from roles where it is no longer needed.
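Steps 1 and 2 above are an inventory exercise; the following PowerShell, an added example that is not part of Microsoft's announcement, lists every Intune role assignment whose role still grants 'Security baselines' resource actions, so you can see which groups would be candidates for a narrower role. It assumes the Microsoft.Graph PowerShell SDK, the `DeviceManagementRBAC.Read.All` scope, and that the 'Security baselines' permission group maps to resource actions named `Microsoft.Intune_SecurityBaselines_*` (the `Microsoft.Intune_<Resource>_<Action>` naming is the pattern seen in Intune role definitions; the exact names of the new granular antivirus/firewall/BitLocker/EDR actions are not given on this page, so the step 3 template uses a placeholder).

```powershell
# Added example: audit Intune RBAC for roles that still carry 'Security baselines' rights.
# Assumes Microsoft.Graph SDK and consent to DeviceManagementRBAC.Read.All.
Connect-MgGraph -Scopes 'DeviceManagementRBAC.Read.All' -NoWelcome
$graph = 'https://graph.microsoft.com/v1.0'

# Follow @odata.nextLink so large tenants are paged through completely.
function Get-GraphCollection {
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

# Assumption: the 'Security baselines' permission group is backed by resource actions
# named Microsoft.Intune_SecurityBaselines_<Action> (Read, Create, Update, Delete, Assign).
$baselinePattern = 'Microsoft\.Intune_SecurityBaselines_'

# Cache role definitions by id so each role is fetched once even if assigned many times.
$roleCache = @{}
function Get-RoleDefinitionForAssignment {
    param([Parameter(Mandatory)][string]$AssignmentId)
    $role = Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/roleAssignments/$AssignmentId/roleDefinition"
    if (-not $roleCache.ContainsKey($role.id)) { $roleCache[$role.id] = $role }
    return $roleCache[$role.id]
}

$assignments = Get-GraphCollection -Uri "$graph/deviceManagement/roleAssignments"

$findings = foreach ($assignment in $assignments) {
    $role = Get-RoleDefinitionForAssignment -AssignmentId $assignment.id
    $baselineActions = @($role.rolePermissions |
        ForEach-Object { $_.resourceActions } |
        ForEach-Object { $_.allowedResourceActions } |
        Where-Object { $_ -match $baselinePattern })
    if (-not $baselineActions) { continue }

    # 'members' holds Entra group object ids; resolving them to names needs Group.Read.All.
    [pscustomobject]@{
        Assignment      = $assignment.displayName
        Role            = $role.displayName
        IsBuiltIn       = $role.isBuiltIn
        MemberGroupIds  = ($assignment.members -join ', ')
        BaselineRights  = ($baselineActions -join ', ')
    }
}

$findings | Sort-Object Role, Assignment | Format-Table -AutoSize

# Step 3 template (shape only, not sent): body for POST $graph/deviceManagement/roleDefinitions.
# <GRANULAR_RESOURCE_ACTION> is a placeholder for the antivirus/firewall/BitLocker/EDR
# resource action names shown in the Intune portal; copy them from the new permission groups.
$customRoleTemplate = @{
    displayName     = 'Endpoint Security - Antivirus operator'
    description     = 'Manage Antivirus policies only; no Security baselines rights'
    rolePermissions = @(
        @{
            resourceActions = @(
                @{
                    allowedResourceActions    = @('<GRANULAR_RESOURCE_ACTION>')
                    notAllowedResourceActions = @()
                }
            )
        }
    )
}
$customRoleTemplate | ConvertTo-Json -Depth 6
```

Run it before touching any roles: each row is one assignment to review, and an empty result after step 5 is the evidence that 'Security baselines' has been removed from every role that no longer needs it. Built-in roles cannot be edited, so assignments to a built-in role that carries baseline rights are the ones to move to a custom role.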

Domain: Intune · Impact: high · Workload: Intune · Essential Eight: Restrict Administrative Privileges · ISM: ISM-0445, ISM-1175, ISM-1380, ISM-1507, ISM-1508, ISM-1509, ISM-1647, ISM-1648, ISM-1650, ISM-1686, ISM-1688, ISM-1689, ISM-1883, ISM-1897, ISM-1898