Map Microsoft Defender XDR Unified role-based access control (RBAC) permissions

All permissions listed within the Microsoft Defender XDR Unified RBAC model align to existing permissions in the individual RBAC models. Once you activate the Microsoft Defender XDR Unified RBAC model the permissions and assignments configured in your imported roles replace the existing roles in the individual RBAC models.

This article describes how existing roles and permissions in Microsoft Defender for Endpoint, Microsoft Defender Vulnerability Management, Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Entra roles map to the roles and permission in the Microsoft Defender XDR Unified RBAC model.

Applies to:

Important

Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

Map Microsoft Defender XDR Unified RBAC permissions to existing RBAC permissions

Use the tables in the following sections to learn more about how your existing individual RBAC role definitions map to your new Microsoft Defender XDR Unified RBAC roles:

  1. Map Defender for Endpoint and Defender Vulnerability Management permissions
  2. Map Defender for Office 365 permissions to the Microsoft Defender XDR Unified RBAC permissions
  3. Map Microsoft Defender for Identity permissions
  4. Microsoft Entra Global roles access

Map Defender for Endpoint and Defender Vulnerability Management permissions to the Microsoft Defender XDR RBAC permissions

Defender for Endpoint and Defender Vulnerability Management permissions Microsoft Defender XDR Unified RBAC permission
View data - Security operations Security operations \ Security data \ Security data basics (read)
View data - Defender Vulnerability Management Security posture \ Posture management \ Vulnerability management (read)
Alerts investigation Security operations \ Security data \ Alerts (manage)
Active remediation actions - Security operations Security operations \ Security data \ Response (manage)
Active remediation actions - Defender Vulnerability Management - Exception handling Security posture \ Posture management \ Exception handling (manage)
Active remediation actions - Defender Vulnerability Management - Remediation handling Security posture \ posture management \ Remediation handling (manage)
Active remediation actions - Defender Vulnerability Management - Application handling Security posture \ Posture management \ Application handling (manage)
Defender Vulnerability management – Manage security baselines assessment profiles Security posture \ posture management \ Security baselines assessment (manage)
Live response capabilities Security operations \ Basic live response (manage)
Live response capabilities - advanced Security operations \ Advanced live response (manage)
Security operations \ Security data \ File collection (manage)
Manage security settings in the Security Center Authorization and settings \ Security settings \ Core security settings (manage)
Authorization and settings\Security settings \ Detection tuning (manage)
Manage portal system settings Authorization and settings \ System setting (Read and manage)
Manage endpoint security settings in Microsoft Intune Not supported - this permission is managed in the Microsoft Intune admin center

Map Defender for Office 365 permissions to the Microsoft Defender XDR Unified RBAC permissions

Use the following tables to learn how your existing Email & collaboration and protection-related Exchange Online permissions for Defender for Office 365 map to the new Microsoft Defender XDR Unified RBAC permissions:

Email & collaboration permissions mapping

You configured Email & collaboration permissions in the Defender portal at https://security.microsoft.com/emailandcollabpermissions.

Email & collaboration permission Type Microsoft Defender XDR Unified RBAC permission
Global Reader Role group Security operations \ Security data \ Security data basics (read)
Security operations \ Raw data (Email & collaboration) \ Email & collaboration metadata (read)
Security operations \ Security data \ Response (manage)
Authorization and settings \ Security settings \ Core security settings (read)
Authorization and settings \ System setting (read)
Organization Management Role group Security operations \ Security data \ Security data basics (read)
Security operations \ Security data \ Alerts (manage)
Security operations \ Raw data (Email & collaboration) \ Email & collaboration metadata (read)
Security operations \ Security data \ Response (manage)
Security operations \ Security data \ Email advanced actions (manage)
Security operations \ Security data \ Email quarantine (manage)
Authorization and settings \ Authorization (Read and manage)
Authorization and settings \ Security setting (All permissions)
Authorization and settings \ System settings (Read and manage)
Security Administrator Role group Security operations \ Security data \ Security data basics (read)
Security operations \ Security data \ Alerts (manage)
Security operations \ Raw data (Email & collaboration) \ Email & collaboration metadata (read)
Security operations \ Security data \ Response (manage)
Security operations \ Security data \ Email quarantine (manage)
Authorization and settings \ Authorization (read)
Authorization and settings \ Security setting (All permissions)
Authorization and settings \ System settings (Read and manage)
Security Reader Role group Security operations \ Security data \Security data basics (read)
Security operations \ Raw data (Email & collaboration) \ Email & collaboration metadata (read)
Security operations \ Security data \ Response (manage)
Authorization and settings \ Security settings \ Core security settings (read)
Authorization and settings \ System setting (read)
Audit Logs Role Security operations \ Security data \ Security data basics (read)
Manage Alerts Role Security operations \ Security data \ Security data basics (read)
Security operations \ Security data \ Alerts (manage)
Preview Role Security operations\ Security operations \ Raw data (Email & collaboration) \ Email & collaboration content (read)
Quarantine Role Security operations \ Security data \ Email quarantine (manage)
Role Management Role Authorization and settings \ Authorization (Read and manage)
Search and Purge Role Security operations \ Security data \ Email advanced actions (manage)
View-Only Manage Alerts Role Security operations \ Security data \ Security data basics (read)
View-Only Recipients Role Security operations \ Security data \ Security data basics (read)
Security operations \ Raw data (Email & collaboration) \ Email & collaboration metadata (read)
View-only Audit Logs Role Security operations \ Security data \ Security data basics (read)

