Azure user roles and permissions for Defender for IoT
Microsoft Defender for IoT uses Azure role-based access control (Azure RBAC) to control access to OT and Enterprise IoT monitoring services and data in the Azure portal.
The built-in Azure Security Reader, Security Admin, Contributor, and Owner roles are the roles relevant to Defender for IoT. Security Reader is the only read-only role of the four; the other three all grant write access to Defender for IoT data.
This article is a reference of the Defender for IoT actions available to each role in the Azure portal. For more information, see Azure built-in roles.
Roles and permissions reference
Permissions are applied to user roles across an entire Azure subscription, or in some cases, across individual Defender for IoT sites. For more information, see Zero Trust and your OT networks and Manage site-based access control (Public preview).
Action | Scope | Security Reader | Security Admin | Contributor | Owner
---|---|---|---|---|---
Grant permissions to others | Subscription or site | - | - | - | ✔
Onboard OT or Enterprise IoT sensors * | Subscription only | - | ✔ | ✔ | ✔
Download OT sensor and on-premises management console software | Subscription only | ✔ | ✔ | ✔ | ✔
Download sensor endpoint details | Subscription only | ✔ | ✔ | ✔ | ✔
Download sensor activation files | Subscription only | - | ✔ | ✔ | ✔
View values on the Plans and pricing page * | Subscription only | ✔ | ✔ | ✔ | ✔
Modify values on the Plans and pricing page * | Subscription only | - | ✔ | ✔ | ✔
View values on the Sites and sensors page * | Subscription only | ✔ | ✔ | ✔ | ✔
Modify values on the Sites and sensors page *, including remote OT sensor updates | Subscription only | - | ✔ | ✔ | ✔
Recover on-premises management console passwords | Subscription only | - | ✔ | ✔ | ✔
Download OT threat intelligence packages | Subscription only | ✔ | ✔ | ✔ | ✔
Push OT threat intelligence updates | Subscription only | - | ✔ | ✔ | ✔
Onboard an Enterprise IoT plan from Microsoft 365 Defender * | Subscription only | - | ✔ | - | -
View Azure alerts | Subscription or site | ✔ | ✔ | ✔ | ✔
Modify Azure alerts (write access: change status, learn, download PCAP) | Subscription or site | - | ✔ | ✔ | ✔
View Azure device inventory | Subscription or site | ✔ | ✔ | ✔ | ✔
Manage Azure device inventory (write access) | Subscription or site | - | ✔ | ✔ | ✔
View Azure workbooks | Subscription or site | ✔ | ✔ | ✔ | ✔
Manage Azure workbooks (write access) | Subscription or site | - | ✔ | ✔ | ✔
View Defender for IoT settings | Subscription | ✔ | ✔ | ✔ | ✔
Configure Defender for IoT settings | Subscription | - | ✔ | ✔ | ✔
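The scope column above is where least privilege is decided: a role assigned at subscription scope applies to every site and sensor in the subscription, while alert, device inventory and workbook access can be confined to a single site. The following script is an added example, not code from the page or from Microsoft, showing how to make such an assignment with the Azure CLI while enforcing two checks a practitioner would want: the role must be one of the four roles this page lists, and a write-capable role requested at subscription scope triggers a warning. It assumes the Azure CLI (`az`) is installed and logged in, and the site resource path it builds is an assumption about how Defender for IoT site resources are addressed; confirm it against the site resource ID shown in the linked site-based access control article before using it for real. All IDs in the usage calls are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not part of the original page): assign a Defender for IoT-relevant
# built-in role at subscription scope or at a single site scope with the Azure CLI.
# Assumptions: 'az' is installed and logged in; the site resource path format in
# build_scope is assumed and must be verified against your portal site resource ID.
set -euo pipefail

# The four built-in roles the page lists as relevant, least privileged first.
RELEVANT_ROLES="Security Reader,Security Admin,Contributor,Owner"

# role_is_relevant ROLE -> exit 0 if ROLE is one of the four, 1 otherwise.
role_is_relevant() {
  case ",$RELEVANT_ROLES," in
    *",$1,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# role_grants_write ROLE -> exit 0 if the table gives ROLE write access to alerts,
# device inventory, workbooks and settings; 1 for the read-only Security Reader.
role_grants_write() {
  [ "$1" != "Security Reader" ]
}

# build_scope SUBSCRIPTION_ID [SITE_NAME LOCATION]
# Prints the ARM scope: the whole subscription, or one Defender for IoT site under it.
build_scope() {
  local sub="$1" site="${2:-}" location="${3:-}"
  if [ -z "$site" ]; then
    printf '/subscriptions/%s\n' "$sub"
  else
    # Assumed site resource path (not taken from the page); verify before use.
    printf '/subscriptions/%s/providers/Microsoft.IoTSecurity/locations/%s/sites/%s\n' \
      "$sub" "$location" "$site"
  fi
}

# assign_role PRINCIPAL_OBJECT_ID ROLE SUBSCRIPTION_ID [SITE_NAME LOCATION]
# Prints the az command it would run and executes it only when DRY_RUN=0.
# Refuses roles outside the page's table; warns when a write-capable role is
# granted across the whole subscription instead of a single site.
assign_role() {
  local principal="$1" role="$2" sub="$3" site="${4:-}" location="${5:-}"
  if ! role_is_relevant "$role"; then
    echo "refusing: '$role' is not one of: $RELEVANT_ROLES" >&2
    return 2
  fi
  local scope
  scope="$(build_scope "$sub" "$site" "$location")"
  if role_grants_write "$role" && [ -z "$site" ]; then
    echo "warning: '$role' grants write access across the whole subscription; prefer site scope where the table allows it" >&2
  fi
  echo "az role assignment create --assignee-object-id $principal --assignee-principal-type User --role \"$role\" --scope $scope"
  if [ "${DRY_RUN:-1}" = "0" ]; then
    az role assignment create --assignee-object-id "$principal" --assignee-principal-type User \
      --role "$role" --scope "$scope" --output table
  fi
}

# Usage with constructed IDs. DRY_RUN defaults to 1, so only the commands are printed.
# A SOC analyst who only triages alerts: Security Reader on the subscription.
assign_role 11111111-1111-1111-1111-111111111111 "Security Reader" \
  00000000-0000-0000-0000-000000000000
# A plant engineer who changes alert status and manages the inventory: Security Admin,
# but only on that plant's site rather than on every site in the subscription.
assign_role 22222222-2222-2222-2222-222222222222 "Security Admin" \
  00000000-0000-0000-0000-000000000000 plant-north eastus
```

Run with `DRY_RUN=0` to perform the assignment. Note that the table only lets you scope alerts, device inventory and workbooks to a site; actions marked "Subscription only" (sensor onboarding, activation files, threat intelligence pushes, settings) still require the role at subscription scope.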
Enterprise IoT security
Enterprise IoT plans with Defender for Endpoint are added, edited, or canceled from Microsoft 365 Defender, not from the Azure portal. Alerts, vulnerabilities, and recommendations for Enterprise IoT networks are likewise available only from Microsoft 365 Defender.
In addition to the permissions listed above, Enterprise IoT security with Defender for IoT has the following requirements:
- To add an Enterprise IoT plan, you'll need an E5 license and specific permissions in your Microsoft 365 Defender tenant.
- To view Enterprise IoT devices in your Azure device inventory, you'll need an Enterprise IoT network sensor registered.
For more information, see Securing IoT devices in the enterprise.
Next steps
For more information, see: