Microsoft Defender for Identity role groups

Microsoft Defender for Identity offers role-based security to safeguard data according to an organization's specific security and compliance needs. Defender for Identity supports three separate roles: Administrators, Users, and Viewers.

Note

This article provides steps for how to delete personal data from the device or service and can be used to support your obligations under the GDPR. If you're looking for general info about GDPR, see the GDPR section of the Service Trust portal.

Role groups enable access management for Defender for Identity. Using role groups, you can segregate duties within your security team, and grant only the amount of access that users need to do their jobs. This article explains access management, Defender for Identity role authorization, and helps you get up and running with role groups in Defender for Identity.

Note

Any global administrator or security administrator on the tenant's Azure Active Directory is automatically a Defender for Identity administrator.

Unified role-based access control (RBAC)

You can now enable more granular role-based access control from the Microsoft 365 portal instead of using Defender for Identity's Azure AD groups. For more information, see Custom roles in role-based access control for Microsoft 365 Defender.

Note

Once enabled, you can migrate existing Defender for Identity roles to the new format. However, if you change roles or add new ones, their permissions must match the role table below in order to access the classic Defender for Identity experience.

Select permissions from each permission group. The list below gives, for each equivalent Defender for Identity role, the minimum required Microsoft 365 unified RBAC permissions.

MDI Admin
  • Authorization and settings/Security settings/Read
  • Authorization and settings/Security settings/All permissions
  • Authorization and settings/System settings/Read
  • Authorization and settings/System settings/All permissions
  • Security operations/Security data/Alerts (manage)
  • Security operations/Security data/Security data basics (Read)
  • Authorization and settings/Authorization/All permissions
  • Authorization and settings/Authorization/Read

MDI User
  • Security operations/Security data/Security data basics (Read)
  • Authorization and settings/System settings/Read
  • Authorization and settings/Security settings/Read
  • Security operations/Security data/Alerts (manage)
  • microsoft.xdr/configuration/security/manage

MDI Viewer
  • Security operations/Security data/Security data basics (Read)
  • Authorization and settings/System settings/Read
  • Authorization and settings/Security settings/Read

Note

Information included from the Defender for Cloud Apps activity log may still contain Defender for Identity data, and that data is governed by the existing Defender for Cloud Apps permissions rather than by the roles above.

Required permissions for the Microsoft 365 Defender experience

To access the Defender for Identity experience in Microsoft 365 Defender, you need the following permissions for each action:

Create MDI Workspace
  Member of one of the following Azure AD roles:
  • Global Administrator
  • Security Administrator

MDI Settings
  Member of one of the following Azure AD roles:
  • Global Administrator
  • Security Administrator
  Or unified RBAC permissions:
  • Authorization and settings/Security settings/Read
  • Authorization and settings/Security settings/All permissions
  • Authorization and settings/System settings/Read
  • Authorization and settings/System settings/All permissions

MDI security alerts and activities
  Member of one of the Azure AD roles as required by Microsoft 365 Defender
  Or unified RBAC permissions:
  • Security operations/Security data/Alerts (Manage)
  • Security operations/Security data/Security data basics (Read)

MDI security assessments (now part of Microsoft Secure Score)
  Permissions to access Microsoft Secure Score
  And unified RBAC permissions:
  • Security operations/Security data/Security data basics (Read)

Assets / Identities page
  Permissions to access Defender for Cloud Apps
  Or member of one of the Azure AD roles as required by Microsoft 365 Defender

Types of Defender for Identity security groups

Defender for Identity provides three types of security groups: Azure ATP (Workspace name) Administrators, Azure ATP (Workspace name) Users, and Azure ATP (Workspace name) Viewers. The following table describes the type of access in Defender for Identity available for each role. Depending on which role you assign, various screens and options will be unavailable for those users, as follows:

| Activity | Azure ATP (Workspace name) Administrators | Azure ATP (Workspace name) Users | Azure ATP (Workspace name) Viewers |
|---|---|---|---|
| Change status of Health Alerts | Available | Not available | Not available |
| Change status of Security Alerts (reopen, close, exclude, suppress) | Available | Available | Not available |
| Delete Workspace | Available | Not available | Not available |
| Download a report | Available | Available | Available |
| Login | Available | Available | Available |
| Share/Export security alerts (via email, get link, download details) | Available | Available | Available |
| Update Defender for Identity Configuration - Updates | Available | Not available | Not available |
| Update Defender for Identity Configuration - Entity tags (sensitive and honeytoken) | Available | Available | Not available |
| Update Defender for Identity Configuration - Exclusions | Available | Available | Not available |
| Update Defender for Identity Configuration - Language | Available | Available | Not available |
| Update Defender for Identity Configuration - Notifications (email and syslog) | Available | Available | Not available |
| Update Defender for Identity Configuration - Preview detections | Available | Available | Not available |
| Update Defender for Identity Configuration - Scheduled reports | Available | Available | Not available |
| Update Defender for Identity Configuration - Data sources (directory services, SIEM, VPN, Defender for Endpoint) | Available | Not available | Not available |
| Update Defender for Identity Configuration - Sensors (download, regenerate key, configure, delete) | Available | Not available | Not available |
| View entity profiles and security alerts | Available | Available | Available |

Add and remove users

Defender for Identity uses Azure AD security groups as the basis for its role groups. The role groups can be managed from the Groups management page in Azure AD. Only Azure AD users can be added to or removed from these security groups.
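Because the role groups are ordinary Azure AD security groups, membership can be reviewed and changed with the same tooling used for any other group. The script below is an added example, not code from the Microsoft article: it uses the Microsoft Graph PowerShell SDK to list who currently holds each of the three roles (the periodic least-privilege check a practitioner wants, with particular attention to the Administrators group, which can delete the workspace and change sensors and data sources), then grants the Users role to an analyst and removes a departing administrator. It assumes the Microsoft.Graph module is installed, that the caller holds a role allowed to read and write Azure AD groups, and that the group display names follow the "Azure ATP (Workspace name) Administrators/Users/Viewers" pattern in the table above with your own workspace name substituted. The workspace name and the two user principal names are constructed placeholders.

```powershell
# Added example (not from the Microsoft article): review and change membership of the
# three Defender for Identity role groups with the Microsoft Graph PowerShell SDK.
# Assumes: Microsoft.Graph module installed; caller may read/write Azure AD groups;
# group display names follow "Azure ATP <workspace> <Role>" with your workspace name.

$WorkspaceName = "CONTOSO-WORKSPACE"   # placeholder: substitute your Defender for Identity workspace name

Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

# The three role groups, from most to least privileged.
$roleGroupNames = @(
    "Azure ATP $WorkspaceName Administrators",
    "Azure ATP $WorkspaceName Users",
    "Azure ATP $WorkspaceName Viewers"
)

function Get-MdiRoleGroup {
    # Resolve one role group by its exact display name; fail loudly if it is missing,
    # so a typo in the workspace name never silently targets the wrong group.
    param([Parameter(Mandatory)][string]$DisplayName)
    $group = Get-MgGroup -Filter "displayName eq '$DisplayName'"
    if (-not $group) { throw "Role group '$DisplayName' not found in this tenant." }
    return $group
}

# 1. Least-privilege review: list the current holders of each role.
foreach ($name in $roleGroupNames) {
    $group = Get-MdiRoleGroup -DisplayName $name
    Write-Host "`n== $name =="
    Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object {
        # Members come back as generic directory objects; user fields live in AdditionalProperties.
        $_.AdditionalProperties['userPrincipalName']
    }
}

# 2. Grant the least role that fits the job: an alert analyst needs Users, not Administrators.
$analystUpn = "analyst@contoso.example"        # constructed sample value
$analyst    = Get-MgUser -UserId $analystUpn
$usersGroup = Get-MdiRoleGroup -DisplayName "Azure ATP $WorkspaceName Users"
New-MgGroupMember -GroupId $usersGroup.Id -DirectoryObjectId $analyst.Id

# 3. Offboarding: remove a departing administrator from the Administrators group.
$leaverUpn  = "former-admin@contoso.example"   # constructed sample value
$leaver     = Get-MgUser -UserId $leaverUpn
$adminGroup = Get-MdiRoleGroup -DisplayName "Azure ATP $WorkspaceName Administrators"
Remove-MgGroupMemberByRef -GroupId $adminGroup.Id -DirectoryObjectId $leaver.Id
```

Only Azure AD users can be members, so the script resolves each principal with Get-MgUser before touching a group; a service principal or nested group would be rejected by the role model described above.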

See also