Exchange Online permissions mapping

You configured protection-related Exchange Online permissions in the Exchange admin center (EAC) at https://admin.exchange.microsoft.com/#/adminRoles.

Exchange Online permission Type Microsoft Defender XDR Unified RBAC permission
Hygiene Management Role group Security operations \ Security data \ Email quarantine (manage)
Authorization and settings \ Security settings \ Core security settings (manage)
Authorization and settings \ Security settings \ Detection tuning (manage)
Organization Management Role group Security operations \ Raw data (email & collaboration) \ Email & collaboration metadata (read)
Authorization and settings \ Security settings \ Core security settings (manage)
Authorization and settings \ Security settings \ Detection tuning (manage)
Authorization and settings \ System settings (Read and manage)
Security Administrator Role group Authorization and settings \ Security settings \ Detection tuning (manage)
Authorization and settings \ System settings (Read and manage)
View-Only Organization Management Role group Authorization and settings \ Security settings (Read-only)
Authorization and settings \ System settings (Read-only)
Tenant AllowBlockList Manager Role Authorization and settings \ Security settings \ Detection tuning (manage)
View-only Recipients Role Security operations \ Raw data (email & collaboration) \ Email & collaboration metadata (read)

Map Microsoft Defender for Identity permissions to the Microsoft Defender XDR Unified RBAC permissions

Defender for Identity permission Defender XDR Unified RBAC permission
MDI admin Security operations \ Security data \ Security data basics (read)
Security operations \ Security data \ Alerts (manage)
Authorization and settings \ Authorization (Read and manage)
Authorization and settings \ Security setting (All permissions)
Authorization and settings \ System settings (Read and manage)
MDI user Security operations \ Security data \ Security data basics (read)
Security operations \ Security data \ Alerts (manage)
Authorization and settings \ Security setting (All permissions)
Authorization and settings \ System setting (read)
MDI viewer Security operations \ Security data \ Security data basics (read)
Authorization and settings \ Security settings \ Core security settings (read)
Authorization and settings \ System setting (read)

Note

Defender for Identity experiences will also adhere to permissions granted from Microsoft Defender for Cloud Apps. For more information, see Microsoft Defender for Identity role groups. Exception: If you have configured Scoped deployment for Microsoft Defender for Identity alerts in the Microsoft Defender for Cloud Apps portal, these permissions do not carry over. You need to explicitly grant the Security operations \ Security data \ Security data basics (read) permissions for the relevant portal users.

Microsoft Entra Global roles access

Users assigned with Microsoft Entra global roles may also have access to the Microsoft Defender portal.

Use this table to learn about the permissions assigned by default for each workload (Defender for Endpoint, Defender Vulnerability Management, Defender for Office and Defender for Identity) in Microsoft Defender XDR Unified RBAC to each global Microsoft Entra role.

