Create and manage roles for role-based access control

Applies to:

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Create roles and assign the role to an Azure Active Directory group

The following steps guide you on how to create roles in Microsoft 365 Defender. It assumes that you have already created Azure Active Directory user groups.

  1. Log in to Microsoft 365 Defender using account with a Security administrator or Global administrator role assigned.

  2. In the navigation pane, select Settings > Endpoints > Roles (under Permissions).

  3. Select Add item.

  4. Enter the role name, description, and permissions you'd like to assign to the role.

  5. Select Next to assign the role to an Azure AD Security group.

  6. Use the filter to select the Azure AD group that you'd like to add to this role to.

  7. Save and close.

  8. Apply the configuration settings.

Important

After creating roles, you'll need to create a device group and provide access to the device group by assigning it to a role that you just created.

Note

Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

Permission options

  • View data

    • Security operations - View all security operations data in the portal
    • Threat and vulnerability management - View Defender Vulnerability Management data in the portal
  • Active remediation actions

    • Security operations - Take response actions, approve or dismiss pending remediation actions, manage allowed/blocked lists for automation and indicators
    • Threat and vulnerability management - Exception handling - Create new exceptions and manage active exceptions
    • Threat and vulnerability management - Remediation handling - Submit new remediation requests, create tickets, and manage existing remediation activities
    • Threat and vulnerability management - Application handling - Apply immediate mitigation actions by blocking vulnerable applications, as part of the remediation activity and manage the blocked apps and perform unblock actions
  • Security baselines

    • Threat and vulnerability management – Manage security baselines assessment profiles - Create and manage profiles so you can assess if your devices comply to security industry baselines.

      Note

      For the Defender Vulnerability Management public preview trial this permission is not required. Users with "Threat and vulnerability management - View data" permissions can manage security baselines. However, when the trial ends and a license is purchased, this permission is required.

  • Alerts investigation - Manage alerts, initiate automated investigations, run scans, collect investigation packages, manage device tags, and download only portable executable (PE) files

  • Manage portal system settings - Configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and device groups

    Note

    This setting is only available in the Microsoft Defender for Endpoint administrator (default) role.

  • Manage security settings in Security Center - Configure alert suppression settings, manage folder exclusions for automation, onboard and offboard devices, manage email notifications, and manage evaluation lab

  • Live response capabilities

    • Basic commands:
      • Start a live-response session
      • Perform read-only live-response commands on remote device (excluding file copy and execution)
      • Download a file from the remote device via live response
    • Advanced commands:
      • Download PE and non-PE files from the file page
      • Upload a file to the remote device
      • View a script from the files library
      • Execute a script on the remote device from the files library

For more information on the available commands, see Investigate devices using Live response.

Edit roles

  1. Log in to Microsoft 365 Defender using account with Security administrator or Global administrator role assigned.

  2. In the navigation pane, select Settings > Endpoints > Roles (under Permissions).

  3. Select the role you'd like to edit.

  4. Click Edit.

  5. Modify the details or the groups that are assigned to the role.

  6. Click Save and close.

Delete roles

  1. Log in to Microsoft 365 Defender using account with Security administrator or Global administrator role assigned.

  2. In the navigation pane, select Settings > Endpoints > Roles (under Permissions).

  3. Select the role you'd like to delete.

  4. Click the drop-down button and select Delete role.