Merge pull request #1846 from DebLanger/US308919_URBAC

gadi changes

Author: DebLanger

exposure-management/prerequisites.md

@@ -6,7 +6,7 @@ author: dlanger
 manager: rayne-wiselman
 ms.topic: overview
 ms.service: exposure-management
-ms.date: 09/16/2024
+ms.date: 11/11/2024
 ---
 
 # Prerequisites and support
@@ -19,23 +19,51 @@ Security Exposure Management is currently in public preview.
 
 ## Permissions
 
-Permissions are based on [Microsoft Entra ID Roles](/entra/identity/role-based-access-control/custom-overview). You need a tenant with at least one Global Admin or Security Admin to create a Security Exposure Management workspace.
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
 
-- For full Security Exposure Management access, user roles need access to all Defender for Endpoint  [device groups](/microsoft-365/security//defender-endpoint/machine-groups).
-- Users who have access restricted to some of the organization's device groups (and not to all), can:
-    - Access global exposure insights data.
-    - View affected assets under metrics, recommendations, events, and initiatives history only within users' scope
-    - View devices in attack paths that are within the users' scope
-    - Access the Security Exposure Management attack surface map and advanced hunting schemas (ExposureGraphNodes and ExposureGraphEdges) for the device groups to which they have access
+## Manage permissions with Microsoft Defender XDR Unified role-based access control (RBAC)
 
-### Permissions for Security Exposure Management tasks
+[Microsoft Defender XDR Unified role-based access control(RBAC)](/defender-xdr/manage-rbac) allows you to create custom roles with specific permissions for Exposure Management. These permissions are located under the **Security posture** category in Defender XDR Unified RBAC permissions model and are named:
+
+- **Exposure Management (read)** for read-only access 
+- **Exposure Management (manage)** for access to manage Exposure Management experiences
+
+For more sensitive actions in Exposure Management, users need the **Core security settings (manage)** permission which is located under the **Authorization and settings** category.
+
+To access Exposure Management data and actions, a custom role in Defender XDR Unified RBAC with any of the permissions mentioned here, shall be assigned to the **Microsoft Security Exposure Management** data source.
+
+To learn more about using Microsoft Defender XDR Unified RBAC to manage your Secure Score permissions, see [Microsoft Defender XDR Unified role-based access control (RBAC)](/defender-xdr/manage-rbac).
+
+The following table highlights what a user can access or perform with each of the permissions:
+
+|Permission name|Actions|
+| -------- | -------- |
+|**Exposure Management (read)** |Access to all Exposure Management experiences and read access to all available data|
+|**Exposure Management (manage)**|In addition to the read access, the user can set initiative target score, edit metric values, manage recommendations (might require additional permissions related to the specific actions needed to be taken)|
+|**Core security settings (manage)**|Connect or change vendor to the External Attack Surface Management initiative|
+
+For full Microsoft Security Exposure Management access, user roles need access to all Defender for Endpoint [device groups](/microsoft-365/security//defender-endpoint/machine-groups).
+Users with restricted access to some of the organization's device groups can:
+
+- Access global exposure insights data.
+- View affected assets under metrics, recommendations, events, and initiatives history only within their scope.
+- View devices in attack paths that are within their scope.
+- Access the Security Exposure Management attack surface map and advanced hunting schemas (ExposureGraphNodes and ExposureGraphEdges) for the device groups they have access to.
+
+> [!NOTE]
+> Access with manage permissions to **Critical asset management**, under **System> Settings> Microsoft Defender XDR** requires users to have access to all Defender for Endpoint device groups.
+
+## Access with Microsoft Entra ID roles
+
+An alternative to managing access with Microsoft Defender XDR Unified RBAC permissions, access to Microsoft Security Exposure Management data and actions is also possible with [Microsoft Entra ID Roles](/entra/identity/role-based-access-control/custom-overview). You need a tenant with at least one Global Admin or Security Admin to create a Security Exposure Management workspace.
 
 For full access, users need one of the following Microsoft Entra ID roles:
 
 - **Global Admin** (read and write permissions)
-- **Global Reader** (read permissions)
 - **Security Admin** (read and write permissions)
 - **Security Operator** (read and limited write permissions)
+- **Global Reader** (read permissions)
 - **Security Reader** (read permissions)
 
 Permission levels are summarized in the table.
@@ -73,13 +101,11 @@ You can access Security Exposure Management in the Microsoft Defender portal usi
 
     You can check which sensor version a device is running as follows:
 
-    - On a specific device, browse to the MsSense.exe file in
+  - On a specific device, browse to the MsSense.exe file in
 C:\Program Files\Windows Defender Advanced Threat Protection. Right-click the file, and select **Properties**. On the **Details** tab, check the file version.
-    - For multiple devices, it's easier to run an [advanced hunting Kusto query](/defender-xdr/advanced-hunting-query-language) to check device sensor versions, as follows:
-
-        ``` DeviceInfo | project DeviceName, ClientVersion ```
-
+  - For multiple devices, it's easier to run an [advanced hunting Kusto query](/defender-xdr/advanced-hunting-query-language) to check device sensor versions, as follows:
 
+    ``` DeviceInfo | project DeviceName, ClientVersion ```
 
 ## Getting support