Segregate management and operations of Defender for Cloud

Faiz Azhar 0 Reputation points
2024-03-13T08:04:43.1766667+00:00

I have a business requirement to segregate the management and operations of Defender for Cloud for multiple subscriptions in a single-tenant structure.

Currently, for all subscriptions, Defender for Cloud is managed by users assigned the Security Admin role, and the operations side of it is managed by users with the Security Reader role in the organization.

Due to an organization restructure, let's say Defender for Cloud for subscriptions A and B should remain managed by the existing team of users described above, but for subscriptions C and D, Defender for Cloud should be managed by a new team. Both teams should only be allowed to view and edit resources for Defender for Cloud in their respective subscriptions, but not in the other team's subscriptions.

What is the best approach to implement this segregation? If, let's say, we move these subscriptions to new management groups, can we assign Security Admin and Security Reader roles that are scoped only to the subscriptions under the management group?

Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.

1 answer

Stanislav Zhelyazkov 24,051 Reputation points MVP
2024-03-14T08:11:08.3133333+00:00

Hi,

Yes, you should definitely use management groups. Otherwise, the other way is to assign permissions per subscription, with each assignment differing depending on the subscription. Moving them to different management groups will allow you to do the assignments once per management group, without having to do assignments per subscription.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

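The management-group approach from the answer, as an added example that is not part of the thread and not Microsoft's own tooling beyond the Azure CLI commands it calls. The management group names (mg-team-ab, mg-team-cd), the subscription IDs SUB_A to SUB_D and the Entra ID group object IDs are placeholders; the built-in role names Security Admin and Security Reader are the real ones. By default the script only prints the az commands (set APPLY=1 to run them), so it can be read and checked without a logged-in CLI.

```shell
#!/bin/sh
# Added example for this thread, not code from Microsoft or from the poster.
# Assumptions (placeholders): management group names mg-team-ab and mg-team-cd,
# subscription IDs SUB_A..SUB_D, and the object IDs of four Entra ID groups
# (one Security Admin group and one Security Reader group per team).
set -eu

# Dry run by default: print each az command instead of executing it.
# Set APPLY=1 to run the commands for real with a logged-in Azure CLI.
run() {
  if [ "${APPLY:-0}" = "1" ]; then
    "$@"
  else
    printf '+ %s\n' "$*"
  fi
}

# ARM scope strings for a management group and for a subscription.
mg_scope()  { printf '/providers/Microsoft.Management/managementGroups/%s' "$1"; }
sub_scope() { printf '/subscriptions/%s' "$1"; }

# Create a management group directly under the tenant root group and move
# the given subscriptions into it.
create_mg_with_subs() {
  mg="$1"; shift
  run az account management-group create --name "$mg" --display-name "$mg"
  for sub in "$@"; do
    run az account management-group subscription add --name "$mg" --subscription "$sub"
  done
}

# Assign the two built-in roles once, at management-group scope. Azure RBAC
# inherits the assignment to every subscription under that management group
# and to nothing outside it, which is the segregation the question asks for.
assign_defender_roles() {
  scope=$(mg_scope "$1")
  run az role assignment create --assignee-object-id "$2" --assignee-principal-type Group \
      --role "Security Admin" --scope "$scope"
  run az role assignment create --assignee-object-id "$3" --assignee-principal-type Group \
      --role "Security Reader" --scope "$scope"
}

# Inheritance works downward from the root, so any Security Admin assignment
# left at the tenant root group or at a parent management group still reaches
# every subscription. Listing with --include-inherited at subscription scope
# shows such leftovers so they can be removed or re-scoped.
audit_subscription() {
  run az role assignment list --scope "$(sub_scope "$1")" --include-inherited \
      --role "Security Admin" -o table
}

main() {
  create_mg_with_subs mg-team-ab "${SUB_A:-<sub-a-id>}" "${SUB_B:-<sub-b-id>}"
  create_mg_with_subs mg-team-cd "${SUB_C:-<sub-c-id>}" "${SUB_D:-<sub-d-id>}"
  assign_defender_roles mg-team-ab "${TEAM1_ADMINS:-<group-object-id>}" "${TEAM1_READERS:-<group-object-id>}"
  assign_defender_roles mg-team-cd "${TEAM2_ADMINS:-<group-object-id>}" "${TEAM2_READERS:-<group-object-id>}"
  audit_subscription "${SUB_A:-<sub-a-id>}"
  audit_subscription "${SUB_C:-<sub-c-id>}"
}

main
```

The audit step is the part worth keeping after the move: the existing Security Admin and Security Reader assignments described in the question were made somewhere, and if that somewhere is the tenant root group or a management group above both new groups, the old team keeps inheriting access to subscriptions C and D regardless of the new assignments. Those inherited assignments have to be removed or re-created at mg-team-ab before the segregation holds.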
