Microsoft Intune · Device & Endpoint Management
Endpoint Security Manager
Manages security and compliance features including security baselines, device compliance, Conditional Access, and Microsoft Defender for Endpoint.
Scope: Organization-wide endpoint security management
Permissions
- Device compliance policies - Full CRUD + Assign + View reports
- Security baselines - Full CRUD + Assign
- Endpoint Detection and Response - Full CRUD + View reports
- Attack surface reduction - Full CRUD + View reports
- App Control for Business - Full CRUD + View reports
- Managed devices - Delete, Read, Set primary user, Update, View reports
- Remote tasks - Reboot, Remote lock, Sync, Windows Defender, Rotate keys
- Mobile Threat Defense - Modify + Read
- Endpoint Privilege Management - Full policy authoring + elevation requests
- Security tasks - Read + Update
Common use cases
- Security team managing device compliance
- Configuring security baselines and policies
- Managing Defender for Endpoint integration
- Responding to security incidents on devices
Best practices
- Assign to dedicated security operations staff
- Combine with the Security Administrator Entra role for full scope
- Use for security-focused tasks, not general device management
- Monitor security tasks and compliance reports regularly
Security considerations
- Can delete managed devices
- Can modify Mobile Threat Defense settings
- Can execute remote tasks including device wipe
- Has read access to audit data