What Changed

The post-deployment setup instructions for the Isolate-MDEMachine Playbook previously directed operators to grant only the Machine.Isolate application permission to the managed identity. This was insufficient.

The Playbook performs a device lookup by hostname before issuing the isolation call. That lookup requires Machine.Read.All (or Machine.ReadWrite.All). Without it, the Playbook fails at runtime with a Forbidden error: Missing application roles. API required roles: Machine.Read.All,Machine.ReadWrite.All, application roles: Machine.Isolate.

The fix updates the PowerShell provisioning snippet in readme.md to loop over both Machine.Isolate and Machine.Read.All, and adds an inline warning note explaining the dependency.

Security Impact

Any environment that configured the managed identity using only the prior instructions has had zero device isolation capability – alerts would appear to trigger the Playbook but no isolation action would complete. The operational blind spot here is not detection; it is automated response failure.

Remediation: Re-run the updated PowerShell snippet to add Machine.Read.All to the managed identity. No logic changes are required; this is a permissions provisioning correction only.

Affected Files

Solutions/MicrosoftDefenderForEndpoint/Playbooks/Isolate-MDEMachine/readme.md