Add custom roles for managing ISPM
under review
Randall Bellows
I mean, I like the ability to check the security status of each of my tenants, that's great, but the ability to just disable CA policies on my clients? I reserve these settings for privileged accounts that are behind FIDO2 auth, not someone who has access to ISPM.
Literally the compromise of a single Huntress account could mean the compromise of all my clients in one go.
I have strong MFA/CA controls for SSO into Huntress, and then... TOTP as a second factor of auth, but I bet not everyone is doing that.
I could see Huntress being a threat actor's way into compromising multiple client accounts with the feature the way it is.
Scott Riley
Merged in a post:
Freaks me out that I can disable Conditional Access Policies from Huntress Portal.
Randall Bellows
These are admin-related controls. If help desk can log into Huntress and start disabling or enabling Conditional Access policies, that could cause some serious issues.
Altering Conditional Access policies needs to be reserved for Microsoft admins only. Where are the controls for this?
I would feel better if that feature was left out, or locked. I don't want anyone with access to the Huntress portal to be messing with CA policies. It means that compromising a Huntress account could equal the compromise of client accounts too.
Scott Riley marked this post as under review
Oliver Smith
Agreed on this also - we have just enabled ISPM and it would be useful if we could hide ISPM for some of our Support Techs whilst it's in early access.
It would be good to remove our own internal organisation from "Security Engineers" visibility as we would prefer to restrict access for our site. Customer sites are fine.
Scott Riley
Good shout, and similar to another suggestion here. We do have RBAC, but the roles are set to either Admin or Read-only in ISPM at the minute. Many of the things we do in ISPM can have a wide impact on the tenant, so it might be challenging to draw the line. But I'm happy to take a look with the team and see what's possible.
Scott Riley
Hey Randall, this would be handled by the roles in the Huntress portal.
Any controls which can change or deploy Conditional Access policies, or enforce Security Controls, have been restricted to the 'admins' and 'security engineer' roles.
So Helpdesk Engineers or other team members can have a different role which does not have the permissions to make changes.
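The concern raised throughout this thread is that a third-party portal account (or a help-desk role in it) could change Conditional Access policies in a client tenant. Regardless of how the portal's own roles end up, a practitioner would want to see any CA policy add/update/delete in the client's Entra ID audit log and know whether a user or an application (service principal) made it. The script below is an added example, not code from the thread, from Huntress, or from Microsoft. It assumes audit records shaped like the Microsoft Graph `directoryAudit` resource (`activityDisplayName`, `initiatedBy.user` / `initiatedBy.app`, `targetResources`); the records, tenant domain, account names and the application name "Example MSP Portal" are all constructed here for illustration and are not the real names any product uses.

```python
"""Flag Conditional Access policy changes in Entra ID audit records.

Added example (not from the forum thread, Huntress or Microsoft).
Assumptions: records follow the Microsoft Graph directoryAudit shape;
SAMPLE_AUDIT below is constructed by hand, including the app name
"Example MSP Portal", which is a placeholder, not a real service principal.
"""
from __future__ import annotations

from dataclasses import dataclass

# Audit activity names Entra ID emits for Conditional Access policy changes.
CA_ACTIVITIES = {
    "Add conditional access policy",
    "Update conditional access policy",
    "Delete conditional access policy",
}


@dataclass(frozen=True)
class Finding:
    when: str
    activity: str
    policy: str
    actor: str
    actor_kind: str  # "user", "app" or "unknown"
    result: str
    reason: str


def actor_of(record: dict) -> tuple[str, str]:
    """Return (actor name, kind). Apps are reported before users because a
    service principal acting on CA policies is the case this thread worries about."""
    init = record.get("initiatedBy") or {}
    if init.get("app"):
        app = init["app"]
        return app.get("displayName") or app.get("servicePrincipalId", "?"), "app"
    if init.get("user"):
        return init["user"].get("userPrincipalName", "?"), "user"
    return "unknown", "unknown"


def flag_ca_changes(records, allowed_users, allowed_apps=frozenset()):
    """Return a Finding for every CA policy change not made by a designated
    CA admin (allowed_users) or an explicitly allow-listed application."""
    allowed_users_lc = {u.lower() for u in allowed_users}
    findings = []
    for rec in records:
        activity = rec.get("activityDisplayName", "")
        if activity not in CA_ACTIVITIES:
            continue  # not a Conditional Access change
        actor, kind = actor_of(rec)
        policy = ", ".join(t.get("displayName", "?") for t in rec.get("targetResources", [])) or "?"
        if kind == "app" and actor not in allowed_apps:
            reason = "CA policy changed by an application/service principal not on the allow-list"
        elif kind == "user" and actor.lower() not in allowed_users_lc:
            reason = "CA policy changed by a user outside the designated CA-admin set"
        elif kind == "unknown":
            reason = "CA policy changed by an unidentified actor"
        else:
            continue  # expected change by a designated admin or allow-listed app
        findings.append(Finding(rec.get("activityDateTime", "?"), activity, policy,
                                actor, kind, rec.get("result", "?"), reason))
    return findings


# Constructed sample records (hypothetical tenant contoso.example).
SAMPLE_AUDIT = [
    {   # expected: a designated CA admin updating a policy
        "activityDateTime": "2024-05-02T09:14:07Z", "category": "Policy", "result": "success",
        "activityDisplayName": "Update conditional access policy",
        "initiatedBy": {"user": {"userPrincipalName": "ca-admin@contoso.example"}},
        "targetResources": [{"displayName": "Require MFA for all users", "type": "Policy"}],
    },
    {   # suspicious: a third-party portal's service principal changing a policy
        "activityDateTime": "2024-05-02T11:40:55Z", "category": "Policy", "result": "success",
        "activityDisplayName": "Update conditional access policy",
        "initiatedBy": {"app": {"displayName": "Example MSP Portal",
                                "servicePrincipalId": "00000000-0000-0000-0000-000000000001"}},
        "targetResources": [{"displayName": "Block legacy authentication", "type": "Policy"}],
    },
    {   # suspicious: a help-desk account deleting a policy
        "activityDateTime": "2024-05-02T12:02:13Z", "category": "Policy", "result": "success",
        "activityDisplayName": "Delete conditional access policy",
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk1@contoso.example"}},
        "targetResources": [{"displayName": "Require compliant device", "type": "Policy"}],
    },
    {   # unrelated audit event, must be ignored
        "activityDateTime": "2024-05-02T12:05:00Z", "category": "UserManagement", "result": "success",
        "activityDisplayName": "Update user",
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk1@contoso.example"}},
        "targetResources": [{"displayName": "someone@contoso.example", "type": "User"}],
    },
]
ALLOWED_CA_ADMINS = {"ca-admin@contoso.example", "breakglass@contoso.example"}


def run_sample():
    return flag_ca_changes(SAMPLE_AUDIT, ALLOWED_CA_ADMINS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.when} {f.activity!r} on {f.policy!r} by {f.actor_kind} {f.actor} ({f.result}): {f.reason}")
```

To run this against a real tenant, feed it the records returned by Graph's `GET /auditLogs/directoryAudits` (filtering on `category eq 'Policy'` keeps the volume down) and verify the field names against your own export before relying on them; if a vendor portal legitimately manages CA policies on your behalf, put its service principal's display name in `allowed_apps` so that only unexpected actors are reported.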