Map Microsoft 365 Defender role-based access control (RBAC) permissions

All permissions listed within the Microsoft 365 Defender RBAC model align to existing permissions in the individual RBAC models. Once you activate the Microsoft 365 Defender RBAC model, the permissions and assignments configured in your imported roles will replace the existing roles in the individual RBAC models.

This article describes how existing roles and permissions in Microsoft Defender for Endpoint, Microsoft Defender for Office 365 (Exchange Online Protection), Microsoft Defender for Identity, and Azure Active Directory roles map to the roles and permissions in the Microsoft 365 Defender RBAC model.

Applies to:

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Map Microsoft 365 Defender RBAC permissions to existing RBAC permissions

Use the tables in the following sections to learn more about how your existing individual RBAC role definitions map to your new Microsoft 365 Defender RBAC roles:

  1. Map Defender for Endpoint permissions
  2. Map Defender for Office 365 (Exchange Online Protection) roles
  3. Map Microsoft Defender for Identity permissions
  4. Azure Active Directory Global roles access

Map Defender for Endpoint permissions to the Microsoft 365 Defender RBAC permissions

Defender for Endpoint permission  ->  Microsoft 365 Defender RBAC permission

View data - Security operations:
  Security operations \ Security data \ Security data basics (read)
View data - Threat and vulnerability management:
  Security posture \ Posture management \ Vulnerability management (read)
Alerts investigation:
  Security operations \ Security data \ Alerts (manage)
Active remediation actions - Security operations:
  Security operations \ Security data \ Response (manage)
Active remediation actions - Threat and vulnerability management - Exception handling:
  Security posture \ Posture management \ Exception handling (manage)
Active remediation actions - Threat and vulnerability management - Remediation handling:
  Security posture \ Posture management \ Remediation handling (manage)
Active remediation actions - Threat and vulnerability management - Application handling:
  Security posture \ Posture management \ Application handling (manage)
Vulnerability management - Manage security baselines assessment profiles:
  Security posture \ Posture management \ Security baselines assessment (manage)
Live response capabilities:
  Security operations \ Basic live response (manage)
Live response capabilities - advanced:
  Security operations \ Advanced live response (manage)
Manage security settings in the Security Center:
  Configuration \ Security setting (All permissions)
Manage portal system settings:
  Configuration \ System setting (All permissions)
Manage endpoint security settings in Microsoft Endpoint Manager:
  Not supported - this permission is managed in the Microsoft Endpoint Management portal

Map Defender for Office 365 (Exchange Online Protection) roles to the Microsoft 365 Defender RBAC permissions

Defender for Office (EOP) role group  ->  Microsoft 365 Defender RBAC permission

Security reader:
  Security operations \ Security data \ Security data basics (read)
  Security operations \ Raw data (Email & collaboration) \ Email message headers (read)
  Security operations \ Security data \ Response (manage)
  Configuration \ Security setting (read)
  Configuration \ System setting (read)
Global reader:
  Security operations \ Security data \ Security data basics (read)
  Security operations \ Raw data (Email & collaboration) \ Email message headers (read)
  Security operations \ Security data \ Response (manage)
  Configuration \ Security setting (read)
  Configuration \ System setting (read)
Security administrator:
  Security operations \ Security data \ Security data basics (read)
  Security operations \ Security data \ Alerts (manage)
  Security operations \ Raw data (Email & collaboration) \ Email message headers (read)
  Security operations \ Security data \ Response (manage)
  Security operations \ Security data \ Email quarantine (manage)
  Configuration \ Authorization (read)
  Configuration \ Security setting (All permissions)
  Configuration \ System setting (All permissions)
Organization Management:
  Security operations \ Security data \ Security data basics (read)
  Security operations \ Security data \ Alerts (manage)
  Security operations \ Raw data (Email & collaboration) \ Email message headers (read)
  Security operations \ Security data \ Response (manage)
  Security operations \ Security data \ Email advanced actions (manage)
  Security operations \ Security data \ Email quarantine (manage)
  Configuration \ Authorization (All permissions)
  Configuration \ Security setting (All permissions)
  Configuration \ System setting (All permissions)
View-Only Recipients:
  Security operations \ Security data \ Security data basics (read)
  Security operations \ Raw data (Email & collaboration) \ Email message headers (read)
Preview:
  Security operations \ Raw data (Email & collaboration) \ Email content (read)
Search and Purge:
  Security operations \ Security data \ Email advanced actions (manage)
View-Only Manage Alerts:
  Security operations \ Security data \ Security data basics (read)
Manage Alerts:
  Security operations \ Security data \ Security data basics (read)
  Security operations \ Security data \ Alerts (manage)
View-only Audit Logs:
  Security operations \ Security data \ Security data basics (read)
Audit Logs:
  Security operations \ Security data \ Security data basics (read)
Quarantine:
  Security operations \ Security data \ Email quarantine (manage)
Role Management:
  Configuration \ Authorization (All permissions)

Map Microsoft Defender for Identity permissions to the Microsoft 365 Defender RBAC permissions

Defender for Identity permission  ->  Unified RBAC permission

MDI admin:
  Security operations \ Security data \ Security data basics (read)
  Security operations \ Security data \ Alerts (manage)
  Configuration \ Authorization (All permissions)
  Configuration \ Security setting (All permissions)
  Configuration \ System setting (All permissions)
MDI user:
  Security operations \ Security data \ Security data basics (read)
  Security operations \ Security data \ Alerts (manage)
  Configuration \ Security setting (All permissions)
  Configuration \ System setting (read)
MDI viewer:
  Security operations \ Security data \ Security data basics (read)
  Configuration \ Security setting (read)
  Configuration \ System setting (read)

Note

Defender for Identity experiences will also adhere to permissions granted from Microsoft Defender for Cloud Apps. For more information, see Microsoft Defender for Identity role groups.

Azure Active Directory Global roles access

Users assigned with Azure Active Directory global roles may also have access to the Microsoft 365 Defender portal.

Use this table to learn about the permissions assigned by default for each workload (Defender for Endpoint, Defender for Office and Defender for Identity) in Microsoft 365 Defender RBAC to each global Azure Active Directory role.

AAD role  ->  Microsoft 365 Defender RBAC assigned permissions for all workloads  ->  Microsoft 365 Defender RBAC assigned permissions - workload specific

Global administrator:
  All workloads:
    Security operations \ Security data \ Security data basics (read)
    Security operations \ Security data \ Alerts (manage)
    Security operations \ Security data \ Response (manage)
    Configuration \ Authorization (All permissions)
    Configuration \ Security settings (All permissions)
    Configuration \ System settings (All permissions)
  Defender for Endpoint only permissions:
    Security operations \ Basic live response (manage)
    Security operations \ Advanced live response (manage)
    Security posture \ Posture management \ Vulnerability management (read)
    Security posture \ Posture management \ Exception handling (manage)
    Security posture \ Posture management \ Remediation handling (manage)
    Security posture \ Posture management \ Application handling (manage)
    Security posture \ Posture management \ Security baseline assessment (manage)
  Defender for Office only permissions:
    Security operations \ Security data \ Email quarantine (manage)
    Security operations \ Security data \ Email advanced actions (manage)
    Security operations \ Raw data (Email & collaboration) \ Email message headers (read)
Security administrator:
  All workloads: same as Global administrator
  Workload specific: same as Global administrator
Global reader:
  All workloads:
    Security operations \ Security data \ Security data basics (read)
  Defender for Endpoint only permissions:
    Security posture \ Posture management \ Vulnerability management (read)
  Defender for Office only permissions:
    Security operations \ Security data \ Response (manage)
    Security operations \ Raw data (Email & collaboration) \ Email message headers (read)
    Configuration \ Authorization (read)
  Defender for Office and Defender for Identity only permissions:
    Configuration \ Security settings (read)
    Configuration \ System settings (read)
Security reader:
  All workloads:
    Security operations \ Security data \ Security data basics (read)
  Defender for Endpoint only permissions:
    Security posture \ Posture management \ Vulnerability management (read)
  Defender for Office only permissions:
    Security operations \ Security data \ Response (manage)
    Security operations \ Raw data (Email & collaboration) \ Email message headers (read)
  Defender for Office and Defender for Identity only permissions:
    Configuration \ Security settings (read)
    Configuration \ System settings (read)
Security operator:
  All workloads:
    Security operations \ Security data \ Security data basics (read)
    Security operations \ Security data \ Alerts (manage)
    Security operations \ Security data \ Response (manage)
    Configuration \ Security settings (All permissions)
  Defender for Endpoint only permissions:
    Security operations \ Security data \ Basic live response (manage)
    Security operations \ Security data \ Advanced live response (manage)
    Security posture \ Posture management \ Vulnerability management (read)
    Security posture \ Posture management \ Exception handling (manage)
    Security posture \ Posture management \ Remediation handling (manage)
  Defender for Office only permissions:
    Security operations \ Raw data (Email & collaboration) \ Email message headers (read)
    Configuration \ System settings (All permissions)
  Defender for Identity only permissions:
    Configuration \ System settings (read)
Compliance administrator:
  All workloads: not applicable
  Defender for Office only permissions:
    Security operations \ Security data \ Security data basics (read)
    Security operations \ Security data \ Alerts (manage)
Compliance data administrator:
  All workloads: not applicable
  Workload specific: same as Compliance administrator
Billing admin:
  All workloads: not applicable
  Workload specific: not applicable

Note

By activating the Microsoft 365 Defender RBAC model, users with Security reader and Global reader roles will have access to Defender for Endpoint data.
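Because activation replaces per-workload roles with the union of everything an imported role maps to, it is worth computing that union per user before switching the model on. The following script is an added example, not Microsoft's code or tooling: it encodes a subset of the mapping tables above as data (the model names "Endpoint", "Office", "Identity" and "AzureAD" are this example's own labels, and the sample user is constructed), resolves a user's current assignments to unified permissions with the source of each grant, and isolates the write-level grants so a reviewer can see which imported role is responsible for a "(manage)" or "(All permissions)" right and trim it before activation. It also reports entries the article marks as not carrying over.

```python
"""Pre-activation audit for the Microsoft 365 Defender RBAC migration.

Hypothetical helper, not Microsoft's code. MAPPING encodes a subset of the
article's mapping tables; for a user's current assignments in the individual
RBAC models it returns the unified permissions the user would hold after
activation, with the source of each grant, so reviewers can spot write-level
rights that arrive through a role nobody remembered and trim the imported
roles before switching the model on.
"""
from collections import defaultdict

# Unified permission strings as written in the article. The article spells
# the Configuration entries both "Security setting" and "Security settings";
# one spelling is used here so identical permissions merge.
BASICS = "Security operations \\ Security data \\ Security data basics (read)"
ALERTS = "Security operations \\ Security data \\ Alerts (manage)"
RESPONSE = "Security operations \\ Security data \\ Response (manage)"
HEADERS = "Security operations \\ Raw data (Email & collaboration) \\ Email message headers (read)"
EMAIL_ADV = "Security operations \\ Security data \\ Email advanced actions (manage)"
VULN_READ = "Security posture \\ Posture management \\ Vulnerability management (read)"
LIVE_BASIC = "Security operations \\ Basic live response (manage)"
AUTHZ_ALL = "Configuration \\ Authorization (All permissions)"
SEC_SET_READ = "Configuration \\ Security setting (read)"
SYS_SET_READ = "Configuration \\ System setting (read)"

# (existing model, existing role or permission) -> unified permissions.
# None marks an entry the article says does not carry over. Subset only;
# the model labels are this example's own, not product identifiers.
MAPPING = {
    ("Endpoint", "View data - Security operations"): [BASICS],
    ("Endpoint", "View data - Threat and vulnerability management"): [VULN_READ],
    ("Endpoint", "Alerts investigation"): [ALERTS],
    ("Endpoint", "Active remediation actions - Security operations"): [RESPONSE],
    ("Endpoint", "Live response capabilities"): [LIVE_BASIC],
    ("Endpoint", "Manage endpoint security settings in Microsoft Endpoint Manager"): None,
    ("Office", "Security reader"): [BASICS, HEADERS, RESPONSE, SEC_SET_READ, SYS_SET_READ],
    ("Office", "Search and Purge"): [EMAIL_ADV],
    ("Office", "Role Management"): [AUTHZ_ALL],
    ("Identity", "MDI viewer"): [BASICS, SEC_SET_READ, SYS_SET_READ],
    # Azure AD Security reader: the "all workloads" grant plus the workload
    # specific grants (Endpoint, Office, Office and Identity) folded together.
    ("AzureAD", "Security reader"): [BASICS, VULN_READ, RESPONSE, HEADERS, SEC_SET_READ, SYS_SET_READ],
}


def unified_permissions(assignments):
    """Map a user's current assignments to unified permissions.

    assignments: iterable of (model, role) pairs as keyed in MAPPING.
    Returns (granted, unsupported): granted maps each unified permission to
    the sorted list of "model: role" sources that grant it; unsupported lists
    sources whose rights the article says do not carry over. An unknown pair
    raises KeyError rather than being treated silently as 'no permissions'.
    """
    granted = defaultdict(set)
    unsupported = []
    for model, role in assignments:
        perms = MAPPING[(model, role)]
        source = f"{model}: {role}"
        if perms is None:
            unsupported.append(source)
            continue
        for perm in perms:
            granted[perm].add(source)
    return {perm: sorted(src) for perm, src in granted.items()}, unsupported


def privileged_grants(granted):
    """Keep only write-level permissions: '(manage)' or '(All permissions)'."""
    return {perm: src for perm, src in granted.items() if not perm.endswith("(read)")}


if __name__ == "__main__":
    # Constructed sample user: an Azure AD Security reader who also sits in the
    # EOP "Search and Purge" role group and holds an Endpoint permission that
    # does not migrate.
    user = [
        ("AzureAD", "Security reader"),
        ("Office", "Search and Purge"),
        ("Endpoint", "Manage endpoint security settings in Microsoft Endpoint Manager"),
    ]
    granted, unsupported = unified_permissions(user)
    for perm, sources in sorted(privileged_grants(granted).items()):
        print(f"WRITE  {perm}  <- {', '.join(sources)}")
    for source in unsupported:
        print(f"LOST   {source}")
```

For the constructed user the report shows two write-level grants, Response (manage) arriving through the Azure AD Security reader role and Email advanced actions (manage) through the Search and Purge role group, plus one Endpoint right that the article says is not supported in the new model. Feeding the script real assignments means exporting them from each workload first; the script deliberately fails on any (model, role) pair it does not know rather than reporting it as harmless.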

Next steps