Microsoft Defender for Identity role groups

Microsoft Defender for Identity offers role-based security to safeguard data according to an organization's specific security and compliance needs. Defender for Identity supports three separate roles: Administrators, Users, and Viewers.

Note

This article provides steps for how to delete personal data from the device or service and can be used to support your obligations under the GDPR. If you’re looking for general info about GDPR, see the GDPR section of the Service Trust portal.

Role groups enable access management for Defender for Identity. Using role groups, you can segregate duties within your security team, and grant only the amount of access that users need to do their jobs. This article explains access management, Defender for Identity role authorization, and helps you get up and running with role groups in Defender for Identity.

Note

Any member of the Global Administrator or Security Administrator role in the tenant's Azure Active Directory is automatically a Defender for Identity administrator, without being added to any Defender for Identity group.

Required permissions for the Microsoft 365 Defender experience

To access the Defender for Identity experience in Microsoft 365 Defender, you need the following permissions:

Action in Microsoft 365 Defender: Create MDI Workspace
Required permissions: Member of one of the following Azure AD roles:
  • Global Administrator
  • Security Administrator

Action in Microsoft 365 Defender: MDI Settings
Required permissions: Member of one of the following Azure AD roles:
  • Global Administrator
  • Security Administrator
Or member of one of the following Azure AD groups (after the MDI Workspace is created):
  • Azure ATP {instance name} Administrator
  • Azure ATP {instance name} Users

Action in Microsoft 365 Defender: MDI security alerts and activities
Required permissions: Member of one of the Azure AD roles as required by Microsoft 365 Defender
Or member of one of the following Microsoft Defender for Cloud Apps internal roles:
  • Global admin
  • Security reader
  • Compliance admin

Action in Microsoft 365 Defender: MDI security assessments (now part of Microsoft Secure Score)
Required permissions: Permissions to access Microsoft Secure Score
And member of one of the following Azure AD groups (after the MDI Workspace is created):
  • Azure ATP {instance name} Administrator
  • Azure ATP {instance name} Users
  • Azure ATP {instance name} Viewers

Note: Users who are members of the Azure AD Global Administrator or Security Administrator roles do not need the above group membership, because the required permissions are inherited from the Azure AD role.
Types of Defender for Identity security groups

Defender for Identity provides three types of security groups: Azure ATP (instance name) Administrators, Azure ATP (instance name) Users, and Azure ATP (instance name) Viewers. The following lists describe the type of access in Defender for Identity available for each role. Depending on which role you assign, various screens and options will be unavailable for those users. The roles are strictly nested: everything a Viewer can do, a User can do, and everything a User can do, an Administrator can do.

Available to Administrators, Users, and Viewers:
  • Login
  • View entity profiles and security alerts
  • Download a report
  • Share/Export security alerts (via email, get link, download details)

Available to Administrators and Users, not available to Viewers:
  • Change status of Security Alerts (reopen, close, exclude, suppress)
  • Update Defender for Identity Configuration - Entity tags (sensitive and honeytoken)
  • Update Defender for Identity Configuration - Exclusions
  • Update Defender for Identity Configuration - Language
  • Update Defender for Identity Configuration - Notifications (email and syslog)
  • Update Defender for Identity Configuration - Preview detections
  • Update Defender for Identity Configuration - Scheduled reports

Available to Administrators only, not available to Users or Viewers:
  • Change status of Health Alerts
  • Delete instance
  • Update Defender for Identity Configuration - Updates
  • Update Defender for Identity Configuration - Data sources (directory services, SIEM, VPN, Defender for Endpoint)
  • Update Defender for Identity Configuration - Sensors (download, regenerate key, configure, delete)

Add and remove users

Defender for Identity uses Azure AD security groups as the basis for its role groups. The role groups can be managed from the Groups management page. Only Azure AD users can be added to or removed from the security groups.
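Because the role groups are ordinary Azure AD security groups, and because Global Administrators and Security Administrators hold Defender for Identity administrator rights without appearing in any of those groups (see the permissions table and the note above), a membership review has to cover both. The following script is an added example written for this page, not code from the Defender for Identity documentation or product. It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account can consent to the read-only scopes listed, and that the group names follow the "Azure ATP <instance name> <role>" pattern the article describes; the analyst UPN in the commented section is a placeholder.

```powershell
# Added example, not part of the Defender for Identity documentation.
# Lists who effectively holds each Defender for Identity role in a tenant:
# members of the three "Azure ATP <instance name> ..." security groups, plus
# members of the Global Administrator and Security Administrator Azure AD
# roles, who are Defender for Identity administrators without any group membership.
# Assumes the Microsoft.Graph PowerShell SDK is installed (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes 'Group.Read.All', 'Directory.Read.All'

# Render a directory object as something a reviewer can act on: the UPN for
# users, otherwise the display name and object type (nested group, service principal).
function Get-MemberLabel {
    param($Member)
    $p = $Member.AdditionalProperties
    if ($p['userPrincipalName']) { return $p['userPrincipalName'] }
    return "$($p['displayName']) [$($p['@odata.type'])]"
}

# 1. Explicit role assignments: the Administrators, Users and Viewers groups.
#    The filter assumes the groups keep their default "Azure ATP ..." prefix.
$roleGroups = Get-MgGroup -Filter "startswith(displayName,'Azure ATP ')" -All
foreach ($group in $roleGroups) {
    Write-Output "== $($group.DisplayName) =="
    Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object { Get-MemberLabel $_ }
}

# 2. Implicit administrators inherited from Azure AD roles. The directoryRoles
#    collection only contains roles that have been activated in the tenant and
#    does not support server-side filtering, so match the names client-side.
$adminRoles = 'Global Administrator', 'Security Administrator'
foreach ($role in Get-MgDirectoryRole -All | Where-Object { $adminRoles -contains $_.DisplayName }) {
    Write-Output "== $($role.DisplayName) (Azure AD role; inherits Defender for Identity administrator) =="
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object { Get-MemberLabel $_ }
}

# 3. Least-privilege onboarding: a new analyst goes into the Viewers group, which
#    can read alerts and entity profiles but cannot change alert status or
#    configuration. Requires the GroupMember.ReadWrite.All scope; the UPN is a placeholder.
# $viewers = $roleGroups | Where-Object DisplayName -like 'Azure ATP * Viewers'
# $user    = Get-MgUser -UserId 'analyst@contoso.com'
# New-MgGroupMember -GroupId $viewers.Id -DirectoryObjectId $user.Id
# Remove-MgGroupMemberByRef -GroupId $viewers.Id -DirectoryObjectId $user.Id   # revoke access
```

Run the read-only part on a schedule and diff the output: a new name under either Azure AD role section is a new Defender for Identity administrator even though no role group changed, and a nested group or service principal inside a role group is worth questioning, since the page states that only Azure AD users are meant to be added to these groups.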
