Microsoft Defender for Identity role groups
Microsoft Defender for Identity offers role-based security to safeguard data according to an organization's specific security and compliance needs. Defender for Identity supports three separate roles: Administrators, Users, and Viewers.
Note
This article provides steps for how to delete personal data from the device or service and can be used to support your obligations under the GDPR. If you’re looking for general info about GDPR, see the GDPR section of the Service Trust portal.
Role groups enable access management for Defender for Identity. Using role groups, you can segregate duties within your security team, and grant only the amount of access that users need to do their jobs. This article explains access management, Defender for Identity role authorization, and helps you get up and running with role groups in Defender for Identity.
Note
Any global administrator or security administrator on the tenant's Azure Active Directory is automatically a Defender for Identity administrator.
Unified role-based access control (RBAC)
You can now enable more granular role-based access control from the Microsoft 365 portal instead of using Defender for Identity's Azure AD groups. For more information, see Custom roles in role-based access control for Microsoft 365 Defender.
Note
Once enabled, you can migrate existing Defender for Identity roles to the new format. However, if you change or add new roles, they must match these permissions to the role table to access the classic Defender for Identity experience.
| Equivalent Defender for Identity role | Minimum required Microsoft 365 unified RBAC permissions |
|---|---|
| MDI Admin | Authorization and settings/Security settings/Read; Authorization and settings/Security settings/All permissions; Authorization and settings/System settings/Read; Authorization and settings/System settings/All permissions; Security operations/Security data/Alerts (manage); Security operations/Security data/Security data basics (Read); Authorization and settings/Authorization/All permissions; Authorization and settings/Authorization/Read |
| MDI User | Security operations/Security data/Security data basics (Read); Authorization and settings/System settings/Read; Authorization and settings/Security settings/Read; Security operations/Security data/Alerts (manage); microsoft.xdr/configuration/security/manage |
| MDI Viewer | Security operations/Security data/Security data basics (Read); Authorization and settings/System settings/Read; Authorization and settings/Security settings/Read |
Note
Information included from the Defender for Cloud Apps activity log may still contain Defender for Identity data which adheres to existing Defender for Cloud Apps permissions.
Required permissions for the Microsoft 365 Defender experience
To access the Defender for Identity experience in Microsoft 365 Defender, you need the following permissions:
| Actions in Microsoft 365 Defender | Required permissions |
|---|---|
| Create MDI Workspace | Member of one of the following Azure AD roles: |
| MDI Settings | Member of one of the following Azure AD roles: Or Unified RBAC permissions: |
| MDI security alerts and activities | Member of one of the Azure AD roles as required by Microsoft 365 Defender Or Unified RBAC permissions: |
| MDI security assessments (now part of Microsoft Secure Score) | Permissions to access Microsoft Secure Score And Unified RBAC permissions: |
| Assets / Identities page | Permissions to access Defender for Cloud Apps or Member of one of the Azure AD roles as required by Microsoft 365 Defender |
Types of Defender for Identity security groups
Defender for Identity provides three types of security groups: Azure ATP (Workspace name) Administrators, Azure ATP (Workspace name) Users, and Azure ATP (Workspace name) Viewers. The following table describes the type of access in Defender for Identity available for each role. Depending on which role you assign, various screens and options will be unavailable for those users, as follows:
| Activity | Azure ATP (Workspace name) Administrators | Azure ATP (Workspace name) Users | Azure ATP (Workspace name) Viewers |
|---|---|---|---|
| Change status of Health Alerts | Available | Not available | Not available |
| Change status of Security Alerts (reopen, close, exclude, suppress) | Available | Available | Not available |
| Delete Workspace | Available | Not available | Not available |
| Download a report | Available | Available | Available |
| Login | Available | Available | Available |
| Share/Export security alerts (via email, get link, download details) | Available | Available | Available |
| Update Defender for Identity Configuration - Updates | Available | Not available | Not available |
| Update Defender for Identity Configuration - Entity tags (sensitive and honeytoken) | Available | Available | Not available |
| Update Defender for Identity Configuration - Exclusions | Available | Available | Not available |
| Update Defender for Identity Configuration - Language | Available | Available | Not available |
| Update Defender for Identity Configuration - Notifications (email and syslog) | Available | Available | Not available |
| Update Defender for Identity Configuration - Preview detections | Available | Available | Not available |
| Update Defender for Identity Configuration - Scheduled reports | Available | Available | Not available |
| Update Defender for Identity Configuration - Data sources (directory services, SIEM, VPN, Defender for Endpoint) | Available | Not available | Not available |
| Update Defender for Identity Configuration - Sensors (download, regenerate key, configure, delete) | Available | Not available | Not available |
| View entity profiles and security alerts | Available | Available | Available |
Add and remove users
Defender for Identity uses Azure AD security groups as a basis for role groups. The role groups can be managed from the Groups management page. Only Azure AD users can be added or removed from security groups.
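Because the Administrators group can delete the workspace and change sensors and data sources, membership of the three role groups is worth auditing periodically. The following script is an added example, not from this article or from Microsoft: it uses the Microsoft Graph PowerShell SDK to list the members of each "Azure ATP (Workspace name) <Role>" group and flags members that are not Azure AD users, which the groups do not support. "Contoso" is a placeholder workspace name.

```powershell
# Added example (not from the Microsoft docs page): audit the classic Defender for
# Identity role groups with the Microsoft Graph PowerShell SDK (Microsoft.Graph module).
# Assumes the caller holds Group.Read.All and User.Read.All. "Contoso" is a placeholder
# for your workspace name; group names follow the "Azure ATP (Workspace name) <Role>" pattern.
param(
    [string]$WorkspaceName = "Contoso"   # placeholder workspace name
)

Connect-MgGraph -Scopes "Group.Read.All", "User.Read.All" | Out-Null

foreach ($role in "Administrators", "Users", "Viewers") {
    $displayName = "Azure ATP ($WorkspaceName) $role"
    $group = Get-MgGroup -Filter "displayName eq '$displayName'"
    if (-not $group) {
        Write-Warning "Group not found: $displayName"
        continue
    }

    $members = @(Get-MgGroupMember -GroupId $group.Id -All)
    Write-Host "`n$displayName ($($members.Count) members)"

    foreach ($m in $members) {
        $type = $m.AdditionalProperties['@odata.type']
        $upn  = $m.AdditionalProperties['userPrincipalName']
        if ($type -ne '#microsoft.graph.user') {
            # Only Azure AD users can be members of these groups; a nested group or
            # service principal here should be reviewed and removed.
            Write-Warning "  Non-user member in $role group: $($m.Id) ($type)"
        } else {
            Write-Host "  $upn"
        }
    }

    # Administrators can delete the workspace and reconfigure sensors and data
    # sources, so flag a large admin group for least-privilege review.
    # The threshold of 5 is an arbitrary choice for this example.
    if ($role -eq "Administrators" -and $members.Count -gt 5) {
        Write-Warning "  $($members.Count) administrators; review against least privilege"
    }
}
```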