Creating Custom Roles with more permissions than specified in Custom Role section?

Vasilije Djurovic 66 Reputation points
2022-12-06T08:28:17.907+00:00

Hello guys,

Just want to ask you if you have any "other way around" to assign more rights for a custom role than specified in the Roles & Administrators section of Azure? We as a company want to "edit" the Security Administrator role and create a new role from the Security Administrator permissions. To further explain this issue - we want to create a new role because we want to exclude the view of machines, alerts and any insight from a specific location on Defender and other portals that are bound to Microsoft Security. Can anyone who has faced a common issue share some experience?

Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.

2 answers

  1. Givary-MSFT 27,966 Reputation points Microsoft Employee
    2022-12-09T07:41:08.09+00:00

    @Vasilije Djurovic Thank you for reaching out to us. If I understand correctly, you want to create a custom Security Administrator role in Azure AD (or, I would say, a duplicate of the Security Administrator role minus the view of machines, alerts and any insight from a specific location on Defender and other portals that are bound to Microsoft Security).

    Unfortunately, not all actions/permissions defined in the default Security Administrator role are available for custom roles. I have reviewed all the permissions defined in the Security Administrator role as mentioned here: https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#security-administrator:~:text=premises%20password%20protection.-,Actions,-Description and a few are not available to make a replica of the Security Administrator role.

    If your end goal is to control the permissions for the Defender for Endpoint portal, you can go to the MDE portal - Settings - Endpoints - Roles, review the permissions as mentioned in the screenshot, and create RBAC based on it.

    Reference: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/user-roles?view=o365-worldwide

    If this doesn't help, you can post your feedback over here: https://feedback.azure.com/d365community/search/?q=security+administrator+custom+role which is closely monitored by our team so that they can work on your feedback and improve the product further.

    [Screenshot: 268820-image.png]

    Let me know if you have any further questions; feel free to post back.


  2. Vasilije Djurovic 66 Reputation points
    2022-12-13T07:55:43.057+00:00

    Hello,

    Thank you for your answer. Will there soon be integration of permissions for Cloud App Security into the Microsoft 365 Defender portal, since integration of the two portals is ongoing?

    Best Regards
