Microsoft Defender for Identity role groups

Microsoft Defender for Identity offers role-based security to safeguard data according to your organization's specific security and compliance needs. We recommend that you use role groups to manage access to Defender for Identity, segregating responsibilities across your security team and granting only the amount of access that users need to do their jobs.

Unified role-based access control (RBAC)

Users that are already Global Administrators or Security Administrators on your tenant's Microsoft Entra ID are also automatically Defender for Identity administrator. Microsoft Entra Global and Security Administrators don't need extra permissions to access Defender for Identity.

For other users, enable and use Microsoft 365 role-based access control (RBAC) to create custom roles and to support more Entra ID roles such as Security operator or Security Reader by default to manage access to Defender for Identity.

When creating your custom roles, make sure that you apply the permissions listed in the following table:

Defender for Identity access level Minimum required Microsoft 365 unified RBAC permissions
Administrators - Authorization and settings/Security settings/Read
- Authorization and settings/Security settings/All permissions
- Authorization and settings/System settings/Read
- Authorization and settings/System settings/All permissions
- Security operations/Security data/Alerts (manage)
-Security operations/Security data /Security data basics (Read)
- Authorization and settings/Authorization/All permissions
- Authorization and settings/Authorization/Read
Users - Security operations/Security data /Security data basics (Read)
- Authorization and settings/System settings/Read
- Authorization and settings/Security settings/Read
- Security operations/Security data/Alerts (manage)
- microsoft.xdr/configuration/security/manage
Viewers - Security operations/Security data /Security data basics (Read)
- Authorization and settings / System settings (Read and manage)
- Authorization and settings / Security setting (All permissions)

For more information, see Custom roles in role-based access control for Microsoft Defender XDR and Create custom roles with Microsoft Defender XDR Unified RBAC.

Note

Information included from the Defender for Cloud Apps activity log may still contain Defender for Identity data. This content adheres to existing Defender for Cloud Apps permissions.

Exception: If you have configured Scoped deployment for Microsoft Defender for Identity alerts in the Microsoft Defender for Cloud Apps portal, these permissions do not carry over and you will have to explicitly grant the Security operations \ Security data \ Security data basics (read) permissions for the relevant portal users.

Required permissions Defender for Identity in Microsoft Defender XDR

The following table details the specific permissions required for Defender for Identity activities in Microsoft Defender XDR.

Important

Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

Activity Least required permissions
Onboard Defender for Identity (create workspace) Security Administrator
Configure Defender for Identity settings One of the following Microsoft Entra roles:
- Security Administrator
- Security Operator
Or
The following Unified RBAC permissions:
- Authorization and settings/Security settings/Read
- Authorization and settings/Security settings/All permissions
- Authorization and settings/System settings/Read
- Authorization and settings/System settings/All permissions
View Defender for Identity settings One of the following Microsoft Entra roles:
- Global Reader
- Security Reader
Or
The following Unified RBAC permissions:
- Authorization and settings/Security settings/Read
- Authorization and settings/System settings/Read
Manage Defender for Identity security alerts and activities One of the following Microsoft Entra roles:
- Security Operator
Or
The following Unified RBAC permissions:
- Security operations/Security data/Alerts (Manage)
- Security operations/Security data /Security data basics (Read)
View Defender for Identity security assessments
(now part of Microsoft Secure Score)
Permissions to access Microsoft Secure Score
And
The following Unified RBAC permissions: Security operations/Security data /Security data basics (Read)
View the Assets / Identities page Permissions to access Defender for Cloud Apps
Or
One of the Microsoft Entra roles required by Microsoft Defender XDR
Perform Defender for Identity response actions A custom role defined with permissions for Response (manage)
Or
One of the following Microsoft Entra roles:
- Security Operator

Defender for Identity security groups

Defender for Identity provides the following security groups to help manage access to Defender for Identity resources:

  • Azure ATP (workspace name) Administrators
  • Azure ATP (workspace name) Users
  • Azure ATP (workspace name) Viewers

The following table lists the activities available for each security group:

Activity Azure ATP (workspace name) Administrators Azure ATP (Workspace name) Users Azure ATP (Workspace name) Viewers
Change health issue status Available Not available Not available
Change security alert status (reopen, close, exclude, suppress) Available Available Not available
Delete workspace Available Not available Not available
Download a report Available Available Available
Sign in Available Available Available
Share/Export security alerts (via email, get link, download details) Available Available Available
Update Defender for Identity configuration (updates) Available Not available Not available
Update Defender for Identity configuration (entity tags, including both sensitive and honeytoken) Available Available Not available
Update Defender for Identity configuration (exclusions) Available Available Not available
Update Defender for Identity configuration (language) Available Available Not available
Update Defender for Identity configuration (notifications, including both email and syslog) Available Available Not available
Update Defender for Identity configuration (preview detections) Available Available Not available
Update Defender for Identity configuration (scheduled reports) Available Available Not available
Update Defender for Identity configuration (data sources, including directory services, SIEM, VPN, Defender for Endpoint) Available Not available Not available
Update Defender for Identity configuration (sensor management, including downloading software, regenerating keys, configuring, deleting) Available Not available Not available
View entity profiles and security alerts Available Available Available

Add and remove users

Defender for Identity uses Microsoft Entra security groups as a basis for role groups.

Manage your role groups from Groups management page on the Azure portal. Only Microsoft Entra users can be added or removed from security groups.

Next step