Edit

Custom roles in role-based access control for Microsoft 365 Defender

  • Article

Note

If you are running the Microsoft 365 Defender preview program you can now experience the new Microsoft Defender 365 role-based access control (RBAC) model. For more information, see Microsoft Defender 365 role-based access control (RBAC).

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Applies to:

  • Microsoft 365 Defender

Note

Want to experience Microsoft 365 Defender? Learn more about how you can evaluate and pilot Microsoft 365 Defender.

There are two types of roles that can be used to access to Microsoft 365 Defender:

  • Global Azure Active Directory (AD) roles
  • Custom roles

Access to Microsoft 365 Defender can be managed collectively by using Global roles in Azure Active Directory (AAD)

If you need greater flexibility and control over access to specific product data, Microsoft 365 Defender access can also be managed with the creation of Custom roles through each respective security portal.

For example, a Custom role created through Microsoft Defender for Endpoint would allow access to the relevant product data, including Endpoint data within the Microsoft 365 Defender portal. Similarly, a Custom role created through Microsoft Defender for Office 365 would allow access to the relevant product data, including Email & collaboration data within the Microsoft 365 Defender portal.

Users with existing Custom roles may access data in the Microsoft 365 Defender portal according to their existing workload permissions with no additional configuration required.

Create and manage custom roles

Custom roles and permissions can be created and individually managed through each of the following security portals:

Each custom role created through an individual portal allows access to the data of the relevant product portal. For example, a custom role created through Microsoft Defender for Endpoint will only allow access to Defender for Endpoint data.

Tip

Permissions and roles can also be accessed through the Microsoft 365 Defender portal by selecting Permissions & roles from the navigation pane. Access to Microsoft Defender for Cloud Apps is managed through the Defender for Cloud Apps portal and controls access to Microsoft Defender for Identity as well. See Microsoft Defender for Cloud Apps

Note

Custom roles created in Microsoft Defender for Cloud Apps have access to Microsoft Defender for Identity data as well. Users with User group admin, or App/instance admin Microsoft Defender for Cloud Apps roles are not able to access Microsoft Defender for Cloud Apps data through the Microsoft 365 Defender portal.

Manage permissions and roles in the Microsoft 365 Defender portal

Permissions and roles can also be managed in the Microsoft 365 Defender portal:

  1. Sign in to the Microsoft 365 Defender portal at security.microsoft.com.
  2. In the navigation pane, select Permissions & roles.
  3. Under the Permissions header, select Roles.

Note

This only applies to Defender for Office 365 and Defender for Endpoint. Access for other workloads must be done in their relevant portals.

Required roles and permissions

The following table outlines the roles and permissions required to access each unified experience in each workload. Roles defined in the table below refer to custom roles in individual portals and are not connected to global roles in Azure AD, even if similarly named.

Note

Incident management requires management permissions for all products that are part of the incident.

Microsoft 365 Defender workload One of the following roles is required for Defender for Endpoint One of the following roles is required for Defender for Office 365 One of the following roles is required for Defender for Cloud Apps
Viewing investigation data:
  • Alert page
  • Alerts queue
  • Incidents
  • Incident queue
  • Action center
 View data- security operations
  • View-only Manage alerts
  • Organization configuration
  • Audit logs
  • View-only audit logs
  • Security reader
  • Security admin
  • View-only recipients
  • Global admin
  • Security admin
  • Compliance admin
  • Security operator
  • Security reader
  • Global reader
Viewing hunting data, saving, editing, and deleting hunting queries and functions View data- security operations
  • Security reader
  • Security admin
  • View-only recipients
  • Global admin
  • Security admin
  • Compliance admin
  • Security operator
  • Security reader
  • Global reader
Managing alerts and incidents Alerts investigation
  • Manage alerts
  • Security admin
  • Global admin
  • Security admin
  • Compliance admin
  • Security operator
  • Security reader
Action center remediation Active remediation actions – security operations Search and purge
Setting custom detections Manage security settings
  • Manage alerts
  • Security admin
  • Global admin
  • Security admin
  • Compliance admin
  • Security operator
  • Security reader
  • Global reader
Threat Analytics Alerts and incidents data:
  • View data- security operations
Defender Vulnerability Management mitigations:
  • View data - Threat and vulnerability management
 Alerts and incidents data:
  • View-only Manage alerts
  • Manage alerts
  • Organization configuration
  • Audit logs
  • View-only audit logs
  • Security reader
  • Security admin
  • View-only recipients
Prevented email attempts:
  • Security reader
  • Security admin
  • View-only recipients
 Not available for Defender for Cloud Apps or MDI users

For example, to view hunting data from Microsoft Defender for Endpoint, View data security operations permissions are required.

Similarly, to view hunting data from Microsoft Defender for Office 365, users would require one of the following roles:

  • View data security operations
  • Security reader
  • Security admin
  • View-only recipients

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft 365 Defender Tech Community.