Thanks, Sergg, for the suggestion, because that was the quest that led me here.
Hopefully, I can give back and help everyone with a few things on Defender for Office (MDO), Defender for Identity (MDI), and Cloud App Security (MCAS) access via guest accounts:
- MDO, MDI, and MCAS are all surfacing their alerts for viewing and management in the M365 Security Portal, which is also the MDE portal (as far as Azure AD authentication is concerned), so the solution proposed above by Sergg of using https://security.microsoft.com/?tid=customer_tenant_id should help with getting to that. If you manage the alerts there, the status will also be updated in the MDI, MDO, and MCAS source portals.
- Unfortunately, MCAS currently still has per-user admin role provisioning within its own portal, but it also honors some built-in Azure AD roles: Global Admin, Security Admin, Compliance Admin, Compliance Data Admin, Security Operator, Security Reader, and Global Reader, as described here: Manage admin access to the Cloud App Security portal | Microsoft Docs. This may spare you some challenges with provisioning MCAS access.
- MCAS portal can be accessed by guest accounts, but it requires a different "tenant hint" trick than the tenant id URL parameter above. Instead, you simply must go to the tenant-specific MCAS portal URL of https://contoso.portal.cloudappsecurity.com
- Defender for Identity (aka MDI and formerly Azure ATP) role-based access is governed by 3 groups created in your Azure AD directory when you create the MDI instance: Azure ATP (instance name) Administrators, Azure ATP (instance name) Users, and Azure ATP (instance name) Viewers. More here: Microsoft Defender for Identity role groups for access management | Microsoft Docs
- MDI portal can also be accessed by guest accounts similar to MCAS, using its tenant-specific portal URL of https://contoso.atp.azure.com.
Hope this helps. Happy hunting, everyone!