Activate Microsoft 365 Defender role-based access control (RBAC)
Applies to:
- Microsoft Defender for Endpoint Plan 2
- Microsoft 365 Defender
- Microsoft Defender for Identity
- Microsoft Defender for Office 365 P2
Important
Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
For the Microsoft 365 Defender security portal to start enforcing the permissions and assignments configured in your new custom roles or imported roles, you must activate the Microsoft 365 Defender RBAC model for some or all of your workloads.
Activate Microsoft 365 Defender RBAC
The following steps show how to activate the Microsoft 365 Defender RBAC model. You can activate your workloads from the Permissions and roles page or in Microsoft 365 Defender settings.
Important
You must be a Global Administrator or Security Administrator in Azure Active Directory to perform this task. For more information on permissions, see Permission pre-requisites.
Activate from the Permissions and roles page
Sign in to the Microsoft 365 Defender portal. In the navigation pane, select Permissions and select Roles under Microsoft 365 Defender to get to the Permissions and roles page.
You can activate your workloads in two ways from the Permissions and roles page:
Activate workloads
- Select Activate workloads on the banner above the list of roles.
- This will bring you directly to the Activate workloads screen.
- You must activate each workload one by one. Once you select the individual toggle, you'll activate (or deactivate) that workload.
Note
The Activate workloads button is only available when there are existing roles in the roles list.
Workload settings
- Select Workload settings.
- This brings you to the Microsoft 365 Defender Permissions and roles page.
- Select the toggle for the workload you want to activate.
- Select Activate on the confirmation message.
You have now successfully activated (or deactivated) that workload.
Activate in Microsoft 365 Defender settings
Follow these steps to activate your workloads directly in Microsoft 365 Defender settings:
- Sign in to the Microsoft 365 Defender portal.
- In the navigation pane, select Settings.
- Select Microsoft 365 Defender.
- Select Permissions and roles. This brings you to the Activate workloads page.
- Select the toggle for the workload you want to activate.
- Select Activate on the confirmation message.
You have now successfully activated (or deactivated) that workload.
Note
The Microsoft 365 Defender RBAC model only impacts the Microsoft 365 Defender security portal. It does not impact the Microsoft Purview Compliance center or the Exchange Admin Center.
Deactivate Microsoft 365 Defender RBAC
You can deactivate Microsoft 365 Defender RBAC and revert to the individual RBAC models from Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Defender for Office 365 (Exchange Online Protection).
To deactivate workloads, repeat the steps above and select the workloads you want to deactivate. The status will be set to Not Active.
If you deactivate a workload, the roles created and edited within Microsoft 365 Defender RBAC won't be effective and you'll return to using the previous permissions model. This removes any access held by users who were assigned these roles.