Azure user roles and permissions for Defender for IoT
Microsoft Defender for IoT uses Azure Role-Based Access Control (RBAC) to provide access to Defender for IoT monitoring services and data on the Azure portal.
The built-in Azure Security Reader, Security Admin, Contributor, and Owner roles are relevant for use in Defender for IoT.
This article provides a reference of Defender for IoT actions available for each role in the Azure portal. For more information, see Azure built-in roles.
Roles and permissions reference
Permissions are applied to user roles across an entire Azure subscription, or in some cases, across individual Defender for IoT sites. For more information, see Zero Trust and your OT networks and Manage site-based access control (Public preview).
| Action | Scope | Security Reader | Security Admin | Contributor | Owner |
|---|---|---|---|---|---|
| Grant permissions to others | Per subscription or site | - | - | - | ✔ |
| Onboard OT or Enterprise IoT sensors | Per subscription only | - | ✔ | ✔ | ✔ |
| Download OT sensor and on-premises management console software | Per subscription only | ✔ | ✔ | ✔ | ✔ |
| Download sensor endpoint details | Per subscription only | ✔ | ✔ | ✔ | ✔ |
| Download sensor activation files | Per subscription only | - | ✔ | ✔ | ✔ |
| View values on the Plans and pricing page | Per subscription only | ✔ | ✔ | ✔ | ✔ |
| Modify values on the Plans and pricing page | Per subscription only | - | ✔ | ✔ | ✔ |
| View values on the Sites and sensors page | Per subscription only | ✔ | ✔ | ✔ | ✔ |
| Modify values on the Sites and sensors page, including remote OT sensor updates | Per subscription only | - | ✔ | ✔ | ✔ |
| Recover on-premises management console passwords | Per subscription only | - | ✔ | ✔ | ✔ |
| Download OT threat intelligence packages | Per subscription only | ✔ | ✔ | ✔ | ✔ |
| Push OT threat intelligence updates | Per subscription only | - | ✔ | ✔ | ✔ |
| View Azure alerts | Per subscription or site | ✔ | ✔ | ✔ | ✔ |
| Modify Azure alerts (write access: change status, learn, download PCAP, suppression rules) | Per subscription or site | - | ✔ | ✔ | ✔ |
| View Azure device inventory | Per subscription or site | ✔ | ✔ | ✔ | ✔ |
| Manage Azure device inventory (write access) | Per subscription or site | - | ✔ | ✔ | ✔ |
| View Azure workbooks | Per subscription or site | ✔ | ✔ | ✔ | ✔ |
| Manage Azure workbooks (write access) | Per subscription or site | - | ✔ | ✔ | ✔ |
| View Defender for IoT settings | Per subscription | ✔ | ✔ | ✔ | ✔ |
| Configure Defender for IoT settings | Per subscription | - | ✔ | ✔ | ✔ |

Note that Security Admin and Contributor have identical Defender for IoT rights in this table, but Contributor also has write access to every other resource in the same scope, and only Owner can grant permissions to others. Security Reader is read-only for Defender for IoT data, with the exception that it can download sensor software, sensor endpoint details, and OT threat intelligence packages.
For an overview of creating new Azure custom roles, see Azure custom roles. To set up a custom role, add permissions from the actions listed in the Internet of Things security permissions table.
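The table above makes three least-privilege checks mechanical: a principal holding Owner can grant Defender for IoT access to others, Contributor unlocks nothing in Defender for IoT that Security Admin does not while being far broader elsewhere, and a lower role held next to a higher one is redundant. The script below is an added example, not code from this article or from Microsoft. It reads the JSON that `az role assignment list --scope <scope> --include-inherited -o json` emits (only the `principalName`, `principalType`, `roleDefinitionName` and `scope` fields are used) and runs offline against a constructed sample of assignments; the principal names and subscription ID in that sample are invented.

```python
"""Audit Azure role assignments against the Defender for IoT role table.

Added example; not from the Microsoft documentation. Consumes the JSON that
`az role assignment list --scope <scope> --include-inherited -o json` emits
and runs offline on a constructed sample.
"""
import json
from collections import defaultdict

# Rank of each built-in role by the Defender for IoT actions it unlocks
# (from the table above). Every action a lower rank may perform, a higher
# rank may also perform. Roles not listed carry no Defender for IoT rights.
ROLE_RANK = {
    "Security Reader": 1,   # view, plus download software, endpoint details, TI packages
    "Security Admin": 2,    # all modify/configure actions except granting permissions
    "Contributor": 2,       # same Defender for IoT rights as Security Admin, but also
                            # write access to every other resource in scope
    "Owner": 3,             # everything, including "grant permissions to others"
}

# Constructed sample in the shape of `az role assignment list` output.
# Names and subscription ID are invented for the example.
SAMPLE_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "soc-analysts", "principalType": "Group",
     "roleDefinitionName": "Security Reader", "scope": SAMPLE_SCOPE},
    {"principalName": "ot-platform", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": SAMPLE_SCOPE},
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SAMPLE_SCOPE},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Security Admin", "scope": SAMPLE_SCOPE},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Security Reader", "scope": SAMPLE_SCOPE},
    {"principalName": "build-pipeline", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Storage Blob Data Reader", "scope": SAMPLE_SCOPE},
])


def roles_by_principal(assignments_json):
    """Map each principal to the set of Defender for IoT-relevant roles it holds."""
    held = defaultdict(set)
    for a in json.loads(assignments_json):
        if a["roleDefinitionName"] in ROLE_RANK:
            held[a["principalName"]].add(a["roleDefinitionName"])
    return dict(held)


def effective_rank(assignments_json):
    """Highest Defender for IoT rank per principal; principals with no
    relevant role are omitted."""
    return {p: max(ROLE_RANK[r] for r in roles)
            for p, roles in roles_by_principal(assignments_json).items()}


def findings(assignments_json):
    """Least-privilege findings derived from the role table, in input order,
    followed by redundant-role findings per principal."""
    out = []
    for a in json.loads(assignments_json):
        who, role = a["principalName"], a["roleDefinitionName"]
        if role == "Owner":
            out.append(f"{who}: Owner at {a['scope']} is the only role that can grant "
                       "Defender for IoT permissions to others; confirm this principal "
                       "needs to manage access, not just monitor or configure.")
        elif role == "Contributor":
            out.append(f"{who}: Contributor has the same Defender for IoT rights as "
                       "Security Admin plus write access to all other resources at "
                       f"{a['scope']}; Security Admin is the narrower choice.")
    # A role ranked below the principal's highest role adds no Defender for IoT right.
    for who, roles in roles_by_principal(assignments_json).items():
        top = max(ROLE_RANK[r] for r in roles)
        for r in sorted(roles):
            if ROLE_RANK[r] < top:
                out.append(f"{who}: {r} is redundant alongside a higher-ranked role.")
    return out


if __name__ == "__main__":
    for who, rank in effective_rank(SAMPLE_ASSIGNMENTS).items():
        print(f"{who}: rank {rank}")
    for line in findings(SAMPLE_ASSIGNMENTS):
        print("FINDING:", line)
```

Run it against real output by replacing `SAMPLE_ASSIGNMENTS` with the captured JSON. Assignments inherited from a management group appear with that management group as their `scope`, so the scope printed in each finding tells you where the assignment has to be changed.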
Next steps
For more information, see: