Minimum permission/right to Assign owner to MS Defender issue

Stratfull, Russ (EC) 0 Reputation points
2025-07-22T09:59:17.1266667+00:00

I want to create a 'custom' role with the minimum permissions/rights to enable the ability to .......

Assign owner and set due date by which recommendation should be implemented in MS Defender

So I can assign an administrator with limited technical knowledge to this role.

This is the current guideline, but not practical due to the need for such a powerful role.

To assign a Recommendation owner and set a due date in Azure Defender for Cloud, you need Contributor or Owner permissions on the resource (subscription, resource group, or resource) the recommendation applies to, according to Microsoft Learn.

Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud

2 answers
  1. Alex Burlachenko 13,330 Reputation points Volunteer Moderator
    2025-07-31T07:10:19.0833333+00:00

    Hi Russ,

    thanks for posting this question,

    first off, Microsoft's official docs say you need the Contributor or Owner role to assign recommendation owners in Defender for Cloud. that's... way too broad, right? like giving someone keys to the whole castle when they just need to water the plants )

    you need to create a custom role with just these two actions: 'microsoft.security/assessments/write' and 'microsoft.security/assessments/metadata/write'

    this lets someone assign owners and set dates without touching anything else. you can scope it to specific resource groups too! check the exact details here https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftsecurity

    always start with the least privilege. test with a test user before rolling it out to everyone. aha, and don't forget - Azure's role assignments can take a few mins to propagate, so don't panic if it doesn't work instantly ))

    if you manage multiple subscriptions, consider using Azure Policy to standardize these permissions. it's cleaner than doing it manually each time.

    the 'Security Admin' built-in role might already have these permissions. if you don't mind the extra access it gives, that's a quick fix! docs here https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#security-admin

    let me know if this works for you

    Best regards,

    Alex

    and "yes" if you would follow me at Q&A - personally, thx.
    P.S. If my answer helped you, please Accept my answer
    

    https://ctrlaltdel.blog/


  2. Stratfull, Russ (EC) 0 Reputation points
    2025-07-31T10:31:18.42+00:00

    Good Morning Alex,

    Thank you for your detailed response ....... Sorry it didn't work as expected

    I created a custom role in a specific subscription, following your advice..... however I think the role might be wrong, I could only find

    Your recommendation

    'microsoft.security/assessments/write' 'microsoft.security/assessments/metadata/write'

    What I found, no forward slash in assessmentsmetadata

    'microsoft.security/assessments/write' 'microsoft.security/assessmentsmetadata/write'

    Using those actions in a custom role did not work, did I misunderstand your recommendation?

    This role again is too powerful.

    the 'Security Admin' built-in role might already have these permissions. if you don't mind the extra access it gives, that's a quick fix! docs here https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#security-admin

    regards

    Russ

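The thread stalls on whether the metadata action is spelled with or without a slash before `metadata`, which is exactly the kind of mismatch a custom role silently absorbs: `az role definition create` accepts any action string, and the assignee simply ends up with no effective permission. The script below is an added example, not code from either poster or from Microsoft. It composes the least-privilege role definition proposed above in the JSON shape `az role definition create --role-definition <file>` accepts, and checks each action (case-insensitively, honouring `*` wildcards) against the provider's published operation names, suggesting the closest published name when there is no match. The provider document is a constructed stand-in for the output of `az provider operation show --namespace Microsoft.Security -o json`: its nesting is assumed from that command, and its operation names are an illustrative excerpt I wrote, so the live output, not this sample, is the authority on the exact spelling. The role name and the `/subscriptions/<subscription-id>` scope are placeholders.

```python
"""Compose a least-privilege custom Azure RBAC role and verify that every
action string it grants actually exists in the resource provider's
published operation list (catches slash / casing typos before deployment)."""
import json
import re
from difflib import get_close_matches

# The two actions suggested in the answer above, copied as written there.
PROPOSED_ACTIONS = [
    "microsoft.security/assessments/write",
    "microsoft.security/assessments/metadata/write",
]

# Constructed stand-in for `az provider operation show --namespace Microsoft.Security -o json`.
# The nesting ("operations" at top level plus "resourceTypes[].operations") is assumed from
# that command; the operation names are an illustrative excerpt, not the full or official list.
SAMPLE_PROVIDER_JSON = json.dumps({
    "name": "Microsoft.Security",
    "operations": [{"name": "Microsoft.Security/register/action"}],
    "resourceTypes": [
        {"name": "assessments", "operations": [
            {"name": "Microsoft.Security/assessments/read"},
            {"name": "Microsoft.Security/assessments/write"},
            {"name": "Microsoft.Security/assessments/delete"},
        ]},
        {"name": "assessmentMetadata", "operations": [
            {"name": "Microsoft.Security/assessmentMetadata/read"},
            {"name": "Microsoft.Security/assessmentMetadata/write"},
        ]},
        {"name": "pricings", "operations": [
            {"name": "Microsoft.Security/pricings/write"},
        ]},
    ],
})


def load_operation_names(provider_json: str) -> list:
    """Flatten the provider document into a plain list of operation name strings."""
    doc = json.loads(provider_json)
    names = [op["name"] for op in doc.get("operations", [])]
    for rt in doc.get("resourceTypes", []):
        names.extend(op["name"] for op in rt.get("operations", []))
    return names


def _action_regex(action: str):
    # RBAC action strings are matched case-insensitively and '*' is a wildcard segment.
    parts = [re.escape(p) for p in action.lower().split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def check_actions(actions, operation_names) -> dict:
    """For each requested action: ok=True with the published operations it matches,
    or ok=False with up to three closest published names (typo diagnosis)."""
    published = [n.lower() for n in operation_names]
    report = {}
    for action in actions:
        rx = _action_regex(action)
        hits = [n for n in published if rx.match(n)]
        if hits:
            report[action] = {"ok": True, "matches": hits}
        else:
            report[action] = {"ok": False,
                              "closest": get_close_matches(action.lower(), published, n=3, cutoff=0.6)}
    return report


def build_role_definition(name, description, actions, assignable_scopes) -> dict:
    """Role definition in the JSON shape `az role definition create --role-definition` accepts."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": description,
        "Actions": list(actions),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": list(assignable_scopes),
    }


if __name__ == "__main__":
    ops = load_operation_names(SAMPLE_PROVIDER_JSON)
    report = check_actions(PROPOSED_ACTIONS, ops)
    for action, result in report.items():
        print(action, "OK" if result["ok"] else f"NOT FOUND, closest: {result['closest']}")
    verified = [a for a, r in report.items() if r["ok"]]   # only grant what exists
    role = build_role_definition(
        "Defender Recommendation Owner Assigner",            # hypothetical role name
        "Assign owners and due dates on Defender for Cloud recommendations only",
        verified,
        ["/subscriptions/<subscription-id>"],                # placeholder scope
    )
    print(json.dumps(role, indent=2))
```

Run it against the live list by replacing `SAMPLE_PROVIDER_JSON` with the saved output of `az provider operation show --namespace Microsoft.Security -o json`; only actions reported `ok` should go into the role, and the resulting JSON can then be passed to `az role definition create --role-definition role.json`. Keeping the role at the subscription or resource-group scope where the recommendations live, as the answer suggests, is what stops the custom role from drifting back toward the breadth of Contributor.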
