Assign security roles and permissions in Microsoft Defender for Business

This article describes how to assign security roles and permissions in Defender for Business.

Visual depicting step 3 - assign security roles and permissions in Defender for Business.

Your organization's security team needs certain permissions to perform tasks, such as

  • Configuring Defender for Business
  • Onboarding (or removing) devices
  • Viewing reports about devices and threat detections
  • Viewing incidents and alerts
  • Taking response actions on detected threats

Permissions are granted through certain roles in the Microsoft Entra ID. These roles can be assigned in the Microsoft 365 admin center or in the Microsoft Entra admin center.

What to do

  1. Learn about roles in Defender for Business.
  2. View or edit role assignments for your security team.
  3. Proceed to your next steps.

Roles in Defender for Business

The following table describes the three roles that can be assigned in Defender for Business. Learn more about admin roles.

Permission level Description
Global administrators (also referred to as global admins)

As a best practice, limit the number of global admins. See Security guidelines for assigning roles.
Global admins can perform all kinds of tasks. The person who signed up your company for Microsoft 365 or for Defender for Business is a global administrator by default. Global admins typically complete the setup and configuration process in Defender for Business, including onboarding devices.

Global admins are able to modify settings across all Microsoft 365 portals, such as:
- The Microsoft 365 admin center (
- Microsoft Defender portal (
Security administrators (also referred to as security admins) Security admins can perform the following tasks:
- View and manage security policies
- View, respond to, and manage alerts
- Take response actions on devices with detected threats
- View security information and reports

In general, security admins use the Microsoft Defender portal ( to perform security tasks.
Security reader Security readers can perform the following tasks:
- View a list of onboarded devices
- View security policies
- View alerts and detected threats
- View security information and reports

Security readers can't add or edit security policies, nor can they onboard devices.

View and edit role assignments


Microsoft recommends that you grant people access to only what they need to perform their tasks. We call this concept least privilege for permissions. To learn more, see Best practices for least-privileged access for applications.

You can use the Microsoft 365 admin center or the Microsoft Entra admin center to view and edit role assignments.

  1. Go to the Microsoft 365 admin center ( and sign in.

  2. In the navigation pane, go to Users > Active users.

  3. Select a user account to open their flyout pane.

  4. On the Account tab, under Roles, select Manage roles.

  5. To add or remove a role, use one of the following procedures:

    Task Procedure
    Add a role to a user account 1. Select Admin center access, scroll down, and then expand Show all by category.

    2. Select one of the following roles:

    - Global Administrator (listed under Global)
    - Security Administrator (listed under Security & Compliance)
    - Security Reader (listed under Read-only)

    3. Select Save changes.
    Remove a role from a user account 1. Either select User (no admin center access) to remove all admin roles, or clear the checkbox next to one or more of the assigned roles.

    2. Select Save changes.

Next steps