Microsoft Defender XDR Unified role-based access control (RBAC)

Applies to:

Microsoft Defender XDR provides integrated threat protection, detection, and response across endpoints, email, identities, applications, and data within a single portal. Controlling a user's permissions around their access to view data or complete tasks is essential for organizations to minimize the risks associated with unauthorized access.

The Microsoft Defender XDR Unified role-based access control (RBAC) model provides a single permissions management experience that provides one central location for administrators to control user permissions across different security solutions.

What's supported by the Microsoft Defender XDR Unified RBAC model

Centralized permissions management is supported for the following solutions:

Solution Description
Microsoft Defender XDR Centralized permissions management for Microsoft Defender XDR experiences.
Microsoft Defender for Endpoint Full support for all endpoint data and actions. All roles are compatible with the device group's scope as defined on the device groups page.
Microsoft Defender Vulnerability Management Centralized permissions management for all Defender Vulnerability Management capabilities.
Microsoft Defender for Office 365 Full support for all data and actions.

Note:
  • Initially, the Microsoft Defender XDR RBAC model is available only for organizations with Microsoft Defender for Office 365 Plan 2 licenses (trial licenses aren't supported).
  • Granular delegated admin privileges (GDAP) aren't supported.
  • Exchange Online PowerShell and Security & Compliance PowerShell continue to use Exchange Online roles and Email & Collaboration roles. Microsoft Defender XDR Unified RBAC doesn't affect Exchange Online PowerShell or Security & Compliance PowerShell.
  • Azure B2B invited guests aren't supported by all experiences that were previously under Exchange Online RBAC.
Microsoft Defender for Identity Full support for all identity data and actions.

Note: Defender for Identity experiences also adhere to permissions granted from Microsoft Defender for Cloud Apps. For more information, see Microsoft Defender for Identity role groups.
Microsoft Defender for Cloud Support access management for all Defender for Cloud data that is available in Microsoft Defender portal.
Microsoft Security Exposure Management Full support for all Exposure Management data and actions, including Microsoft Secure Score data.

Note

Scenarios and experiences controlled by Compliance permissions are still managed in the Microsoft Purview compliance portal.

This offering isn't currently available for Microsoft Defender for CloudApps.

Before you start

This section provides useful information on what you need to know before you start using Microsoft Defender XDR Unified RBAC.

Permissions prerequisites

  • You must be a Global Administrator or Security Administrator in Microsoft Entra ID to:

    • Gain initial access to Permissions and roles in the Microsoft Defender portal.

    • Manage roles and permissions in Microsoft Defender XDR Unified RBAC.

    • Create a custom role that can grant access to security groups or individual users to manage roles and permissions in Microsoft Defender XDR unified RBAC. This removes the need for Microsoft Entra global roles to manage permissions. To do this, you need to assign the Authorization permission in Microsoft Defender XDR Unified RBAC. For details on how to assign the Authorization permission, see Create a role to access and manage roles and permissions.

  • The Microsoft Defender XDR security solution continues to respect existing Microsoft Entra global roles when you activate the Microsoft Defender XDR Unified RBAC model for some or all of your workloads, that is, Global Administrators retain assigned administrator privileges.

Important

Global Administrator is a highly privileged role that should be limited to scenarios when you can't use an existing role.

Migration of existing roles and permissions

The new Microsoft Defender XDR Unified RBAC model provides easy migration of the existing permissions in the individual supported unified RBAC models to the new RBAC model.

All permissions listed within the Microsoft Defender XDR Unified RBAC model align to permissions in the individual RBAC models to ensure backward compatibility. For more information on how the permissions align, see Map permissions in Microsoft Defender XDR unified role-based access control (RBAC).

Activation of the Microsoft Defender XDR Unified RBAC model

You must activate the workloads in Microsoft Defender XDR to use the Microsoft Defender XDR Unified RBAC model. Until activated, Microsoft Defender XDR continues to respect the existing RBAC models. For more information, see Activate Microsoft Defender XDR Unified RBAC.

When you activate some or all of your workloads to use the new permission model, the roles and permissions for these workloads are fully controlled by the Microsoft Defender XDR Unified RBAC model in the Microsoft Defender portal.

Start using Microsoft Defender XDR Unified RBAC model

Use the following steps as a guide to start using the Microsoft Defender XDR Unified RBAC model:

  1. Get started with creating custom roles and importing roles from existing RBAC role models

  2. Activate and manage your roles with the Microsoft Defender XDR Unified RBAC model

  3. Learn more about the Microsoft Defender XDR Unified RBAC model

Watch the following video to see the preceding steps in action:

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.