Map Microsoft Defender XDR Unified role-based access control (RBAC) permissions
All permissions listed within the Microsoft Defender XDR Unified RBAC model align to existing permissions in the individual RBAC models. Once you activate the Microsoft Defender XDR Unified RBAC model the permissions and assignments configured in your imported roles replace the existing roles in the individual RBAC models.
This article describes how existing roles and permissions in Microsoft Defender for Endpoint, Microsoft Defender Vulnerability Management, Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Entra roles map to the roles and permission in the Microsoft Defender XDR Unified RBAC model.
Applies to:
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
- Microsoft Defender for Identity
- Microsoft Defender for Office 365 Plan 2
- Microsoft Defender Vulnerability Management
- Microsoft Defender for Cloud
Important
Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
Map Microsoft Defender XDR Unified RBAC permissions to existing RBAC permissions
Use the tables in the following sections to learn more about how your existing individual RBAC role definitions map to your new Microsoft Defender XDR Unified RBAC roles:
- Map Defender for Endpoint and Defender Vulnerability Management permissions
- Map Defender for Office 365 permissions to the Microsoft Defender XDR Unified RBAC permissions
- Map Microsoft Defender for Identity permissions
- Microsoft Entra Global roles access
Map Defender for Endpoint and Defender Vulnerability Management permissions to the Microsoft Defender XDR RBAC permissions
Defender for Endpoint and Defender Vulnerability Management permissions | Microsoft Defender XDR Unified RBAC permission |
---|---|
View data - Security operations | Security operations \ Security data \ Security data basics (read) |
View data - Defender Vulnerability Management | Security posture \ Posture management \ Vulnerability management (read) |
Alerts investigation | Security operations \ Security data \ Alerts (manage) |
Active remediation actions - Security operations | Security operations \ Security data \ Response (manage) |
Active remediation actions - Defender Vulnerability Management - Exception handling | Security posture \ Posture management \ Exception handling (manage) |
Active remediation actions - Defender Vulnerability Management - Remediation handling | Security posture \ posture management \ Remediation handling (manage) |
Active remediation actions - Defender Vulnerability Management - Application handling | Security posture \ Posture management \ Application handling (manage) |
Defender Vulnerability management – Manage security baselines assessment profiles | Security posture \ posture management \ Security baselines assessment (manage) |
Live response capabilities | Security operations \ Basic live response (manage) |
Live response capabilities - advanced | Security operations \ Advanced live response (manage) Security operations \ Security data \ File collection (manage) |
Manage security settings in the Security Center | Authorization and settings \ Security settings \ Core security settings (manage) Authorization and settings\Security settings \ Detection tuning (manage) |
Manage portal system settings | Authorization and settings \ System setting (Read and manage) |
Manage endpoint security settings in Microsoft Intune | Not supported - this permission is managed in the Microsoft Intune admin center |
Map Defender for Office 365 permissions to the Microsoft Defender XDR Unified RBAC permissions
Use the following tables to learn how your existing Email & collaboration and protection-related Exchange Online permissions for Defender for Office 365 map to the new Microsoft Defender XDR Unified RBAC permissions:
Email & collaboration permissions mapping
You configured Email & collaboration permissions in the Defender portal at https://security.microsoft.com/emailandcollabpermissions.
