Edit

Share via


Manage portal access using role-based access control

Note

If you are running the Microsoft Defender XDR preview program you can now experience the new Microsoft Defender 365 Unified role-based access control (RBAC) model. For more information, see Microsoft Defender 365 Unified role-based access control (RBAC).

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

Using role-based access control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the portal. Based on the roles and groups you create, you have fine-grained control over what users with access to the portal can see and do.

Important

Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

Large geo-distributed security operations teams typically adopt a tier-based model to assign and authorize access to security portals. Typical tiers include the following three levels:

Tier Description
Tier 1 Local security operations team / IT team
This team usually triages and investigates alerts contained within their geolocation and escalates to Tier 2 in cases where an active remediation is required.
Tier 2 Regional security operations team
This team can see all the devices for their region and perform remediation actions.
Tier 3 Global security operations team
This team consists of security experts and are authorized to see and perform all actions from the portal.

Note

For Tier 0 assets, refer to Privileged Identity Management for security admins to provide more granular control of Microsoft Defender for Endpoint and Microsoft Defender XDR.

Defender for Endpoint RBAC is designed to support your tier- or role-based model of choice and gives you granular control over what roles can see, devices they can access, and actions they can take. The RBAC framework is centered around the following controls:

  • Control who can take specific action
    • Create custom roles and control what Defender for Endpoint capabilities they can access with granularity.
  • Control who can see information on specific device group or groups
    • Create device groups by specific criteria such as names, tags, domains, and others, then grant role access to them using a specific Microsoft Entra user group.

      Note

      Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

To implement role-based access, you'll need to define admin roles, assign corresponding permissions, and assign Microsoft Entra user groups assigned to the roles.

Before you begin

Before using RBAC, it's important that you understand the roles that can grant permissions and the consequences of turning on RBAC.

Warning

Before enabling the feature, it's important that you have an appropriate role, such as Security Administrator assigned in Microsoft Entra ID, and that you have your Microsoft Entra groups ready to reduce the risk of being locked out of the portal.

When you first sign in to the Microsoft Defender portal, you're granted either full access or read only access. Full access rights are granted to users with the Security Administrator role in Microsoft Entra ID. Read only access is granted to users with a Security Reader role in Microsoft Entra ID.

Someone with a Defender for Endpoint Global Administrator role has unrestricted access to all devices, regardless of their device group association and the Microsoft Entra user groups assignments.

Warning

Initially, only those with Microsoft Entra Global Administrator or Security Administrator rights can create and assign roles in the Microsoft Defender portal; therefore, having the right groups ready in Microsoft Entra ID is important.

Turning on role-based access control causes users with read-only permissions (for example, users assigned to Microsoft Entra Security reader role) to lose access until they are assigned to a role.

Users with administrator permissions are automatically assigned the default built-in Defender for Endpoint Global Administrator role with full permissions. After opting in to use RBAC, you can assign additional users who aren't Microsoft Entra Global Administrators or Security Administrators to the Defender for Endpoint Global Administrator role.

After opting in to use RBAC, you cannot revert to the initial roles as when you first logged into the portal.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.