Microsoft Defender for Identity role groups
Microsoft Defender for Identity offers role-based security to safeguard data according to your organization's specific security and compliance needs. We recommend that you use role groups to manage access to Defender for Identity, segregating responsibilities across your security team and granting only the amount of access that users need to do their jobs.
Unified role-based access control (RBAC)
Users who are already Global Administrators or Security Administrators in your tenant's Microsoft Entra ID are automatically Defender for Identity administrators as well. Microsoft Entra Global and Security Administrators don't need extra permissions to access Defender for Identity.
For other users, enable Microsoft 365 role-based access control (RBAC) to manage access to Defender for Identity: it lets you create custom roles and also supports additional Microsoft Entra ID roles, such as Security Operator and Security Reader, by default.
When creating your custom roles, make sure that you apply the permissions listed in the following table:
Defender for Identity access level | Minimum required Microsoft 365 unified RBAC permissions |
---|---|
Administrators | Authorization and settings/Security settings/Read; Authorization and settings/Security settings/All permissions; Authorization and settings/System settings/Read; Authorization and settings/System settings/All permissions; Security operations/Security data/Alerts (manage); Security operations/Security data/Security data basics (Read); Authorization and settings/Authorization/All permissions; Authorization and settings/Authorization/Read |
Users | Security operations/Security data/Security data basics (Read); Authorization and settings/System settings/Read; Authorization and settings/Security settings/Read; Security operations/Security data/Alerts (manage); microsoft.xdr/configuration/security/manage |
Viewers | Security operations/Security data/Security data basics (Read); Authorization and settings/System settings (Read and manage); Authorization and settings/Security settings (All permissions) |
For more information, see Custom roles in role-based access control for Microsoft Defender XDR and Create custom roles with Microsoft Defender XDR Unified RBAC.
Note
Information included from the Defender for Cloud Apps activity log may still contain Defender for Identity data. This content adheres to existing Defender for Cloud Apps permissions.
Exception: If you have configured Scoped deployment for Microsoft Defender for Identity alerts in the Microsoft Defender for Cloud Apps portal, these permissions do not carry over, and you will have to explicitly grant the Security operations/Security data/Security data basics (Read) permission to the relevant portal users.
Required permissions for Defender for Identity in Microsoft Defender XDR
The following table details the specific permissions required for Defender for Identity activities in Microsoft Defender XDR.
Important
Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
Activity | Least required permissions |
---|---|
Onboard Defender for Identity (create workspace) | Security Administrator |
Configure Defender for Identity settings | One of the following Microsoft Entra roles: Security Administrator; Security Operator. Or the following Unified RBAC permissions: Authorization and settings/Security settings/Read; Authorization and settings/Security settings/All permissions; Authorization and settings/System settings/Read; Authorization and settings/System settings/All permissions |
View Defender for Identity settings | One of the following Microsoft Entra roles: Global Reader; Security Reader. Or the following Unified RBAC permissions: Authorization and settings/Security settings/Read; Authorization and settings/System settings/Read |
Manage Defender for Identity security alerts and activities | The Microsoft Entra Security Operator role. Or the following Unified RBAC permissions: Security operations/Security data/Alerts (Manage); Security operations/Security data/Security data basics (Read) |
View Defender for Identity security assessments (now part of Microsoft Secure Score) | Permissions to access Microsoft Secure Score, and the following Unified RBAC permission: Security operations/Security data/Security data basics (Read) |
View the Assets / Identities page | Permissions to access Defender for Cloud Apps, or one of the Microsoft Entra roles required by Microsoft Defender XDR |
Perform Defender for Identity response actions | A custom role defined with permissions for Response (manage), or the Microsoft Entra Security Operator role |
Defender for Identity security groups
Defender for Identity provides the following security groups to help manage access to Defender for Identity resources:
- Azure ATP (workspace name) Administrators
- Azure ATP (workspace name) Users
- Azure ATP (workspace name) Viewers
The following table lists the activities available for each security group:
Activity | Azure ATP (workspace name) Administrators | Azure ATP (workspace name) Users | Azure ATP (workspace name) Viewers |
---|---|---|---|
Change health issue status | Available | Not available | Not available |
Change security alert status (reopen, close, exclude, suppress) | Available | Available | Not available |
Delete workspace | Available | Not available | Not available |
Download a report | Available | Available | Available |
Sign in | Available | Available | Available |
Share/Export security alerts (via email, get link, download details) | Available | Available | Available |
Update Defender for Identity configuration (updates) | Available | Not available | Not available |
Update Defender for Identity configuration (entity tags, including both sensitive and honeytoken) | Available | Available | Not available |
Update Defender for Identity configuration (exclusions) | Available | Available | Not available |
Update Defender for Identity configuration (language) | Available | Available | Not available |
Update Defender for Identity configuration (notifications, including both email and syslog) | Available | Available | Not available |
Update Defender for Identity configuration (preview detections) | Available | Available | Not available |
Update Defender for Identity configuration (scheduled reports) | Available | Available | Not available |
Update Defender for Identity configuration (data sources, including directory services, SIEM, VPN, Defender for Endpoint) | Available | Not available | Not available |
Update Defender for Identity configuration (sensor management, including downloading software, regenerating keys, configuring, deleting) | Available | Not available | Not available |
View entity profiles and security alerts | Available | Available | Available |
Add and remove users
Defender for Identity uses Microsoft Entra security groups as a basis for role groups.
Manage your role groups from the Groups management page in the Azure portal. Only Microsoft Entra users can be added to or removed from these security groups.
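As an added example that is not part of the original page, the following script reviews membership of the three Defender for Identity security groups through the Microsoft Graph PowerShell SDK instead of the portal, so the least-privilege split described above can be checked periodically. It assumes the Microsoft.Graph module is installed, that the workspace is named "contoso", and that the groups are named in the "Azure ATP contoso Administrators" form shown in the table (all assumptions; substitute your own workspace name).

```powershell
# Added example (not from the Microsoft docs page): audit the three Defender for
# Identity role groups with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; workspace name is "contoso";
# groups are named "Azure ATP <workspace> <Role>".
Connect-MgGraph -Scopes "Group.Read.All", "User.Read.All" -NoWelcome

$workspace  = "contoso"                       # assumption: replace with your workspace name
$roleGroups = "Administrators", "Users", "Viewers"
$membership = @{}                             # userPrincipalName -> list of role groups held

foreach ($role in $roleGroups) {
    $name  = "Azure ATP $workspace $role"
    $group = Get-MgGroup -Filter "displayName eq '$name'"
    if (-not $group) {
        Write-Warning "Security group '$name' was not found in this tenant."
        continue
    }

    # Members are returned as directory objects; the concrete type is in @odata.type.
    foreach ($m in Get-MgGroupMember -GroupId $group.Id -All) {
        $type = $m.AdditionalProperties['@odata.type']
        $upn  = $m.AdditionalProperties['userPrincipalName']
        if ($type -ne '#microsoft.graph.user') {
            # Only Microsoft Entra users are expected in these groups; anything
            # else (nested group, service principal) deserves a look.
            Write-Warning "$name contains a non-user member ($type): $($m.Id)"
            continue
        }
        if (-not $membership.ContainsKey($upn)) { $membership[$upn] = @() }
        $membership[$upn] += $role
    }
}

# One line per user. Administrators already covers every activity available to
# Users and Viewers, so holding more than one role group is redundant and worth review.
$membership.GetEnumerator() | Sort-Object Name | ForEach-Object {
    [pscustomobject]@{
        User       = $_.Name
        RoleGroups = ($_.Value -join ", ")
        Note       = if ($_.Value.Count -gt 1) { "REVIEW: member of multiple role groups" } else { "" }
    }
} | Format-Table -AutoSize
```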