Permissions in Microsoft Defender XDR Unified role-based access control (RBAC)
In Microsoft Defender XDR Unified role-based access control (RBAC) you can select permissions from each permission group to customize a role.
Applies to:
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
- Microsoft Defender for Identity
- Microsoft Defender for Office 365 P2
- Microsoft Defender Vulnerability Management
- Microsoft Defender for Cloud
Microsoft Defender XDR Unified RBAC permission details
The following table lists the permissions available to configure for your users based on the tasks they need to do:
Note
Unless otherwise stated, all permissions are applicable to all supported workloads and will be applied to the data scope selected during the data source and assignment stage.
Security operations – Security data
Permissions for managing day-to-day operations and responding to incidents and advisories.
| Permission name | Level | Description |
|---|---|---|
| Security data basics | Read | View info about incidents, alerts, investigations, advanced hunting, devices, submissions, evaluation lab, and reports. |
| Alerts | Manage | Manage alerts, start automated investigations, run scans, collect investigation packages, and manage device tags. |
| Response | Manage | Take response actions, approve or dismiss pending remediation actions, and manage blocked and allowed lists for automation. |
| Basic live response | Manage | Initiate a live response session, download files, and perform read-only actions on devices remotely. |
| Advanced live response | Manage | Create live response sessions and perform advanced actions, including uploading files and running scripts on devices remotely. |
| File collection | Manage | Collect or download relevant files for analysis, including executable files. |
| Email & collaboration quarantine | Manage | View and release email from quarantine. |
| Email & collaboration advanced actions | Manage | Move or Delete email to the junk email folder, deleted items or inbox, including soft and hard delete of email. |
Security operations – Raw data (Email & collaboration)
| Permission name | Level | Description |
|---|---|---|
| Email & collaboration metadata | Read | View email and collaboration data in a hunting scenarios, including advanced hunting, threat explorer, campaigns, and email entity. |
| Email & collaboration content | Read | View and download email content and attachments. |
Security posture – Posture management
Permissions for managing the organization's security posture and performing vulnerability management.
| Permission name | Level | Description |
|---|---|---|
| Vulnerability management | Read | View Defender Vulnerability Management data for the following: software and software inventory, weaknesses, missing KBs, advanced hunting, security baselines assessment, and devices. |
| Exception handling | Manage | Create security recommendation exceptions and manage active exceptions in Defender Vulnerability Management. |
| Remediation handling | Manage | Create remediation tickets, submit new requests, and manage remediation activities in Defender Vulnerability Management. |
| Application handling | Manage | Manage vulnerable applications and software, including blocking and unblocking them in Defender Vulnerability Management. |
| Security baseline assessment | Manage | Create and manage profiles so you can assess if your devices comply to security industry baselines. |
| Secure Score | Read / Manage | Manage permissions to Secure Score data including which users have access to the data and the products for which they will see Secure Score data. |
Authorization and settings
Permissions to manages the security and system settings and to create and assign roles.
| Permission name | Level | Description |
|---|---|---|
| Authorization | Read / Manage | View or manage device groups, and custom and built-in roles. |
| Core security settings | Read / Manage | View or manage core security settings for the Microsoft Defender portal. |
| Detection tuning | Manage | Manage tasks related to detections in the Microsoft Defender portal including Custom detections, Alerts Tuning and Threat Indicators of compromise. |
| System settings | Read / Manage | View or manage general systems settings for the Microsoft Defender portal. |
Next steps
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for