Permissions in Microsoft Defender XDR Unified role-based access control (RBAC)
In Microsoft Defender XDR Unified role-based access control (RBAC), you can select permissions from each permission group to customize a role.
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
- Microsoft Defender for Identity
- Microsoft Defender for Office 365 P2
- Microsoft Defender Vulnerability Management
- Microsoft Defender for Cloud
Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Microsoft Defender XDR Unified RBAC permission details
The following table lists the permissions available to configure for your users based on the tasks they need to do:
Unless otherwise stated, all permissions are applicable to all supported workloads and will be applied to the data scope selected during the data source and assignment stage.
Security operations – Security data
Permissions for managing day-to-day operations and responding to incidents and advisories.
| Permission | Level | Description |
|---|---|---|
| Security data basic | Read | View info about incidents, alerts, investigations, advanced hunting, devices, submissions, evaluation lab, and reports. |
| Alerts | Manage | Manage alerts, start automated investigations, run scans, collect investigation packages, and manage device tags. |
| Response | Manage | Take response actions on a device, approve or dismiss pending remediation actions, and manage blocked and allowed lists for automation. |
| Basic live response | Manage | Initiate a live response session, download files, and perform read-only actions on devices remotely. |
| Advanced live response | Manage | Create live response sessions and perform advanced actions, including uploading files and running scripts on devices remotely. |
| File collection | Manage | Collect or download relevant files for analysis, including executable files. |
| Email quarantine | Manage | View and release email from quarantine. |
| Email advanced actions | Manage | Move or delete email to the junk email folder, deleted items, or inbox, including soft and hard delete of email. |
Security operations – Raw data (Email & collaboration)
| Permission | Level | Description |
|---|---|---|
| Email message headers | Read | View email and collaboration data in hunting scenarios, including advanced hunting, threat explorer, campaigns, and email entity. |
| Email content | Read | View and download email content and attachments. |
Security posture – Posture management
Permissions for managing the organization's security posture and performing vulnerability management.
| Permission | Level | Description |
|---|---|---|
| Vulnerability management | Read | View Defender Vulnerability Management data for the following: software and software inventory, weaknesses, missing KBs, advanced hunting, security baselines assessment, and devices. |
| Exception handling | Manage | Create security recommendation exceptions and manage active exceptions in Defender Vulnerability Management. |
| Remediation handling | Manage | Create remediation tickets, submit new requests, and manage remediation activities in Defender Vulnerability Management. |
| Application handling | Manage | Manage vulnerable applications and software, including blocking and unblocking them in Defender Vulnerability Management. |
| Security baseline assessment | Manage | Create and manage profiles so you can assess if your devices comply with security industry baselines. |
| Secure Score | Read / Manage | Manage permissions to Secure Score data including which users have access to the data and the products for which they will see Secure Score data. |
Authorization and settings
Permissions to manage the security and system settings and to create and assign roles.
| Permission | Level | Description |
|---|---|---|
| Authorization | Read / Manage | View or manage device groups, and custom and built-in roles. |
| Core security settings | Read / Manage | View or manage core security settings for the Microsoft Defender portal. |
| Detection tuning | Manage | Manage tasks related to detections in the Microsoft Defender portal including Custom detections, Alerts Tuning and Threat Indicators of compromise. |
| System settings | Read / Manage | View or manage general systems settings for the Microsoft Defender portal. |