This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 98%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
Up until last week we were able to check out the Security Administrator role in order to take action on a reported email in the defender action center. Now it is greyed out after we check out the role and we are unable to approve or reject actions. For example there is an action to soft delete the emails. Normally i'd go in and approve them with the Security administrator role, but now it is greyed out. We have cleared sessions and restarted browsers etc. We can confirm we have the role, just the permissions are not working the same.
I have the same problem. This MS article states that an Entra ID Security Admin role should be enough: https://learn.microsoft.com/en-us/defender-xdr/m365d-action-center. But for a week or two that is not the case. Does this mean that I need to assign my group a role for "Search and Purge" in Defender? I am using PIM to activate admin roles and this would complicate things.
We got it working by configuring a new role in XDR RBAC
https://learn.microsoft.com/en-us/defender-xdr/create-custom-rbac-roles
then activating the unified RBAC
https://learn.microsoft.com/en-us/defender-xdr/activate-defender-rbac
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 63%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGQ%3C/text%3E%3C/svg%3E)
we got the same issue, and what permissions you grant for the new role?
"all read and manage permissions" if i recall
So I have also configured an Entra ID group with "active" permissions of a Entra ID Security admin and Defender role of Security Management. Users can enable access to this group using Privileged Identity Management. This works but we need to wait 5-10 minutes after enabling access to the group for the Defender role to be activated.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 60%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
Hi Piotr, may I know how can you perform this on Entra ID?
Assuming that you have the necessary licensing and have experience with Privileged Identity Management on Azure:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 43%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKP%3C/text%3E%3C/svg%3E)
Piotr - thank you for this information. I'm trying to understand your comment so we can build out a similar workflow to ensure our admins activate their role using PIM without having permissions active 24/7. Could you please clarify point 2 and 3 as I'm not understanding the active role to exchange comment and how PIM will enable the additional permissions in Defender?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 14.000000000000002%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDB%3C/text%3E%3C/svg%3E)
I'm not happy with how Microsoft handled this specific rights assignment and how the explanation found in the link below is written, but this is how we fixed it:
Explanation: https://learn.microsoft.com/en-us/defender-xdr/m365d-action-center
In the Entra ID portal:
In the Security Cental portal:
Remarq: According to this information: https://learn.microsoft.com/en-us/defender-office-365/mdo-portal-permissions
If you activate Defender XDR RBAC for Email & collaboration, the permissions page at https://security.microsoft.com/emailandcollabpermissions is no longer available in the Defender portal, so you need to ensure that you configure or import your roles before you activate Defender XDR Unified RBAC.
(or just disable RBAC by turning of the workflows (slider button to 'off')