Email & collaboration permission | Type | Microsoft Defender XDR Unified RBAC permission |
---|---|---|
Global Reader | Role group | Security operations \ Security data \ Security data basics (read) Security operations \ Raw data (Email & collaboration) \ Email & collaboration metadata (read) Security operations \ Security data \ Response (manage) Authorization and settings \ Security settings \ Core security settings (read) Authorization and settings \ System setting (read) |
Organization Management | Role group | Security operations \ Security data \ Security data basics (read) Security operations \ Security data \ Alerts (manage) Security operations \ Raw data (Email & collaboration) \ Email & collaboration metadata (read) Security operations \ Security data \ Response (manage) Security operations \ Security data \ Email advanced actions (manage) Security operations \ Security data \ Email quarantine (manage) Authorization and settings \ Authorization (Read and manage) Authorization and settings \ Security setting (All permissions) Authorization and settings \ System settings (Read and manage) |
Security Administrator | Role group | Security operations \ Security data \ Security data basics (read) Security operations \ Security data \ Alerts (manage) Security operations \ Raw data (Email & collaboration) \ Email & collaboration metadata (read) Security operations \ Security data \ Response (manage) Security operations \ Security data \ Email quarantine (manage) Authorization and settings \ Authorization (read) Authorization and settings \ Security setting (All permissions) Authorization and settings \ System settings (Read and manage) |
Security Reader | Role group | Security operations \ Security data \Security data basics (read) Security operations \ Raw data (Email & collaboration) \ Email & collaboration metadata (read) Security operations \ Security data \ Response (manage) Authorization and settings \ Security settings \ Core security settings (read) Authorization and settings \ System setting (read) |
Audit Logs | Role | Security operations \ Security data \ Security data basics (read) |
Manage Alerts | Role | Security operations \ Security data \ Security data basics (read) Security operations \ Security data \ Alerts (manage) |
Preview | Role | Security operations\ Security operations \ Raw data (Email & collaboration) \ Email & collaboration content (read) |
Quarantine | Role | Security operations \ Security data \ Email quarantine (manage) |
Role Management | Role | Authorization and settings \ Authorization (Read and manage) |
Search and Purge | Role | Security operations \ Security data \ Email advanced actions (manage) |
View-Only Manage Alerts | Role | Security operations \ Security data \ Security data basics (read) |
View-Only Recipients | Role | Security operations \ Security data \ Security data basics (read) Security operations \ Raw data (Email & collaboration) \ Email & collaboration metadata (read) |
View-only Audit Logs | Role | Security operations \ Security data \ Security data basics (read) |
Exchange Online permissions mapping
You configured protection-related Exchange Online permissions in the Exchange admin center (EAC) at https://admin.exchange.microsoft.com/#/adminRoles.
Exchange Online permission | Type | Microsoft Defender XDR Unified RBAC permission |
---|---|---|
Hygiene Management | Role group | Security operations \ Security data \ Email quarantine (manage) Authorization and settings \ Security settings \ Core security settings (manage) Authorization and settings \ Security settings \ Detection tuning (manage) |
Organization Management | Role group | Security operations \ Raw data (email & collaboration) \ Email & collaboration metadata (read) Authorization and settings \ Security settings \ Core security settings (manage) Authorization and settings \ Security settings \ Detection tuning (manage) Authorization and settings \ System settings (Read and manage) |
Security Administrator | Role group | Authorization and settings \ Security settings \ Detection tuning (manage) Authorization and settings \ System settings (Read and manage) |
View-Only Organization Management | Role group | Authorization and settings \ Security settings (Read-only) Authorization and settings \ System settings (Read-only) |
Tenant AllowBlockList Manager | Role | Authorization and settings \ Security settings \ Detection tuning (manage) |
View-only Recipients | Role | Security operations \ Raw data (email & collaboration) \ Email & collaboration metadata (read) |
Map Microsoft Defender for Identity permissions to the Microsoft Defender XDR Unified RBAC permissions
Defender for Identity permission | Defender XDR Unified RBAC permission |
---|---|
MDI admin | Security operations \ Security data \ Security data basics (read) Security operations \ Security data \ Alerts (manage) Authorization and settings \ Authorization (Read and manage) Authorization and settings \ Security setting (All permissions) Authorization and settings \ System settings (Read and manage) |
MDI user | Security operations \ Security data \ Security data basics (read) Security operations \ Security data \ Alerts (manage) Authorization and settings \ Security setting (All permissions) Authorization and settings \ System setting (read) |
MDI viewer | Security operations \ Security data \ Security data basics (read) Authorization and settings \ Security settings \ Core security settings (read) Authorization and settings \ System setting (read) |
Note
Defender for Identity experiences will also adhere to permissions granted from Microsoft Defender for Cloud Apps. For more information, see Microsoft Defender for Identity role groups. Exception: If you have configured Scoped deployment for Microsoft Defender for Identity alerts in the Microsoft Defender for Cloud Apps portal, these permissions do not carry over. You need to explicitly grant the Security operations \ Security data \ Security data basics (read) permissions for the relevant portal users.
Microsoft Entra Global roles access
Users assigned with Microsoft Entra global roles may also have access to the Microsoft Defender portal.
Use this table to learn about the permissions assigned by default for each workload (Defender for Endpoint, Defender Vulnerability Management, Defender for Office and Defender for Identity) in Microsoft Defender XDR Unified RBAC to each global Microsoft Entra role.
