Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article describes the requirements and prerequisites for using Microsoft Security Exposure Management.
Permissions
Important
Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
Manage permissions with Microsoft Defender XDR Unified role-based access control (RBAC)
Microsoft Defender XDR Unified role-based access control(RBAC) allows you to create custom roles with specific permissions for Exposure Management. These permissions are located under the Security posture category in Defender XDR Unified RBAC permissions model and are named:
- Exposure Management (read) for read-only access
- Exposure Management (manage) for access to manage Exposure Management experiences
For more sensitive actions in Exposure Management, users need the Core security settings (manage) permission which is located under the Authorization and settings category.
To access Exposure Management data and actions, a custom role in Defender XDR Unified RBAC with any of the permissions mentioned here, shall be assigned to the Microsoft Security Exposure Management data source.
To learn more about using Microsoft Defender XDR Unified RBAC to manage your Secure Score permissions, see Microsoft Defender XDR Unified role-based access control (RBAC).
The following table highlights what a user can access or perform with each of the permissions:
| Permission name | Actions | 
|---|---|
| Exposure Management (read) | Access to all Exposure Management experiences and read access to all available data | 
| Exposure Management (manage) | In addition to the read access, the user can set initiative target score and edit metric values, as long as the user has access to all Defender for Endpoint device groups. | 
| Core security settings (manage) | Connect or change vendor to the External Attack Surface Management initiative | 
For full Microsoft Security Exposure Management access, user roles need access to all Defender for Endpoint device groups. Users with restricted access to some of the organization's device groups can:
- Access global exposure insights data.
- View affected assets under metrics, recommendations, events, and initiatives history only within their scope.
- View devices in attack paths that are within their scope.
- Access the Security Exposure Management attack surface map and advanced hunting schemas (ExposureGraphNodes and ExposureGraphEdges) for the device groups they have access to.
Note
Access with manage permissions to Critical asset management, under System> Settings> Microsoft Defender XDR requires users to have access to all Defender for Endpoint device groups.
Access with Microsoft Entra ID roles
An alternative to managing access with Microsoft Defender XDR Unified RBAC permissions, access to Microsoft Security Exposure Management data and actions is also possible with Microsoft Entra ID Roles. You need a tenant with at least one Global Admin or Security Admin to create a Security Exposure Management workspace.
For full access, users need one of the following Microsoft Entra ID roles:
- Global Admin (read and write permissions) 
- Security Admin (read and write permissions) 
- Security Operator (read and limited write permissions) 
- Global Reader (read permissions) 
- Security Reader (read permissions) 
- Service Support Administrator (read permissions) 
- User Administrator (read permissions) 
- Helpdesk Administrator (read permissions) 
- Exchange Administrator (read and write permissions) 
- SharePoint Administrator (read and write permissions) 
Permission levels are summarized in the table.
| Action | Global Admin | Global Reader | Security Admin | Security Operator | Security Reader | 
|---|---|---|---|---|---|
| Grant permissions to others | ✔ | - | - | - | - | 
| Onboard your organization to the Microsoft Defender External Attack Surface Management (EASM) initiative | ✔ | ✔ | ✔ | ✔ | ✔ | 
| Mark initiative as a favorite | ✔ | ✔ | ✔ | ✔ | ✔ | 
| Set initiative target score | ✔ | - | ✔ | - | - | 
| View general initiatives | ✔ | ✔ | ✔ | ✔ | ✔ | 
| Share metric/Recommendations | ✔ | ✔ | ✔ | ✔ | ✔ | 
| Edit metric weight | ✔ | - | ✔ | - | - | 
| Export metric (PDF) | ✔ | ✔ | ✔ | ✔ | ✔ | 
| View metrics | ✔ | ✔ | ✔ | ✔ | ✔ | 
| Export assets (metric/recommendation) | ✔ | ✔ | ✔ | ✔ | ✔ | 
| Manage recommendations | ✔ | - | ✔ | - | - | 
| View recommendations | ✔ | ✔ | ✔ | ✔ | ✔ | 
| Export events | ✔ | ✔ | ✔ | ✔ | ✔ | 
| Change criticality level | ✔ | - | ✔ | ✔ | - | 
| Set critical asset rule | ✔ | - | ✔ | - | - | 
| Create criticality rule | ✔ | - | ✔ | - | - | 
| Turn criticality rule on/off | ✔ | - | ✔ | ✔ | - | 
| Run a query on exposure graph data | ✔ | ✔ | ✔ | ✔ | ✔ | 
| Configure data connectors | ✔ | ✔ | ✔ | ||
| View data connectors | ✔ | ✔ | ✔ | ✔ | ✔ | 
Browser requirements
You can access Security Exposure Management in the Microsoft Defender portal using Microsoft Edge, Internet Explorer 11, or any HTML 5 compliant web browser.
Critical asset classification
- Before you start, learn about critical asset management in Security Exposure Management. 
- Review required permissions for working with the critical assets. 
- When classifying critical assets, we support devices running version 10.3740.XXXX of the Defender for Endpoint sensor or later. We recommended running a more recent sensor version, as listed on the Defender for Endpoint What's New page. - You can check which sensor version a device is running as follows: - On a specific device, browse to the MsSense.exe file in C:\Program Files\Windows Defender Advanced Threat Protection. Right-click the file, and select Properties. On the Details tab, check the file version. 
- For multiple devices, it's easier to run an advanced hunting Kusto query to check device sensor versions, as follows: - DeviceInfo | project DeviceName, ClientVersion
 
Data freshness, retention, and related functionality
We currently ingest and process supported data from first-party Microsoft products, making it available within the enterprise exposure graph and applicable Microsoft Security Exposure Management experiences built on top of graph data within 72 hours of its production at the source product.
Microsoft product data is retained for no less than 14 days in the enterprise exposure graph and/or Microsoft Security Exposure Management. Only the latest data snapshot received from Microsoft products is retained; we do not store historical data.
Some enterprise exposure graph and/or Microsoft Security Exposure Management experiences data is available for querying via Advanced Hunting and is subject to Advanced Hunting service limitations.
We reserve the right to modify some or all of these parameters in the future, including:
- Data ingestion frequency and freshness: We may increase the current 72-hour latency (decrease the frequency of data ingestion) for some or all Microsoft data sources.
- Data retention period: We may decrease the current 14-day data retention period.
- Service features and functionality: We may alter, limit, or discontinue specific features, capabilities, or functionalities of the service built on top of the enterprise exposure graph and/or Microsoft Security Exposure Management data.
- Data query limits: We may impose limitations on the number, frequency, or type of data queries that can be performed against enterprise exposure graph or Microsoft Security Exposure Management data.
We will make reasonable efforts to provide advance notice of any significant changes to the service. However, you acknowledge and agree that you are solely responsible for monitoring any such notifications.
Getting support
To get support, select the Help question mark icon in the Microsoft Security toolbar.
 
You can also engage with the Microsoft Tech community.