Microsoft Defender XDR Unified role-based access control (RBAC)
Applies to:
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
- Microsoft Defender for Identity
- Microsoft Defender for Office 365 P2
- Microsoft Defender Vulnerability Management
- Microsoft Defender for Cloud
- Microsoft Security Exposure Management
Microsoft Defender XDR provides integrated threat protection, detection, and response across endpoints, email, identities, applications, and data within a single portal. Controlling a user's permissions around their access to view data or complete tasks is essential for organizations to minimize the risks associated with unauthorized access.
The Microsoft Defender XDR Unified role-based access control (RBAC) model provides a single permissions management experience that provides one central location for administrators to control user permissions across different security solutions.
What's supported by the Microsoft Defender XDR Unified RBAC model
Centralized permissions management is supported for the following solutions:
Solution | Description |
---|---|
Microsoft Defender XDR | Centralized permissions management for Microsoft Defender XDR experiences. |
Microsoft Defender for Endpoint | Full support for all endpoint data and actions. All roles are compatible with the device group's scope as defined on the device groups page. |
Microsoft Defender Vulnerability Management | Centralized permissions management for all Defender Vulnerability Management capabilities. |
Microsoft Defender for Office 365 | Full support for all data and actions. Note:
|
Microsoft Defender for Identity | Full support for all identity data and actions. Note: Defender for Identity experiences also adhere to permissions granted from Microsoft Defender for Cloud Apps. For more information, see Microsoft Defender for Identity role groups. |
Microsoft Defender for Cloud | Support access management for all Defender for Cloud data that is available in Microsoft Defender portal. |
Microsoft Security Exposure Management | Full support for all Exposure Management data and actions, including Microsoft Secure Score data. |
Note
Scenarios and experiences controlled by Compliance permissions are still managed in the Microsoft Purview compliance portal.
This offering isn't currently available for Microsoft Defender for CloudApps.
Before you start
This section provides useful information on what you need to know before you start using Microsoft Defender XDR Unified RBAC.
Permissions prerequisites
You must be a Global Administrator or Security Administrator in Microsoft Entra ID to:
Gain initial access to Permissions and roles in the Microsoft Defender portal.
Manage roles and permissions in Microsoft Defender XDR Unified RBAC.
Create a custom role that can grant access to security groups or individual users to manage roles and permissions in Microsoft Defender XDR unified RBAC. This removes the need for Microsoft Entra global roles to manage permissions. To do this, you need to assign the Authorization permission in Microsoft Defender XDR Unified RBAC. For details on how to assign the Authorization permission, see Create a role to access and manage roles and permissions.
The Microsoft Defender XDR security solution continues to respect existing Microsoft Entra global roles when you activate the Microsoft Defender XDR Unified RBAC model for some or all of your workloads, that is, Global Administrators retain assigned administrator privileges.
Important
Global Administrator is a highly privileged role that should be limited to scenarios when you can't use an existing role.
Migration of existing roles and permissions
The new Microsoft Defender XDR Unified RBAC model provides easy migration of the existing permissions in the individual supported unified RBAC models to the new RBAC model.
All permissions listed within the Microsoft Defender XDR Unified RBAC model align to permissions in the individual RBAC models to ensure backward compatibility. For more information on how the permissions align, see Map permissions in Microsoft Defender XDR unified role-based access control (RBAC).
Activation of the Microsoft Defender XDR Unified RBAC model
You must activate the workloads in Microsoft Defender XDR to use the Microsoft Defender XDR Unified RBAC model. Until activated, Microsoft Defender XDR continues to respect the existing RBAC models. For more information, see Activate Microsoft Defender XDR Unified RBAC.
When you activate some or all of your workloads to use the new permission model, the roles and permissions for these workloads are fully controlled by the Microsoft Defender XDR Unified RBAC model in the Microsoft Defender portal.
Start using Microsoft Defender XDR Unified RBAC model
Use the following steps as a guide to start using the Microsoft Defender XDR Unified RBAC model:
Get started with creating custom roles and importing roles from existing RBAC role models
Activate and manage your roles with the Microsoft Defender XDR Unified RBAC model
Learn more about the Microsoft Defender XDR Unified RBAC model
Watch the following video to see the preceding steps in action:
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.