Create and manage roles for role-based access control


The following steps describe how to create roles in the Microsoft Defender portal. They assume that you have already created Microsoft Entra user groups.

  1. Access the Microsoft Defender portal using an account with a Security administrator or Global administrator role assigned.
  2. In the navigation pane, select Settings then select Endpoints. Under the Permissions category, select Roles.
  3. Select the Turn on roles button.
  4. Select + Add item.
  5. Enter the role name, description, and permissions you'd like to assign to the role.
  6. Select Next to assign the role to a Microsoft Entra Security group.
  7. Use the filter to select the Microsoft Entra group that you would like to add this role to.
  8. Select Save.

Important

After creating roles, you'll need to create a device group and provide access to the device group by assigning it to a role that you just created.

Permission options

The available permission options are:

  • View data

    • Security operations - View all security operations data in the portal

    • Threat and vulnerability management - View threat and vulnerability management data in the portal

  • Active remediation actions

    • Security operations - Take response actions, approve or dismiss pending remediation actions, manage allowed/blocked lists for automation and indicators

    • Threat and vulnerability management - Exception handling - Create new exceptions and manage active exceptions

    • Threat and vulnerability management - Remediation handling - Submit new remediation requests, create tickets, and manage existing remediation activities

    • Threat and vulnerability management - Application handling - Apply immediate mitigation actions by blocking vulnerable applications, and manage the blocked apps by unblocking if approved

    • Threat and vulnerability management - Manage security baselines assessment profiles - Create and manage profiles to assess whether your devices comply with security industry baselines

  • Alerts investigation - Manage alerts, start automated investigations, run scans, collect investigation packages, manage device tags, and download only portable executable (PE) files

  • Manage security settings in Security Center - Configure alert suppression settings, manage folder exclusions for automation, onboard and offboard devices, manage email notifications, and manage the evaluation lab

  • Manage endpoint security settings in Microsoft Endpoint Manager - Full access to the "Endpoint Security" area in Microsoft Endpoint Manager (equivalent to the Intune "Endpoint Security Manager" role permissions), the ability to configure endpoint security and compliance features including Microsoft Defender for Endpoint onboarding, and the ability to view the "Configuration Management" page in Security Center

  • Live response capabilities

    • Basic commands:

      • Start a live response session

      • Perform read-only live response commands on the remote device (excluding file copy and execution)

    • Advanced commands:

      • Download a file from the remote device via live response

      • Download PE and non-PE files from the file page

      • Upload a file to the remote device

      • View a script from the files library

      • Execute a script on the remote device from the files library