Microsoft Entra role | Microsoft Defender XDR Unified RBAC assigned permissions for all workloads | Microsoft Defender XDR Unified RBAC assigned permissions – workload specific |
---|---|---|
Global administrator | Security operations \ Security data \ Security data basics (read) Security operations \ Security data \ Alerts (manage) Security operations \ Security data \ Response (manage) Security posture \ Posture management \ Secure Score (read) Security posture \ Posture management \ Secure Score (manage) Authorization and settings \ Authorization (Read and manage) Authorization and settings \ Security settings (All permissions) Authorization and settings \ System settings (Read and manage) |
Defender for Endpoint and Defender Vulnerability Management permissions only permissions Security operations \ Basic live response (manage) Security operations \ Advanced live response (manage) Security operations \ Security data \ File collection (manage) Security posture \ Posture management \ Vulnerability management (read) Security posture \ Posture management \ Exception handling (manage) Security posture \ Posture management \ Remediation handling (manage) Security posture \ Posture management \ Application handling (manage) Security posture \ Posture management \ Security baseline assessment (manage) Defender for Office only permissions Security operations \ Security data \ Email quarantine (manage) Security operations \ Security data \ Email advanced actions (manage) Security operations \ Raw data (Email & collaboration) \ Email & collaboration metadata (read) |
Security administrator | Same as Global administrator | Same as Global administrator |
Global reader | Security operations \ Security data \ Security data basics (read) Security posture \ Posture management \ Secure Score (read) |
Defender for Endpoint and Defender Vulnerability Management permissions only permissions Security posture \ Posture management \ Vulnerability management (read) Defender for Office only permissions Security operations \ Security data \ Response (manage) Security operations \ Raw data (Email & collaboration) \ Email & collaboration metadata (read) Authorization and settings \ Authorization (read) Defender for Office and Defender for Identity only permissions Authorization and settings \ Security settings \ Core security settings (read) Authorization and settings \ System settings (read) |
Security reader | Security operations \ Security data \ Security data basics (read) Security posture \ Posture management \ Secure Score (read) |
Defender for Endpoint and Defender Vulnerability Management permissions only permissions Security posture \ Posture management \ Vulnerability management (read) Defender for Office only permissions Security operations \ Security data \ Response (manage) Security operations \ Raw data (Email & collaboration) \ Email & collaboration metadata (read) Defender for Office and Defender for Identity only permissions Authorization and settings \ Security settings \ Core security settings (read) Authorization and settings \ System settings (read) |
Security operator | Security operations \ Security data \ Security data basics (read) Security operations \ Security data \ Alerts (manage) Security operations \ Security data \ Response (manage) Security posture \ Posture management \ Secure Score (read) Authorization and settings \ Security settings (All permissions) |
Defender for Endpoint and Defender Vulnerability Management permissions only permissions Security operations \ Security data \ Basic live response (manage) Security operations \ Security data \ Advanced live response (manage) Security operations \ Security data \ File collection (manage) Security posture \ Posture management \ Vulnerability management (read) Security posture \ Posture management \ Exception handling (manage) Security posture \ Posture management \ Remediation handling (manage) Defender for Office only permissions Security operations \ Raw data (Email & collaboration) \ Email & collaboration metadata (read) Authorization and settings \ System settings (Read and manage) Defender for Identity only permissions Authorization and settings \ System settings (read) |
Exchange Administrator | Security posture \ Posture management \ Secure Score (read) Security posture \ Posture management \ Secure Score (manage) |
Defender for Office only permissions Security operations \ Security data \ Security data basic (read) Security operations \ Raw data (Email & collaboration) \ Email & collaboration metadata (read) Authorization and settings \ System settings (Read and manage) |
SharePoint Administrator | Security posture \ Posture management \ Secure Score (read) Security posture \ Posture management \ Secure Score (manage) |
not applicable |
Service Support Administrator | Security posture \ Posture management \ Secure Score (read) | not applicable |
User Administrator | Security posture \ Posture management \ Secure Score (read) | not applicable |
HelpDesk Administrator | Security posture \ Posture management \ Secure Score (read) | not applicable |
Compliance administrator | not applicable | Defender for Office only permissions Security operations \ Security data \ Security data basics (read) Security operations \ Security data \ Alerts (manage) |
Compliance data administrator | not applicable | Same as Compliance administrator |
Billing admin | not applicable | not applicable |
Note
By activating the Microsoft Defender XDR Unified RBAC model, users with Security Reader and Global Reader roles can access Defender for Endpoint data.
Next steps
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.