Roles and permissions in Microsoft Sentinel

This article explains how Microsoft Sentinel assigns permissions to user roles and identifies the allowed actions for each role. Microsoft Sentinel uses Azure role-based access control (Azure RBAC) to provide built-in roles that can be assigned to users, groups, and services in Azure.

Use Azure RBAC to create and assign roles within your security operations team to grant appropriate access to Microsoft Sentinel. The different roles give you fine-grained control over what Microsoft Sentinel users can see and do. Azure roles can be assigned in the Microsoft Sentinel workspace directly (see note below), or in a subscription or resource group that the workspace belongs to, which Microsoft Sentinel inherits.

Roles and permissions for working in Microsoft Sentinel

Microsoft Sentinel-specific roles

All Microsoft Sentinel built-in roles grant read access to the data in your Microsoft Sentinel workspace.

Note

  • For best results, assign these roles to the resource group that contains the Microsoft Sentinel workspace. This way, the roles apply to all the resources that support Microsoft Sentinel, as those resources should also be placed in the same resource group.

  • As another option, assign the roles directly to the Microsoft Sentinel workspace itself. If you do this, you must also assign the same roles to the SecurityInsights solution resource in that workspace. You may need to assign them to other resources as well, and you will need to constantly manage role assignments to resources.

Other roles and permissions

Users with particular job requirements may need to be assigned other roles or specific permissions in order to accomplish their tasks.

  • Working with playbooks to automate responses to threats

    Microsoft Sentinel uses playbooks for automated threat response. Playbooks are built on Azure Logic Apps, and are a separate Azure resource. For specific members of your security operations team, you might want to assign the ability to use Logic Apps for Security Orchestration, Automation, and Response (SOAR) operations. You can use the Logic App Contributor role to assign explicit permission for using playbooks.

  • Giving Microsoft Sentinel permissions to run playbooks

    Microsoft Sentinel uses a special service account to run incident-trigger playbooks manually or to call them from automation rules. The use of this account (as opposed to your user account) increases the security level of the service.

    For an automation rule to run a playbook, this account must be granted explicit permissions to the resource group where the playbook resides. At that point, any automation rule can run any playbook in that resource group. To grant these permissions to this service account, your account must have Owner permissions to the resource groups containing the playbooks.

  • Connecting data sources to Microsoft Sentinel

    For a user to add data connectors, you must assign the user write permissions on the Microsoft Sentinel workspace. Note the required extra permissions for each connector, as listed on the relevant connector page.

  • Guest users assigning incidents

    If a guest user needs to be able to assign incidents, you need to assign the Directory Reader to the user, in addition to the Microsoft Sentinel Responder role. Note that the Directory Reader role is not an Azure role but an Azure Active Directory role, and that regular (non-guest) users have this role assigned by default.

  • Creating and deleting workbooks

    To create and delete a Microsoft Sentinel workbook, the user needs either the Microsoft Sentinel Contributor role or a lesser Microsoft Sentinel role, together with the Workbook Contributor Azure Monitor role. This role isn't necessary for using workbooks, only for creating and deleting.

Azure and Log Analytics roles you might see assigned

When you assign Microsoft Sentinel-specific Azure roles, you may come across other Azure and Log Analytics roles that may have been assigned to users for other purposes. Note that these roles grant a wider set of permissions that include access to your Microsoft Sentinel workspace and other resources:

For example, a user assigned the Microsoft Sentinel Reader role, but not the Microsoft Sentinel Contributor role, can still edit items in Microsoft Sentinel, if that user is also assigned the Azure-level Contributor role. Therefore, if you want to grant permissions to a user only in Microsoft Sentinel, carefully remove this user’s prior permissions, making sure you do not break any needed access to another resource.

Microsoft Sentinel roles, permissions, and allowed actions

This table summarizes the Microsoft Sentinel roles and their allowed actions in Microsoft Sentinel.

Role Create and run playbooks Create and edit analytics rules, workbooks, and other Microsoft Sentinel resources Manage incidents (dismiss, assign, etc.) View data, incidents, workbooks, and other Microsoft Sentinel resources
Microsoft Sentinel Reader -- --* --
Microsoft Sentinel Responder -- --*
Microsoft Sentinel Contributor --
Microsoft Sentinel Contributor + Logic App Contributor

* Users with these roles can create and delete workbooks with the Workbook Contributor role. Learn about Other roles and permissions.

Review the role recommendations for which roles to assign to which users in your SOC.

Custom roles and advanced Azure RBAC

Role and permissions recommendations

After understanding how roles and permissions work in Microsoft Sentinel, you can review these best practices for applying roles to your users:

User type Role Resource group Description
Security analysts Microsoft Sentinel Responder Microsoft Sentinel's resource group View data, incidents, workbooks, and other Microsoft Sentinel resources.

Manage incidents, such as assigning or dismissing incidents.
Logic Apps Operator Microsoft Sentinel's resource group, or the resource group where your playbooks are stored Attach playbooks to analytics and automation rules.
Run playbooks.
Security engineers Microsoft Sentinel Contributor Microsoft Sentinel's resource group View data, incidents, workbooks, and other Microsoft Sentinel resources.

Manage incidents, such as assigning or dismissing incidents.

Create and edit workbooks, analytics rules, and other Microsoft Sentinel resources.
Logic Apps Contributor Microsoft Sentinel's resource group, or the resource group where your playbooks are stored Attach playbooks to analytics and automation rules.
Run and modify playbooks.
Service Principal Microsoft Sentinel Contributor Microsoft Sentinel's resource group Automated configuration for management tasks

Tip

More roles may be required depending on the data you ingest or monitor. For example, Azure AD roles may be required, such as the global admin or security admin roles, to set up data connectors for services in other Microsoft portals.

Next steps

In this article, you learned how to work with roles for Microsoft Sentinel users and what each role enables users to do.

Find blog posts about Azure security and compliance at the Microsoft Sentinel Blog.