Microsoft Intune · Device & Endpoint Management

Endpoint Security Manager

Manages security and compliance features including security baselines, device compliance, Conditional Access, and Microsoft Defender for Endpoint.

Scope: Organization-wide endpoint security management

Permissions

  • Device compliance policies - Full CRUD + Assign + View reports
  • Security baselines - Full CRUD + Assign
  • Endpoint Detection and Response - Full CRUD + View reports
  • Attack surface reduction - Full CRUD + View reports
  • App Control for Business - Full CRUD + View reports
  • Managed devices - Delete, Read, Set primary user, Update, View reports
  • Remote tasks - Reboot, Remote lock, Sync, Windows Defender, Rotate keys
  • Mobile Threat Defense - Modify + Read
  • Endpoint Privilege Management - Full policy authoring + elevation requests
  • Security tasks - Read + Update

Common use cases

  • Security team managing device compliance
  • Configuring security baselines and policies
  • Managing Defender for Endpoint integration
  • Responding to security incidents on devices

Best practices

  • Assign to dedicated security operations staff
  • Combine with Security Administrator Entra role for full scope
  • Use for security-focused tasks, not general device management
  • Monitor security tasks and compliance reports regularly

Security considerations

  • Can delete managed devices
  • Can modify Mobile Threat Defense settings
  • Can execute remote tasks including device wipe
  • Has read access to audit data

Common questions

When should I assign the Endpoint Security Manager role?

Assign Endpoint Security Manager when you need to: Security team managing device compliance; Configuring security baselines and policies; Managing Defender for Endpoint integration; and Responding to security incidents on devices. It is part of Microsoft Intune and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Endpoint Security Manager role do?

The Endpoint Security Manager role grants permissions including: Device compliance policies - Full CRUD + Assign + View reports; Security baselines - Full CRUD + Assign; Endpoint Detection and Response - Full CRUD + View reports; Attack surface reduction - Full CRUD + View reports; App Control for Business - Full CRUD + View reports; and Managed devices - Delete, Read, Set primary user, Update, View reports. See the Permissions section above for the full list.

What are the security risks of the Endpoint Security Manager role?

Key considerations when assigning Endpoint Security Manager: Can delete managed devices; Can modify Mobile Threat Defense settings; Can execute remote tasks including device wipe; and Has read access to audit data. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →