Custom roles in role-based access control for Microsoft Defender XDR
Note
Microsoft Defender XDR users can now take advantage of a centralized permissions management solution to control user access and permissions across different Microsoft security solutions. Learn more about the Microsoft Defender XDR Unified role-based access control (RBAC).
Important
Some information in this article relates to a prerelease product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
Applies to:
- Microsoft Defender XDR
There are two types of roles that can be used to access Microsoft Defender XDR:
- Global Microsoft Entra roles
- Custom roles
Access to Microsoft Defender XDR can be managed collectively by using Global roles in Microsoft Entra ID.
If you need greater flexibility and control over access to specific product data, Microsoft Defender XDR access can also be managed by creating Custom roles in each product's security portal.
For example, a Custom role created through Microsoft Defender for Endpoint would allow access to the relevant product data, including Endpoint data within the Microsoft Defender portal. Similarly, a Custom role created through Microsoft Defender for Office 365 would allow access to the relevant product data, including Email & collaboration data within the Microsoft Defender portal.
Users with existing Custom roles can access data in the Microsoft Defender portal according to their existing workload permissions with no additional configuration required.
Create and manage custom roles
Custom roles and permissions can be created and individually managed through each of the following security portals:
- Microsoft Defender for Endpoint – Edit roles in Microsoft Defender for Endpoint
- Microsoft Defender for Office 365 – Permissions in the Security & Compliance Center
- Microsoft Defender for Cloud Apps – Manage admin access
Each custom role created through an individual portal allows access to the data of the relevant product portal. For example, a custom role created through Microsoft Defender for Endpoint will only allow access to Defender for Endpoint data.
Tip
Permissions and roles can also be accessed through the Microsoft Defender portal by selecting Permissions & roles from the navigation pane. Access to Microsoft Defender for Cloud Apps is managed through the Defender for Cloud Apps portal, and the same roles control access to Microsoft Defender for Identity as well. See Microsoft Defender for Cloud Apps.
Note
Custom roles created in Microsoft Defender for Cloud Apps have access to Microsoft Defender for Identity data as well. Users who hold only the User group admin or App/instance admin Defender for Cloud Apps roles can't access Defender for Cloud Apps data through the Microsoft Defender portal.
Manage permissions and roles in the Microsoft Defender portal
Permissions and roles can also be managed in the Microsoft Defender portal:
- Sign in to the Microsoft Defender portal at security.microsoft.com.
- In the navigation pane, select Permissions & roles.
- Under the Permissions header, select Roles.
Note
This only applies to Defender for Office 365 and Defender for Endpoint. Access for other workloads must be managed in their respective portals.
Required roles and permissions
The following table outlines the roles and permissions required to access each unified experience in each workload. Roles defined in the table refer to custom roles in individual portals and aren't connected to global roles in Microsoft Entra ID, even if similarly named.
Note
Incident management requires management permissions for all products that are part of the incident.
Important
Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
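The recommendation above is only useful if you can verify it. The following PowerShell script is an added example, not part of the Microsoft Learn article or any Microsoft tooling: it uses the Microsoft Graph PowerShell SDK to list every active member of the Global Administrator directory role so the assignments can be reviewed against the fewest-permissions guidance. It assumes the SDK is installed (`Install-Module Microsoft.Graph`), that the signed-in account can consent to the `RoleManagement.Read.Directory` and `Directory.Read.All` scopes, and that the role is reported under its default display name; the `Get-PrivilegedRoleMembers` function name is this example's own.

```powershell
# Added example (not from the article): enumerate active holders of a
# privileged Microsoft Entra directory role, defaulting to Global Administrator.
# Assumptions: Microsoft Graph PowerShell SDK installed; the caller can consent
# to RoleManagement.Read.Directory and Directory.Read.All; default role names.

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

function Get-PrivilegedRoleMembers {
    param(
        [string[]]$RoleNames = @('Global Administrator')
    )
    foreach ($name in $RoleNames) {
        # Get-MgDirectoryRole only returns roles that have been activated in the
        # tenant. A role that has never been assigned is absent, which is fine:
        # absent means no active members.
        $role = Get-MgDirectoryRole -Filter "displayName eq '$name'"
        if (-not $role) {
            Write-Warning "Role '$name' is not activated in this tenant (no active members)."
            continue
        }
        # Members come back as generic directory objects; the useful fields live
        # in AdditionalProperties. Groups and service principals show up here too,
        # and both deserve scrutiny when the role is Global Administrator.
        Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object {
            [pscustomobject]@{
                Role        = $name
                ObjectType  = $_.AdditionalProperties['@odata.type']
                DisplayName = $_.AdditionalProperties['displayName']
                Upn         = $_.AdditionalProperties['userPrincipalName']
                Id          = $_.Id
            }
        }
    }
}

$members = Get-PrivilegedRoleMembers
$members | Format-Table Role, ObjectType, DisplayName, Upn -AutoSize
# Anything beyond a small set of break-glass accounts, or any group or service
# principal in the list, is a candidate for moving to a less privileged role.
```

This lists only active assignments (permanent ones and PIM-eligible ones that are currently activated); eligible-but-not-activated assignments aren't directory role members and won't appear, so a tenant that uses PIM needs a separate review of eligibility schedules.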
| Microsoft Defender XDR workload | One of the following roles is required for Defender for Endpoint | One of the following roles is required for Defender for Office 365 | One of the following roles is required for Defender for Cloud Apps and Defender for Identity | One of the following roles is required for Microsoft Defender for Cloud |
|---|---|---|---|---|
| Viewing investigation data: | View data - security operations | | | |
| Viewing hunting data, saving, editing, and deleting hunting queries and functions | View data - security operations | View data - security operations, Security reader, Security admin, View-only recipients | | |
| Managing alerts and incidents | Alerts investigation | | | |
| Action center remediation | Active remediation actions – security operations | Search and purge | | |
| Setting custom detections | Manage security settings | | | |
| Threat Analytics | Alerts and incidents data: | Alerts and incidents data: | | |
For example, to view hunting data from Microsoft Defender for Endpoint, the View data - security operations permission is required.
Similarly, to view hunting data from Microsoft Defender for Office 365, users need one of the following roles:
- View data security operations
- Security reader
- Security admin
- View-only recipients
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.