services / Azure / Defender for Endpoint onboarding

The Microsoft Defender for Endpoint (MDE) onboarding script/package for the tenant, which embeds a tenant-specific onboarding key used to enroll machines into the organization's Defender tenant.

The onboarding package contains sensitive provisioning material (an embedded onboarding secret/blob), not merely read-only posture metadata.

Microsoft.Security/mdeOnboardings/read

Returns the MDE onboarding script, which contains the tenant onboarding key/blob; reading it exposes sensitive defense-provisioning material that could be exfiltrated and also reveals the EDR deployment configuration.

Risks

Scope: MEDIUM

This privilege may grant access to confidential data, or its exploitation can incur operational cost.

Links

  • https://azure.permissions.cloud/iam/Microsoft.Security
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog