Why does Defender require native permissions in ActiveRoles Server?
This is by design.
Permissions need to be applied to the Defender OU for any managed domain account that is going to access Defender objects. Also, any user who needs to access Defender information needs 'Read' access to the Defender OU in order to read the license information.
1. Assign 'Read All Properties' within ARS on the 'Defender' OU to the trustees who need to manage Defender (no need to sync permissions to AD).
2. Assign the Defender access templates to both the user objects AND the Defender OU, and sync the permissions to AD.
Defender checks access only for the user account logged on to the computer, using that account's native AD permissions. It does not behave like ARS and perform virtual permission delegation.
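Because Defender evaluates the native AD security descriptor rather than ARS's virtual delegation, the practical check after step 2 is to read the OU's ACL directly from AD and confirm that the trustee actually has a 'Read All Properties' ACE there. The script below is an added example written for this article; it is not Defender or ActiveRoles product code. It assumes the Defender OU is at OU=Defender,DC=example,DC=com and the trustee is a group named EXAMPLE\DefenderAdmins (both hypothetical; adjust for your forest), and it requires the RSAT ActiveDirectory module for the AD: drive.

```powershell
# Added example (not from the original KB article or from the Defender / ActiveRoles products).
# Assumptions: Defender OU at OU=Defender,DC=example,DC=com; trustee EXAMPLE\DefenderAdmins.
Import-Module ActiveDirectory

$DefenderOU = 'OU=Defender,DC=example,DC=com'   # assumed location of the Defender OU
$Trustee    = 'EXAMPLE\DefenderAdmins'          # assumed trustee that must read Defender objects

# Read the native AD ACL, which is what Defender actually evaluates for the logged-on account.
# An access template linked in ARS without "sync permissions to AD" never shows up here.
$acl = Get-Acl -Path "AD:\$DefenderOU"

$readProp = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

# Keep only Allow ACEs for the trustee that carry ReadProperty on *all* properties:
# a ReadProperty ACE with a non-empty ObjectType is scoped to one attribute and is not
# the 'Read All Properties' right the article requires.
$readAllAces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Trustee -and
    $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
    (($_.ActiveDirectoryRights -band $readProp) -eq $readProp) -and
    $_.ObjectType -eq [guid]::Empty
}

if ($readAllAces) {
    foreach ($ace in $readAllAces) {
        "OK: $Trustee has native $($ace.ActiveDirectoryRights) on $DefenderOU (inheritance: $($ace.InheritanceType))"
    }
}
else {
    Write-Warning "$Trustee has no native 'Read All Properties' ACE on $DefenderOU; an ARS-only (virtual) delegation will not satisfy Defender."

    # Remediation: either re-link the Defender access template in ARS with "sync permissions to AD"
    # enabled, or grant the native right directly as shown here. Set-Acl is left commented out so
    # the script is read-only until you deliberately apply the change.
    $sid  = (New-Object System.Security.Principal.NTAccount($Trustee)).Translate([System.Security.Principal.SecurityIdentifier])
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid,
                [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,   # ReadProperty + ListChildren + ReadControl + ListObject
                [System.Security.AccessControl.AccessControlType]::Allow,
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)  # OU and all descendant Defender objects
    $acl.AddAccessRule($rule)
    # Set-Acl -Path "AD:\$DefenderOU" -AclObject $acl
}
```

The check matches a direct ACE for the named trustee only; if the user gets read access through a different group, or through a default ACE such as the one for Authenticated Users, the script will report a false warning. Run it after syncing the ARS access templates: if the trustee's ACE is visible in the native ACL here, Defender will see the same thing when that account logs on.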