Microsoft Entra role Microsoft Defender XDR Unified RBAC assigned permissions for all workloads Microsoft Defender XDR Unified RBAC assigned permissions – workload specific
Global administrator Security operations \ Security data \ Security data basics (read)
Security operations \ Security data \ Alerts (manage)
Security operations \ Security data \ Response (manage)
Security posture \ Posture management \ Secure Score (read)
Security posture \ Posture management \ Secure Score (manage)
Authorization and settings \ Authorization (Read and manage)
Authorization and settings \ Security settings (All permissions)
Authorization and settings \ System settings (Read and manage)
Defender for Endpoint and Defender Vulnerability Management permissions only permissions
Security operations \ Basic live response (manage)
Security operations \ Advanced live response (manage)
Security operations \ Security data \ File collection (manage)
Security posture \ Posture management \ Vulnerability management (read)
Security posture \ Posture management \ Exception handling (manage)
Security posture \ Posture management \ Remediation handling (manage)
Security posture \ Posture management \ Application handling (manage)
Security posture \ Posture management \ Security baseline assessment (manage)

Defender for Office only permissions
Security operations \ Security data \ Email quarantine (manage)
Security operations \ Security data \ Email advanced actions (manage)
Security operations \ Raw data (Email & collaboration) \ Email & collaboration metadata (read)
Security administrator Same as Global administrator Same as Global administrator
Global reader Security operations \ Security data \ Security data basics (read)
Security posture \ Posture management \ Secure Score (read)
Defender for Endpoint and Defender Vulnerability Management permissions only permissions
Security posture \ Posture management \ Vulnerability management (read)

Defender for Office only permissions
Security operations \ Security data \ Response (manage)
Security operations \ Raw data (Email & collaboration) \ Email & collaboration metadata (read)
Authorization and settings \ Authorization (read)

Defender for Office and Defender for Identity only permissions
Authorization and settings \ Security settings \ Core security settings (read)
Authorization and settings \ System settings (read)
Security reader Security operations \ Security data \ Security data basics (read)
Security posture \ Posture management \ Secure Score (read)
Defender for Endpoint and Defender Vulnerability Management permissions only permissions
Security posture \ Posture management \ Vulnerability management (read)

Defender for Office only permissions
Security operations \ Security data \ Response (manage)
Security operations \ Raw data (Email & collaboration) \ Email & collaboration metadata (read)

Defender for Office and Defender for Identity only permissions
Authorization and settings \ Security settings \ Core security settings (read)
Authorization and settings \ System settings (read)
Security operator Security operations \ Security data \ Security data basics (read)
Security operations \ Security data \ Alerts (manage)
Security operations \ Security data \ Response (manage)
Security posture \ Posture management \ Secure Score (read)
Authorization and settings \ Security settings (All permissions)
Defender for Endpoint and Defender Vulnerability Management permissions only permissions
Security operations \ Security data \ Basic live response (manage)
Security operations \ Security data \ Advanced live response (manage)
Security operations \ Security data \ File collection (manage)
Security posture \ Posture management \ Vulnerability management (read)
Security posture \ Posture management \ Exception handling (manage)
Security posture \ Posture management \ Remediation handling (manage)

Defender for Office only permissions
Security operations \ Raw data (Email & collaboration) \ Email & collaboration metadata (read)
Authorization and settings \ System settings (Read and manage)

Defender for Identity only permissions
Authorization and settings \ System settings (read)
Exchange Administrator Security posture \ Posture management \ Secure Score (read)
Security posture \ Posture management \ Secure Score (manage)
Defender for Office only permissions
Security operations \ Security data \ Security data basic (read)
Security operations \ Raw data (Email & collaboration) \ Email & collaboration metadata (read)
Authorization and settings \ System settings (Read and manage)
SharePoint Administrator Security posture \ Posture management \ Secure Score (read)
Security posture \ Posture management \ Secure Score (manage)
not applicable
Service Support Administrator Security posture \ Posture management \ Secure Score (read) not applicable
User Administrator Security posture \ Posture management \ Secure Score (read) not applicable
HelpDesk Administrator Security posture \ Posture management \ Secure Score (read) not applicable
Compliance administrator not applicable Defender for Office only permissions
Security operations \ Security data \ Security data basics (read)
Security operations \ Security data \ Alerts (manage)
Compliance data administrator not applicable Same as Compliance administrator
Billing admin not applicable not applicable

Note

By activating the Microsoft Defender XDR Unified RBAC model, users with Security Reader and Global Reader roles can access Defender for Endpoint data.

Next steps

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.