Azure: Defender for Endpoint onboarding
The Microsoft Defender for Endpoint (MDE) onboarding script/package for the tenant, which embeds a tenant-specific onboarding key used to enroll machines into the organization's Defender tenant.
The onboarding package contains sensitive provisioning material (an embedded onboarding secret/blob), not merely read-only posture metadata.
Microsoft.Security/mdeOnboardings/read
Returns the MDE onboarding script, which contains the tenant onboarding key/blob. Reading it exposes sensitive defense-provisioning material (anyone holding the blob can enroll machines into the tenant) and also reveals the organization's EDR deployment configuration.
Risks
Scope: MEDIUM
This privilege may grant access to confidential data, or its exploitation may incur operational cost.
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog