Inventory the current model
Record Defender licensing, current permission model, unified RBAC workload status, Entra administrator roles, existing Defender roles, device groups, group rank, access assignments, automation accounts, service principals, API permissions, notification rules, and break-glass access. Export what the portal or APIs expose before changing anything.
Define personas and prohibited actions
Describe what a tier-1 analyst, tier-2 responder, vulnerability analyst, endpoint engineer, help desk, server team, MSSP, auditor, and emergency administrator must see and do. For each persona, state sensitive actions it must not perform and device classes it must not see.
Design the device taxonomy
Select durable properties such as approved device tags, platform, domain, and controlled naming patterns. Define tag source, allowed values, owner, creation path, propagation expectation, expiry, and exception handling. Do not rely on an informal manual tag for a permanent security boundary.
Model overlap and rank
List every expected collision: an executive laptop in Finance, a domain controller in a regional site, a pilot server in production, or a kiosk within a branch. Assign explicit exception groups above broad groups. Rank 1 is highest; document why every higher-ranked rule must win.
Protect the Ungrouped group
Set its automated remediation level and Entra group access deliberately. Define an expected threshold and an alert/review process when production devices appear there. Ungrouped cannot be deleted or have its rank changed, so operate it as an exception queue.
Create Entra security groups
Use role-oriented groups with two or more accountable owners where possible. Document membership approval, nested-group policy, dynamic membership risk, guest/vendor handling, emergency access, joiner/mover/leaver workflow, and periodic access review. Avoid assigning individuals directly when a governed group can represent the persona.
Create least-privilege roles
Grant only the data visibility and actions required for the persona. Separate routine investigation from high-impact response where operationally practical. Treat live response, file collection, file download, script execution, device isolation, remediation management, security-setting changes, and authorization administration as sensitive capabilities.
Build the device group
In Microsoft Defender, go to Settings > Endpoints > Permissions > Device groups. Define a unique name and description, select the automated remediation level, configure matching values, preview matches, assign the authorized Entra groups, submit, and place the group at its approved rank.
Test matching before access
Use positive, negative, overlap, no-match, renamed-device, platform-change, and stale-tag samples. Microsoft notes the preview can show up to 10 devices, so supplement it with inventory queries, exports, sampling, and post-change monitoring. Verify each device lands in exactly the intended highest-ranked group.
Test effective access by persona
Use dedicated nonprivileged test accounts. Confirm device inventory visibility, device pages, alerts/incidents, advanced hunting, vulnerability data, response actions, settings, and exports. Include forbidden-device and forbidden-action tests; a successful authorized test alone cannot prove least privilege.
Approve and activate safely
If migrating to unified RBAC, configure/import roles and assignments first, review global Entra roles that still confer privileges, activate only planned workloads, and test immediately. Define stop conditions and how to deactivate unified RBAC or restore previous assignments if validation fails.
Operate and recertify
Review membership, role changes, device-group rule/rank changes, Ungrouped volume, stale tags, failed persona tests, remediation exceptions, and deleted-group dependencies. Recertify owners and access at least quarterly for sensitive groups and after material organizational, service-provider, or platform changes.