User roles and permissions

Microsoft Defender for Cloud uses Azure role-based access control (Azure RBAC) to provide built-in roles. You can assign these roles to users, groups, and services in Azure to give users access to resources according to the access defined in the role.

Defender for Cloud assesses the configuration of your resources to identify security issues and vulnerabilities. In Defender for Cloud, you only see information related to a resource when you're assigned one of these roles for the subscription or for the resource group the resource is in: Owner, Contributor, or Reader.

In addition to the built-in roles, there are two roles specific to Defender for Cloud:

  • Security Reader: A user that belongs to this role has read-only access to Defender for Cloud. The user can view recommendations, alerts, a security policy, and security states, but can't make changes.
  • Security Admin: A user that belongs to this role has the same access as the Security Reader and can also update the security policy, and dismiss alerts and recommendations.

We recommend that you assign the least permissive role needed for users to complete their tasks. For example, assign the Reader role to users who only need to view information about the security health of a resource but not take action, such as applying recommendations or editing policies.

Roles and allowed actions

The following table displays roles and allowed actions in Defender for Cloud.

Action Security Reader /
Reader
Security Admin Contributor / Owner Contributor Owner
(Resource group level) (Subscription level) (Subscription level)
Add/assign initiatives (including) regulatory compliance standards) - - -
Edit security policy - - -
Enable / disable Microsoft Defender plans - -
Dismiss alerts - -
Apply security recommendations for a resource
(and use Fix)
- -
View alerts and recommendations
Exempt security recommendations - - -

The specific role required to deploy monitoring components depends on the extension you're deploying. Learn more about monitoring components.

Roles used to automatically provision agents and extensions

To allow the Security Admin role to automatically provision agents and extensions used in Defender for Cloud plans, Defender for Cloud uses policy remediation in a similar way to Azure Policy. To use remediation, Defender for Cloud needs to create service principals, also called managed identities that assign roles at the subscription level. For example, the service principals for the Defender for Containers plan are:

Service Principal Roles
Defender for Containers provisioning AKS Security Profile • Kubernetes Extension Contributor
• Contributor
• Azure Kubernetes Service Contributor
• Log Analytics Contributor
Defender for Containers provisioning Arc-enabled Kubernetes • Azure Kubernetes Service Contributor
• Kubernetes Extension Contributor
• Contributor
• Log Analytics Contributor
Defender for Containers provisioning Azure Policy for Kubernetes • Kubernetes Extension Contributor
• Contributor
• Azure Kubernetes Service Contributor
Defender for Containers provisioning Policy extension for Arc-enabled Kubernetes • Azure Kubernetes Service Contributor
• Kubernetes Extension Contributor
• Contributor

Next steps

This article explained how Defender for Cloud uses Azure RBAC to assign permissions to users and identified the allowed actions for each role. Now that you're familiar with the role assignments needed to monitor the security state of your subscription, edit security policies, and apply recommendations, learn how to: