Blog Post

Microsoft Defender for Endpoint Blog
6 MIN READ

Is your SOC running flat with limited RBAC?

Evald Markinzon's avatar
Evald Markinzon
Icon for Microsoft rankMicrosoft
Jan 17, 2019
Let’s take a moment to think about how security operation centers (SOC) actually work.   Can security operations in an enterprise run as a single, flat team? Is it sensible for all SOC analysts t...
Published Jan 17, 2019
Version 1.0
Peter Selch Dahl's avatar
Peter Selch Dahl
MCT
Feb 14, 2019
Great article! Will this also work with Azure B2B? Our Tier one personal is a partner? Based on my research I'm seeing the following blockers: • Microsoft Windows Defender ATP portal doesn’t support identities from external Azure Active Directories (Azure B2B) • Microsoft Windows Defender ATP doesn’t seem to support multi-tenancy based on a single identity and allow for tenant switch between customers For reference: https://office365.uservoice.com/forums/273493-office-365-admin/suggestions/19804000-switch-tenant-in-portal-office-com-aka-make-portal or https://office365.uservoice.com/forums/273493-office-365-admin/suggestions/33123178-tenant-selector-for-when-one-account-has-company-a Thanks. Best Regards, Peter Selch Dahl
Evald Markinzon's avatar
Evald Markinzon
Icon for Microsoft rankMicrosoft
Feb 18, 2019

Hi Peter,

Thank you for your feedback.

  1. The answer to your first question is "Yes" - Windows Defender ATP RBAC also works with Azure B2B. This functionality allows MSSPs delivering Managed Detection and Response services on top of Windows Defender ATP like in your case. All you need to do is to add B2B guest user to one of the AAD user groups you created for RBAC. The functionality, outlined in this blog will work as expected.
  2. If I understand correctly your second question, you are looking for single sign-on using B2B user into different customers tenants . Correct? This is also supported. The link to Windows Defender ATP alert in email notifications and SIEM API is a deep link that takes you to alert in specific customer tenant (according to Tenant Id) that in conjunction with B2B "guest" user single sign-on allows you to login into different customers portals using single identify. Of course, the "guest" user shall be "invited" by customer using B2B services.

Let me know if you have any further questions,

Thanks, Evald.