Microsoft Intune · Device & Endpoint Management
Endpoint Security Manager
Manages security and compliance features including security baselines, device compliance, Conditional Access, and Microsoft Defender for Endpoint.
Scope: Organization-wide endpoint security management
Permissions
- Device compliance policies - Full CRUD + Assign + View reports
- Security baselines - Full CRUD + Assign
- Endpoint Detection and Response - Full CRUD + View reports
- Attack surface reduction - Full CRUD + View reports
- App Control for Business - Full CRUD + View reports
- Managed devices - Delete, Read, Set primary user, Update, View reports
- Remote tasks - Reboot, Remote lock, Sync, Windows Defender, Rotate keys
- Mobile Threat Defense - Modify + Read
- Endpoint Privilege Management - Full policy authoring + elevation requests
- Security tasks - Read + Update
Common use cases
- Security team managing device compliance
- Configuring security baselines and policies
- Managing Defender for Endpoint integration
- Responding to security incidents on devices
Best practices
- Assign to dedicated security operations staff
- Combine with Security Administrator Entra role for full scope
- Use for security-focused tasks, not general device management
- Monitor security tasks and compliance reports regularly
Security considerations
- Can delete managed devices
- Can modify Mobile Threat Defense settings
- Can execute remote tasks including device wipe
- Has read access to audit data
Common questions
When should I assign the Endpoint Security Manager role?
Assign Endpoint Security Manager when you need to: Security team managing device compliance; Configuring security baselines and policies; Managing Defender for Endpoint integration; and Responding to security incidents on devices. It is part of Microsoft Intune and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Endpoint Security Manager role do?
The Endpoint Security Manager role grants permissions including: Device compliance policies - Full CRUD + Assign + View reports; Security baselines - Full CRUD + Assign; Endpoint Detection and Response - Full CRUD + View reports; Attack surface reduction - Full CRUD + View reports; App Control for Business - Full CRUD + View reports; and Managed devices - Delete, Read, Set primary user, Update, View reports. See the Permissions section above for the full list.
What are the security risks of the Endpoint Security Manager role?
Key considerations when assigning Endpoint Security Manager: Can delete managed devices; Can modify Mobile Threat Defense settings; Can execute remote tasks including device wipe; and Has read access to audit data. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.