MS Defender Azure Arc Logic App
What is the best procedure for configuring a Logic App for Microsoft Defender in an Azure Arc environment? We had a very unexpected experience during onboarding—after configuring the Logic App, we missed setting a cap, and within a week, it consumed over $18K USD. I believe there must be a way to fine-tune the configuration to optimize costs. From my perspective, no organization would adopt an environment with such high costs for Microsoft Defender Plan 2 without better cost control measures in place. Could you suggest best practices or optimizations to prevent such excessive consumption?
Replacement for Windows Authenticated Scanning
For cost saving, we were looking at replacing our existing vulnerability scanner with Defender and using device scanning. Due to the nature of some of our systems, we can't enroll all of them in Defender and had hoped to use Windows Authenticated Scanning for the unmanaged devices. It looks like that is being deprecated, and the FAQ page indicates that there is currently no direct replacement. While the number of systems we have that can't be enrolled in relatively minimal, is there any kind of scanning I'm missing as part of the product that would allow remote scans of Windows devices as opposed to enrolling? It doesn't look like it. Seems like taking away a component that gives some kind of feature parity without another option is a bad idea, but maybe I'm just missing something.
Consistent language for description of permissions
Is there any reference that describes the permissions that can be granted in Defender XDR, and how those permissions can be granted using Entra ID roles, Defender XDR Unified RBAC roles, or through the individual Defender point products that have been integrated into XDR, using consistent, standardized language? The documentation for Entra ID describes permissions in this format: microsoft.directory/provisioningLogs/allProperties/read The documentation for Defender XDR describes them in this format: Security operations \ Security data \ Email advanced actions (manage) I'm basically looking for something that says "permissions to do n function is granted by x role in Entra ID, y role in Defender XDR, or z role in Defender for Office 365." Is this something that's not possible at a company of Microsoft's size and complexity? Kind of like how this is the Microsoft Defender XDR community forum, but there's no "Microsoft Defender XDR" label for the mandatory labeling of posts?Unified RBAC and Entra PIM
I'm interested in any experiences people have had with activating custom Unified RBAC roles using Entra ID PIM. We are currently doing something similar with a custom role in Defender for Office 365 (using these instructions: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/pim-in-mdo-configure?view=o365-worldwide) , and my experience has been that it takes up to 50 minutes, after activating the Entra ID PIM group, for the permissions to be applied to Defender. Microsoft support can't decide whether this problem should be addressed by the Entra ID division or the Defender XDR division, and therefore it's not getting addressed. Has anyone configured an Entra ID PIM group with a custom Defender RBAC role (using these instructions: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/configure-just-in-time-access-to-m365-defender/ba-p/3764564) and if so, how well is it working. Thanks in advance!Device Un isolation Issue
We have some issues with endpoints that when they are put into isolation and then trying to remove them isolation it will fail or just be in a pending state. Trying the force unisolation script does not work on these devices as we get a error message "unisolation failed with exit code 2". Has anyone run into these issues? Another thing that I have noticed is when a device is put into isolation it enrolls that device again and shows the same device twice in device inventory.
Unable to apply ASR rules for Windows servers (2012R2,2016, 2019 and 2022) via SCCM
Hi, I have onboarded servers 2012 R2, 2016, 2019 and 2022 into the Microsoft Defender for Endpoint via a unified solution (I am not using MMA or AMA), All statuses are Active and onboarded in the www.security.microsoft.com console. These servers are managing through the SCCM and I could deploy the Antimalware policy for all servers. Still, I am unable to deploy ASR rules for the onboarded servers, I have tried manually configure rules into the servers. Still, when I run Get-MpPreference powershell command there are blank fields for ASR components. Any solution for this? Note: These servers are not joined AAD.
